Cybersecurity Vulnerabilities
September 15, 2021

Patch Newsday: 14 September 2021 – Lousy Browsers and Arsey RCEs

Patch Newsday

It’s our favorite time of the month: Patch Newsday!

On the surface, it’s quite a light Patch Tuesday, with only one CVE being actively exploited in the wild (CVE-2021-40444). Even so, there are a few interesting trends.

Patch your browsers

This cycle we’ve seen 25 vulnerabilities that have been patched in Chrome and ported over to Microsoft’s Chromium-based Edge. That’s a pretty significant chunk of the 86 patched vulnerabilities this month.

I cannot overstate the importance of patching your browsers and keeping them up to date. After all, browsers are how we interact with the internet and with web-based services that hold all sorts of highly sensitive, valuable and private information. Whether you’re thinking about your online banking or the data collected and stored by your organization’s web apps, it could all be exposed by attacks that exploit the browser. So patch your browsers.

Local Priv Esc Vulnerabilities

Also of interest is a trio of Local Privilege Escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633). These are all listed as “exploitation more likely”.

Local Priv Esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access. This allows them to disable anti-virus, delete backups and ensure their encryptors can reach even the most sensitive of files.

However, these exploits are not remote, so attackers need to have achieved code execution by other means; for example, via the only vulnerability listed as being actively exploited in the wild, CVE-2021-40444.

CVE-2021-40444

I won’t go into too much detail about this one, as we’ve already published an analysis of the CVE’s exploit, but it is worth noting simply because it’s the only one listed as being “actively exploited in the wild”. In short, the vulnerability leads to remote code execution in MSHTML. According to the advisory, attackers can include a specially crafted ActiveX control within a Microsoft Office document which is executed when the document is opened. It has yet to be patched.
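The advisory text above describes the trigger as an ActiveX control embedded in an Office document. A defender's first triage question for a suspicious attachment is therefore "does this package even carry ActiveX parts, and does it reach outside itself when opened?". The script below is an added example written for this page, not code from Kev Breen's post or from Immersive Labs: it opens an OOXML container (.docx/.xlsx/.pptx are zip files) and flags ActiveX parts and external relationships. The ActiveX content type and the `activeX/` folder name come from the OOXML packaging conventions (assumed here, not stated on the page); the external-relationship check is an additional signal I am assuming is useful, and the sample documents are constructed in memory, not real malicious files.

```python
import io
import re
import zipfile
from typing import Dict, List

# Content type Office assigns to embedded ActiveX control parts (assumption
# based on OOXML packaging conventions, not taken from the blog post).
ACTIVEX_CONTENT_TYPE = "application/vnd.ms-office.activeX+xml"


def triage_office_document(data: bytes) -> Dict[str, List[str]]:
    """Inspect an OOXML container and report parts worth a closer look before
    the file is opened on an endpoint:
      - ActiveX control parts (the vector the CVE-2021-40444 advisory describes)
      - relationships pointing outside the package (TargetMode="External")
    Returns a dict of findings; an empty dict means nothing was flagged."""
    findings: Dict[str, List[str]] = {}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Legacy binary .doc/.xls or a non-Office file: needs a different parser.
        return {"not_ooxml": ["file is not a zip container"]}

    with archive:
        names = archive.namelist()

        # 1. Any part stored under an activeX/ folder.
        activex_parts = [n for n in names if re.search(r"/activeX/", n)]
        if activex_parts:
            findings["activex_parts"] = activex_parts

        # 2. [Content_Types].xml declaring an ActiveX content type, which catches
        #    a control stored under an unusual path.
        if "[Content_Types].xml" in names:
            ctypes = archive.read("[Content_Types].xml").decode("utf-8", "replace")
            if ACTIVEX_CONTENT_TYPE in ctypes:
                findings["activex_content_type"] = [ACTIVEX_CONTENT_TYPE]

        # 3. Relationship parts whose target lies outside the package; these
        #    make the document fetch content from elsewhere when it is opened.
        external: List[str] = []
        for n in names:
            if not n.endswith(".rels"):
                continue
            rels = archive.read(n).decode("utf-8", "replace")
            for m in re.finditer(r'<Relationship\b[^>]*TargetMode="External"[^>]*>', rels):
                target = re.search(r'Target="([^"]*)"', m.group(0))
                external.append(f"{n}: {target.group(1) if target else '?'}")
        if external:
            findings["external_relationships"] = external

    return findings


def build_sample_docx(with_activex: bool, external_target: str = "") -> bytes:
    """Constructed test data: a minimal .docx built in memory. The external
    target, when given, is a placeholder URL, not a real indicator."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        overrides = ""
        if with_activex:
            overrides = ('<Override PartName="/word/activeX/activeX1.xml" '
                         f'ContentType="{ACTIVEX_CONTENT_TYPE}"/>')
        z.writestr("[Content_Types].xml",
                   '<?xml version="1.0"?><Types xmlns="http://schemas.openxmlformats.org/'
                   f'package/2006/content-types">{overrides}</Types>')
        z.writestr("word/document.xml", "<w:document/>")
        rels = ""
        if external_target:
            rels = ('<Relationship Id="rId9" Type="http://schemas.openxmlformats.org/'
                    'officeDocument/2006/relationships/oleObject" '
                    f'Target="{external_target}" TargetMode="External"/>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/'
                   f'relationships">{rels}</Relationships>')
        if with_activex:
            z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return buf.getvalue()


if __name__ == "__main__":
    print("clean:   ", triage_office_document(build_sample_docx(False)))
    print("activex: ", triage_office_document(build_sample_docx(True)))
    print("external:", triage_office_document(
        build_sample_docx(False, "http://example.invalid/placeholder.html")))
```

Run it over a mail-gateway quarantine folder and it gives an analyst a quick "look at this one first" list; a hit is not proof of exploitation (legitimate forms use ActiveX too), but a document carrying ActiveX parts and external relationships, sent to a user who did not expect it, deserves a sandbox detonation before anyone double-clicks it.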

More Priv Esc

Coming back to the topic of Privilege Escalation, CVE-2021-38639 and CVE-2021-36975 have also been listed as “exploitation more likely” and together cover the full range of supported Windows versions.

I am starting to feel like a broken record when talking about Privilege Escalation vulnerabilities. They typically have a lower CVSS score than something like Remote Code Execution, but these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker.

If you can block them here, you have the potential to significantly limit their damage. If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I would argue that patching Priv Esc vulnerabilities is even more important than patching some other Remote Code Execution vulns.

Arsey RCEs

In terms of Remote Code Execution vulnerabilities, Office takes the lion’s share this month, with several CVEs that cover Word, Excel, and Visio. We know that attackers like to abuse Office exploits as part of phishing campaigns to get an initial foothold into an organization. Even so, despite this being a popular attack surface for many threat actors, Microsoft have indicated that they are not likely to be exploited by attackers.

As always, you know your estate and how much risk your organization is willing to take, so make your own, informed and measured decisions when it comes to prioritizing patches.

Kev Breen

Kev Breen,
Director of Cyber Threat Research,
Immersive Labs

@kevthehermit