It’s our favorite time of the month: Patch Newsday!
On the surface, it’s quite a light Patch Tuesday, with only one CVE being actively exploited in the wild (CVE-2021-40444). Even so, there are a few interesting trends.
Patch your browsers
This cycle we’ve seen 25 vulnerabilities that have been patched in Chrome and ported over to Microsoft’s Chromium-based Edge. That’s a pretty significant chunk of the 86 patched vulnerabilities this month.
I cannot underestimate the importance of patching your browsers and keeping them up to date. After all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you’re thinking about your online banking or the data collected and stored by your organization’s web apps, they could all be exposed by attacks that exploit the browser. So patch your browsers.
Local Priv Esc Vulnerabilities
Also of interest is a trio of Local Privilege Escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633). These are all listed as “exploitation more likely”.
Local Priv Esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access. This allows them to disable anti-virus, delete backups and ensure their encryptors can reach even the most sensitive of files.
However, these exploits are not remote, so attackers need to have achieved code execution by other means; for example, via the only vulnerability listed as being actively exploited in the wild, CVE-2021-40444.
I won’t go into too much detail about this one, as we’ve already published an analysis of the CVE’s exploit, but it is worth noting simply because it’s the only one listed as being “actively exploited in the wild”. In short, the vulnerability leads to remote code execution in MSHTML. According to the advisory, attackers can include a specially crafted ActiveX control within a Microsoft Office document which is executed when the document is opened. It has yet to be patched.
More Priv Esc
Coming back to the topic of Privilege Escalation, CVE-2021-38639 and CVE-2021-36975 have also been listed as “exploitation more likely” and together cover the full range of supported Windows versions.
I am starting to feel like a broken record when talking about Privilege Escalation vulnerabilities. They typically have a lower CVSS score than something like Remote Code Execution, but these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker.
If you can block them here you have the potential to significantly limit their damage. If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I would argue that patching Priv Esc vulnerabilities is even more important than patching some other Remote Code execution vulns.
In terms of Remote Code Execution vulnerabilities, Office takes the lion share this month, with several CVES that cover Word, Excel, and Visio. We know that attackers like to abuse Office Exploits as part of phishing campaigns to get an initial foothold into an organization. Even so, despite this being a popular attack surface for many threat actors, Microsoft have indicated that they are not likely to be exploited by attackers.
As always, you know your estate and how much risk your organization is willing to take, so make your own, informed and measured decisions when it comes to prioritizing patches.
15 September 2021
Director of Cyber Threat Research,
Latest Blog posts
Patch Newsday: 14 September 2021 – Lousy Browsers and Arsey RCEs
15 September 2021
Analyzing the CVE-2021-40444 exploit
13 September 2021
Take the power back: Tool-up against a notorious global threat group with our new FIN7 series
13 September 2021
Episode 44: Rotten Apple or Privacy Nuts?
2 September 2021
Patch Newsday 10 August: Ironic exploitation and the spectre of PrintNightmare
10 August 2021
Kaseya supply chain attack: Prepare to respond with the Cyber Crisis Simulator
27 July 2021