Patch now to prevent hackers from blindly crashing your Windows computers – Naked Security

As you know, our usual Patch Tuesday advice boils down to four words: “Patch early, patch often.”

56 newly reported vulnerabilities are fixed in this month’s patches from Microsoft, four of which are remote code execution (RCE) holes.

Remote code execution is where otherwise harmless-looking data sent in from outside your network can trigger a bug and take over your computer.

Bugs that allow booby-trapped chunks of data to trick your computer into running untrusted code are highly sought after by cybercriminals, because they typically allow crooks to break in and implant malware …

… without any “are you sure” warnings popping up, without needing a username and password, and sometimes without leaving any obvious traces in your system logs.

With all that in mind, the statistic “56 fixes including 4 RCEs” is in itself more than enough to make patching an immediate priority.

In the wild

In addition to the four RCE holes mentioned above, there is also a patch for a bug called CVE-2021-1732 that is already being exploited by hackers in the wild.

A bug that attackers are already exploiting before the patch comes out is known as a zero-day: the crooks got there first, so there were zero days on which you could have patched to get ahead of them.

Fortunately, this zero-day is not an RCE hole, so crooks can’t use it to break into your network in the first place.

Unfortunately, it is an elevation of privilege (EoP) bug in the Windows kernel itself, meaning that crooks who have already broken into your computer can almost certainly use the flaw to give themselves almighty powers.

Having crooks on your network is bad enough, but if their network privileges are the same as those of a regular user, the damage they can do is often quite limited. (That’s why your own sysadmins almost certainly don’t let you work with administrator privileges any more, as you might have done back in the 2000s.)

For example, ransomware criminals usually spend time at the start of their attack looking for an unpatched EoP bug that they can exploit to promote themselves to the same power and authority as your own sysadmins.

If they can get domain administrator rights, they are suddenly on an equal footing with your own IT department, so they can do just about anything they want.

Intruders with an EoP exploit will probably be able to: access and map your entire network; change your security settings; install or remove whatever software they like on any computer; copy or change any file they want; mess with your system logs; find and destroy your online backups; and even create secret “back door” accounts that they can use to break back in if you find them this time and throw them out.

But that’s not all

If you are still not convinced to patch early, patch often, you may also want to read Microsoft’s special security bulletin entitled Multiple Security Updates Affecting TCP/IP.

The three vulnerabilities in that bulletin go by the uninteresting names CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086.

However, the bugs they represent are very interesting indeed.

Although Microsoft notes that two of them could in theory be exploited for remote code execution (so they account for two of the four RCE bugs mentioned above), that’s not what Microsoft is most worried about right now:

The two RCE vulnerabilities are complex and make it difficult to create functional exploits, so they are unlikely [to be abused] short-term. We believe attackers will be able to create DoS exploits much faster and expect all three issues to be exploited with a DoS attack shortly after release. That’s why we encourage customers to act quickly to apply Windows security updates this month.

The DoS exploits for these CVEs allow a remote attacker to cause a stop error. Customers can get a blue screen on any Windows system directly exposed to the Internet with minimal network traffic.

DoS is, of course, short for denial of service – a type of vulnerability that is often played down as the “last among equals” when compared with vulnerabilities such as RCE and EoP.

Denial of service means exactly what it says: crooks can’t take over a vulnerable service, program or system, but they can stop it working altogether.

Unfortunately, these three DoSsable holes are bugs down in the Windows kernel driver tcpip.sys, and the flaws can, in theory, be triggered simply by your computer receiving incoming network packets.

In other words, merely processing the packets to decide whether to accept and trust them could be enough to crash the target computer – which, of course, could be a mission-critical Internet-facing server.

What to do?

Microsoft itself urges you to prioritise these patches if you roll out your updates one at a time, and has even come up with scriptable workarounds for those who still baulk at the “patch early” principle:

It is essential that customers apply Windows updates to address these vulnerabilities as quickly as possible. If it is not practical to apply the update quickly, the CVEs describe solutions that do not require a server reboot.

Workarounds notwithstanding, we’re with Microsoft on this one, and we wholeheartedly agree with the words essential and as quickly as possible.
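The article says to install the update first and fall back on the no-reboot workarounds only if you can’t. The script below, an added example that is not from the article or from Microsoft, is a defender-side status check for exactly that decision: it reports whether a host has the update installed and, if not, whether a TCP/IP workaround is in place. The KB number is a placeholder to be replaced from Microsoft’s own release notes, and the workaround checked here (the IPv4 source-routing setting that Microsoft’s CVE-2021-24074 entry describes as `sourceroutingbehavior=drop`) is this example’s assumption about what such a workaround looks like; the authoritative list of workarounds is in the CVE entries themselves.

```powershell
# Added example, not the article's or Microsoft's code.
# Reports whether this host has the required update, or failing that, whether the
# no-reboot IPv4 source-routing workaround is active.

# PLACEHOLDER: replace with the KB number of the February 2021 cumulative update
# for this Windows version, taken from Microsoft's release notes.
$RequiredKB = 'KB0000000'

function Test-UpdateInstalled {
    param([string]$KbId)
    # Get-HotFix lists installed updates by their KB identifier.
    $hit = Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $KbId }
    return ($null -ne $hit)
}

function Get-SourceRoutingBehavior {
    # netsh prints a line such as "Source Routing Behavior : dontforward".
    # Microsoft's workaround for CVE-2021-24074 sets this to "drop" (assumption: see lead-in).
    $line = (netsh interface ipv4 show global) | Where-Object { $_ -match 'Source Routing Behavior' }
    if ($line -and ($line -match ':\s*(\S+)')) { return $Matches[1] }
    return 'unknown'
}

$patched = Test-UpdateInstalled -KbId $RequiredKB
$srb     = Get-SourceRoutingBehavior

# Decide what the operator should do with this host.
if ($patched) {
    $status = 'patched'
} elseif ($srb -eq 'drop') {
    $status = 'workaround only: schedule the update'
} else {
    $status = 'EXPOSED: patch now'
}

[pscustomobject]@{
    ComputerName      = $env:COMPUTERNAME
    UpdateInstalled   = $patched
    SourceRouting     = $srb
    WorkaroundInPlace = ($srb -eq 'drop')
    Status            = $status
}
```

Run it as an administrator on each Internet-facing Windows host (or wrap it in `Invoke-Command` for a fleet) and act on any host whose status is not “patched”; the workaround state is reported so that a host relying on it is not mistaken for one that has been updated.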

Do not wait any longer. Do it today!

JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0 DAYS IN CLEAR ENGLISH

