Patch now to stop hackers blindly crashing your Windows computers – Naked Security

As you know, our usual advice for Patch Tuesday comes down to four words: “Patch early, patch often.”

There were 56 newly reported vulnerabilities fixed in this month’s Microsoft patches, four of them giving attackers a shot at remote code execution (RCE) exploits.

Remote code execution is where innocent-looking data sent in from outside the network can trigger a bug and take control of the computer.

Bugs that let booby-trapped data trick your computer into running untrusted code are highly sought after by cybercriminals, because they typically let the crooks break in and deploy malware…

…without popping up any “Are you sure?” warnings, without needing niceties such as a username and password and, sometimes, without even leaving obvious traces in the system logs.

With all that in mind, the statistic “56 fixes, including 4 RCEs” signals more than enough risk on its own to make patching right away a priority.

In the wild

As well as the four potential RCE holes mentioned above, there is also a patch for a bug dubbed CVE-2021-1732 that is already being exploited by attackers in the wild.

A situation in which an attack is already known about before a patch is released is called a zero-day bug: the crooks got there first, so there were zero days on which you could have patched to stay ahead of them.

Fortunately, this zero-day bug is not an RCE hole, so the crooks can’t use it to get into your network in the first place.

Unfortunately, it is an elevation of privilege (EoP) bug in the Windows kernel itself, meaning that crooks who have already broken into your computer can almost certainly abuse the flaw to give themselves omnipotent powers.

Having crooks inside your network is bad enough, but if their network privileges are the same as an ordinary user’s, the damage they can do is somewhat limited. (That’s why your own sysadmins almost certainly don’t let you have administrator rights any more, as they might have done back in the 2000s.)

Ransomware crooks, for example, typically spend time at the start of their attack looking for an unpatched EoP bug that they can exploit to get the same power and authority as your own sysadmins.

If they can get domain administrator rights, they are suddenly on an equal footing with your own IT department, so they can do pretty much anything they like.

Attackers with access to an EoP exploit are likely to be able to: access and map your entire network; change your security settings; install or remove any software they like on any computer; copy or modify any file they choose; tamper with system logs; find and destroy your online backups; and even create secret “backdoor” accounts that they can use to get back in if you find them this time and throw them out.

But that’s not all

If you still aren’t convinced to patch early and patch often, you can also read Microsoft’s special security bulletin entitled Multiple Security Updates Affecting TCP/IP.

The three vulnerabilities listed in that bulletin go by the unexciting names of CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086.

The bugs they represent, however, are very interesting.

Although Microsoft admits that two of them could, in theory, be exploited for remote code execution (they therefore account for 2 of the 4 RCE bugs mentioned above), that isn’t what Microsoft is most worried about right now:

The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they probably won’t [be abused] in the short term. We believe that attackers will be able to create DoS exploits much more quickly and expect that all three problems could be exploited with a DoS attack shortly after release. Therefore, we recommend that customers quickly apply this month’s Windows security updates.

DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers could receive a blue screen on any Windows system that is directly exposed to the Internet with minimal network traffic.

DoS, of course, is short for denial of service – a type of vulnerability that is often downplayed as the “last among equals” when compared with security flaws such as RCE and EoP.

Denial of service means exactly what it says: the crooks can’t take control of a vulnerable service, software program or system, but they can stop it from working at all.

Unfortunately, these three DoSsable holes are low-level bugs in the Windows kernel driver tcpip.sys, and the flaws can, in theory, be reached and triggered simply by your computer receiving incoming network packets.

In other words, merely processing the packets to decide whether to accept and trust them in the first place can be enough to crash the target computer – which could, of course, be a mission-critical, Internet-facing server.
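A DoS of this kind shows up as a stop error, so the defender’s question is “have my Internet-facing servers started bugchecking?” The following PowerShell is an added example, not code from Naked Security or Microsoft. It assumes the documented Windows behaviour that a crash is recorded in the System log as Event ID 1001 from the provider Microsoft-Windows-WER-SystemErrorReporting, with a message of the form “The bugcheck was: 0x… (…, …, …, …)”; the sample messages at the bottom are constructed so the parsing can be exercised offline, and their values describe no real crash.

```powershell
# Added example (not from the article): summarise recent Windows stop errors
# so a server that is being knocked over repeatedly stands out.
# Assumption: Event ID 1001, provider Microsoft-Windows-WER-SystemErrorReporting,
# message contains "The bugcheck was: 0x<code> (<p1>, <p2>, <p3>, <p4>)".

function ConvertFrom-BugcheckMessage {
    # Parse the stop code and its four parameters out of one event message.
    param([Parameter(Mandatory)][string]$Message,
          [datetime]$TimeCreated = (Get-Date))

    $pattern = 'bugcheck was:\s*(0x[0-9a-fA-F]+)\s*\(' +
               '(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+),\s*(0x[0-9a-fA-F]+)\)'
    $m = [regex]::Match($Message, $pattern)
    if (-not $m.Success) { return $null }

    [pscustomobject]@{
        TimeCreated = $TimeCreated
        StopCode    = $m.Groups[1].Value.ToLower()
        Param1      = $m.Groups[2].Value
        Param2      = $m.Groups[3].Value
        Param3      = $m.Groups[4].Value
        Param4      = $m.Groups[5].Value
    }
}

function Get-RecentBugchecks {
    # Pull Event ID 1001 records from the last $Days days and parse each one.
    # Returns an empty array when the log has none.
    param([int]$Days = 7)

    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    @($events | ForEach-Object {
        ConvertFrom-BugcheckMessage -Message $_.Message -TimeCreated $_.TimeCreated
    } | Where-Object { $_ })
}

function Get-BugcheckSummary {
    # Group parsed crashes by stop code. A burst of identical stop codes on an
    # Internet-facing host in a short window deserves an incident ticket.
    param([Parameter(Mandatory)][object[]]$Crashes, [int]$AlertThreshold = 3)

    $Crashes | Group-Object StopCode | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            StopCode = $_.Name
            Count    = $_.Count
            First    = $sorted[0].TimeCreated
            Last     = $sorted[-1].TimeCreated
            Alert    = ($_.Count -ge $AlertThreshold)
        }
    }
}

# Constructed sample messages (made-up values, no real crash) so the parsing
# and grouping can be run on any machine without touching the event log.
$sampleText = 'The computer has rebooted from a bugcheck.  The bugcheck was: 0x000000d1 ' +
              '(0x0000000000000010, 0x0000000000000002, 0x0000000000000000, 0xfffff80012345678).'
$sample = 3, 2, 1 | ForEach-Object {
    ConvertFrom-BugcheckMessage -Message $sampleText -TimeCreated (Get-Date).AddHours(-$_)
}
Get-BugcheckSummary -Crashes $sample | Format-Table -AutoSize

# On a real host, read the live log instead:
#   $live = Get-RecentBugchecks -Days 7
#   if ($live.Count) { Get-BugcheckSummary -Crashes $live | Format-Table -AutoSize }
```

Run the live version from a scheduled task or your monitoring agent on every host that accepts traffic from the Internet; three identical stop codes in a week on a box that is normally stable is the pattern worth escalating, whatever the cause turns out to be.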

What to do?

Microsoft itself is warning you to prioritise these patches if you prefer to take your updates one at a time, and has even come up with scriptable workarounds for those who are still nervous about the “patch early” principle:

It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds that do not require restarting a server are detailed in the CVEs.

Despite the workarounds, we’re with Microsoft here and wholeheartedly agree with the words essential and as soon as possible.
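For hosts that genuinely cannot take the update today, the following PowerShell is an added example (not Sophos’ or Microsoft’s own code) that audits, applies and later reverts the no-reboot TCP/IP workarounds. The netsh parameter names it uses (sourceroutingbehavior for CVE-2021-24074, reassemblylimit for CVE-2021-24094 and CVE-2021-24086) are the ones Microsoft documents in the advisories that the article points to but does not reproduce, so treat them as an assumption to check against the advisory text; the labels it parses out of netsh’s “show global” output are the English ones and will differ on localised Windows.

```powershell
# Added example (not from the article): audit, apply and revert the
# no-reboot TCP/IP workarounds. Assumed from Microsoft's advisories:
#   CVE-2021-24074             -> netsh int ipv4 set global sourceroutingbehavior=drop
#   CVE-2021-24094 / -24086    -> netsh int ipv6 set global reassemblylimit=0
# Run from an elevated prompt. Revert once the February update is installed.

function Get-TcpipWorkaroundState {
    # Read both settings from netsh's "show global" output.
    # Assumption: English labels; adjust the patterns for a localised build.
    $v4 = (netsh interface ipv4 show global) -join "`n"
    $v6 = (netsh interface ipv6 show global) -join "`n"
    $srb = if ($v4 -match 'Source Routing Behavior\s*:\s*(\S+)') { $Matches[1] } else { 'unknown' }
    $ral = if ($v6 -match 'Reassembly Limit\s*:\s*(\d+)') { [int64]$Matches[1] } else { -1 }
    [pscustomobject]@{
        SourceRoutingBehavior    = $srb
        ReassemblyLimit          = $ral
        Ipv4SourceRoutingDropped = ($srb -eq 'drop')
        Ipv6ReassemblyDisabled   = ($ral -eq 0)
    }
}

function Set-TcpipWorkaround {
    # Apply both workarounds; each takes effect immediately, no restart.
    # Returns the pre-change state so it can be restored after patching.
    # Side effect to weigh first: reassemblylimit=0 makes the host discard
    # every fragmented IPv6 packet, which breaks IPv6 traffic that depends
    # on fragmentation. Dropping source-routed IPv4 is harmless for almost all.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $before = Get-TcpipWorkaroundState
    if ($PSCmdlet.ShouldProcess('IPv4 global settings', 'sourceroutingbehavior=drop')) {
        netsh interface ipv4 set global sourceroutingbehavior=drop | Out-Null
    }
    if ($PSCmdlet.ShouldProcess('IPv6 global settings', 'reassemblylimit=0')) {
        netsh interface ipv6 set global reassemblylimit=0 | Out-Null
    }
    $before
}

function Restore-TcpipSettings {
    # Put back whatever Get-TcpipWorkaroundState recorded before the change.
    param([Parameter(Mandatory)]$Previous)
    if ($Previous.SourceRoutingBehavior -ne 'unknown') {
        netsh interface ipv4 set global "sourceroutingbehavior=$($Previous.SourceRoutingBehavior)" | Out-Null
    }
    if ($Previous.ReassemblyLimit -ge 0) {
        netsh interface ipv6 set global "reassemblylimit=$($Previous.ReassemblyLimit)" | Out-Null
    }
}

# Usage:
#   Get-TcpipWorkaroundState                              # audit only
#   Set-TcpipWorkaround -WhatIf                           # show what would change
#   $saved = Set-TcpipWorkaround                          # apply, keep the old values
#   $saved | ConvertTo-Json | Set-Content "$env:ProgramData\tcpip-workaround-before.json"
#   Restore-TcpipSettings -Previous $saved                # after the update is on
```

Keep the saved pre-change state somewhere you will find it again: the workaround is a stopgap, and the point of the audit function is that you can prove, per host, both that it was in place while you waited and that it was removed once the patch went on.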

Don’t delay. Do it today!

JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0-DAYS IN PLAIN ENGLISH
