Microsoft patches actively exploited Windows zero-day (CVE-2021-40449)

On October 2021 Patch Tuesday, Microsoft has fixed 71 CVE-numbered vulnerabilities. Of those, only one was a zero-day exploited in attacks in the wild (CVE-2021-40449) and three were publicly known before the release of the patches.

Vulnerabilities of note

Let’s start with CVE-2021-40449, a Windows bug that may be used to escalate privileges on an already compromised system.

Its exploitation was detected and flagged by Boris Larin, a zero-day exploits hunter with Kaspersky. According to the company, it was leveraged to target Microsoft Windows servers.

“Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities,” Larin and colleague Costin Raiu shared.

Kevin Breen, Director of Cyber Threat Research at Immersive Labs, says that this vulnerability should definitely be a patching priority. “Gaining [admin rights] on a compromised host is the first step towards becoming a domain admin – and securing full access to a network. Almost every ransomware attack reported this year has included the use of one or more privilege escalation vulnerabilities as part of the attacker’s workflow, so this is serious stuff indeed.”

CVE-2021-40486 is a MS Word bug that would allow code execution when a specially crafted Word document is viewed on an affected system.

“Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector. This creates a much larger attack surface. When combined with a privilege escalation – like the one currently under active attack – this could be used to take over a target system,” noted Dustin Childs, with Trend Micro’s Zero Day Initiative.

He also pointed out that there are five security feature bypass bugs patched in this month’s release, but lamented the fact that Microsoft has provided very few details, despite one of them being publicly known.

CVE-2021-26427 is a Microsoft Exchange Server RCE vulnerability that has the highest CVSS score this month (9.0).

“The bug will certainly receive its fair share of attention, if nothing else, due to it being reported by the National Security Agency (NSA),” Childs pointed out.

“This bug is not as severe since this exploit is limited at the protocol level to a logically adjacent topology and not reachable from the Internet. This flaw, combined with the other Exchange bugs patched this month, should keep Exchange admins busy for a while.”

Childs also urged those who use the rich text edit control in Power Apps to test and deploy the patch for CVE-2021-40454 quickly.

“We don’t often highlight information disclosure bugs, but this vulnerability goes beyond just dumping random memory locations. This bug could allow an attacker to recover cleartext passwords from memory, even on Windows 11.”

Those organizations who use Windows Hyper-V should quickly fix two critical RCE vulnerabilities (CVE-2021-38672 and CVE-2021-40461), one of which could allow a malicious guest VM to read kernel memory in the host and to allow a VM escape from guest to host.

Finally, Satnam Narang, staff research engineer at Tenable pointed out CVE-2021-36970, a spoofing vulnerability in Microsoft’s Windows Print Spooler, as worthy of a quick fix.

“The vulnerability was discovered by researchers XueFeng Li and Zhiniang Peng of Sangfor. They were also credited with the discovery of CVE-2021-1675, one of two vulnerabilities known as PrintNightmare. While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook.”

Prioritizing patches

Which vulnerabilities should be remediated first? It depends on which Microsoft solutions an organization uses, the severity of the vulnerabilities and the likelihood of a vulnerability getting exploited sooner rather than later.

“As always, you know your own risk and what assets in your organization have the most exposure, so plan your updates accordingly. One thing worth considering, especially if you have critical services that rely on uptime, is your testing or roll-back processes. We’ve seen several occasions where patches have unintended side effects, so take this into account in your planning process,” says Breen.

“We always recommend patching anything that is being actively exploited first. Privilege escalation vulnerabilities always score lower than remote code execution, but are more commonly used by attackers once they have that initial access, so do not let the raw CVSS score be your priority order!”