As you know, our usual advice for Patch Tuesday can be summed up in four words: “Patch early, patch often.”
Microsoft’s updates this month fix 56 reported vulnerabilities, four of which could give attackers remote code execution (RCE) exploits.
Remote code execution is where apparently innocent data sent in from outside your network can trigger a bug and take over your computer.
Bugs that make it possible for booby-trapped data to trick your computer into running untrusted code are much sought after by cybercriminals, because they routinely allow crooks to break in and implant malware…
…without any “Are you sure?” warning, without needing credentials such as a username and password, and sometimes without even leaving obvious traces in the system logs.
In view of all this, the statistic “56 fixes, including 4 RCEs” signals more than enough risk to make prompt patching a priority.
Into the wild
In addition to the four potential RCE holes mentioned above, there is also a patch for a bug designated CVE-2021-1732 that is already being abused in the wild by attackers.
A bug that attackers are already exploiting before a patch is available is known as a zero-day: the crooks got there first, so there were zero days on which you could have patched to get ahead of them.
Fortunately, this zero-day is not an RCE hole, so crooks can’t use it to break into your network in the first place.
Unfortunately, it is an elevation of privilege (EoP) bug in the Windows kernel itself, which means that crooks who are already inside your computer can abuse it to give themselves all-powerful rights.
Having crooks on your network is bad enough, but if their privileges are the same as a regular user’s, the damage they can do is often quite limited. (That’s why your own IT department almost certainly doesn’t let you run with administrator rights, as was common back in 2000.)
Ransomware criminals, for example, typically spend time at the start of an attack looking for an unpatched EoP bug they can exploit to promote themselves to the same power and authority as your own sysadmins.
If they can get domain administrator rights, they are suddenly on an equal footing with your own IT department, so they can do almost anything they like.
Intruders with a working EoP exploit will probably be able to: access and map your entire network; change security settings; install or remove any software they like on any computer; copy or modify any file they like; tamper with system logs; find and destroy your online backups; and even create secret “backdoor” accounts they can use to log back in if you find them and kick them out this time.
But that’s not all
If you are still not convinced to patch early and patch often, we recommend that you read Microsoft’s special security bulletin entitled Multiple Security Updates Affecting TCP/IP.
The three vulnerabilities listed in this bulletin are CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086.
The bugs they describe are intriguing.
Although Microsoft admits that two of them could in theory be exploited for remote code execution (they are two of the four RCE bugs mentioned above), that isn’t what Microsoft is most worried about right now:
The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they are unlikely [to be abused] in the short term. We believe that attackers will be able to create DoS exploits much more quickly, and we expect all three issues to be exploited with a DoS attack shortly after release. Thus, we recommend that customers move quickly to apply Windows security updates this month.
DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers could receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.
DoS, of course, is short for denial of service, a type of vulnerability that is often downplayed as the “poor relation” compared with security holes such as RCE and EoP.
Denial of service means exactly what it says: the crooks can’t take over a vulnerable service, program or system, but they can stop it from working at all.
Unfortunately, these three DoSsable holes are low-level bugs right in the Windows kernel network driver tcpip.sys, and the flaws can, in theory, be tickled and triggered simply by your computer receiving incoming network packets.
In other words, merely receiving the packets in order to decide whether to accept and trust them in the first place might be enough to crash the target computer, which could, of course, be a mission-critical internet-facing server.
What to do?
Microsoft itself urges you to prioritise these patches if you are updating one at a time, and has even published scriptable workarounds for those who are still nervous about the “patch early” principle:
It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server.
Workarounds notwithstanding, we’re with Microsoft on this one, and we wholeheartedly agree with the words essential and as soon as possible.
Don’t delay. Do it today!
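To make the “patch first, work around if you must” advice concrete, here is an added PowerShell example (not from the original article or from Microsoft’s bulletin). It checks whether any update has been installed since 9 February 2021 and, if not, applies the interim mitigations for the three tcpip.sys bugs. The two netsh settings are the ones we recall Microsoft listing in the CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086 workaround sections (source-routing drop for IPv4, reassembly limit of 0 for IPv6); the netsh output labels matched by Select-String are likewise assumed. Confirm both against the current CVE pages before relying on this in production, and run it from an elevated prompt.

```powershell
# Added example, not the article's or Microsoft's own code.
# Checks for the February 2021 update by install date (KB numbers differ per
# Windows build, so we deliberately do not hard-code one) and, if nothing has
# been installed since Patch Tuesday, applies the interim netsh workarounds.
# Assumption: the netsh settings below match Microsoft's published workarounds
# for CVE-2021-24074 (IPv4) and CVE-2021-24094 / CVE-2021-24086 (IPv6).
# Run from an elevated PowerShell prompt.

$patchTuesday = Get-Date '2021-02-09'

# 1. Any hotfix installed on or after Patch Tuesday? Get-HotFix only lists
#    updates recorded by the Windows Installer/CBS, so treat a hit as a
#    prompt to verify, not as proof that this specific fix is present.
$recent = Get-HotFix | Where-Object { $_.InstalledOn -ge $patchTuesday }

if ($recent) {
    "Updates installed since $($patchTuesday.ToShortDateString()):"
    $recent | Select-Object HotFixID, Description, InstalledOn | Format-Table -AutoSize
} else {
    Write-Warning "No update installed since $($patchTuesday.ToShortDateString()). Patch now; applying interim workarounds."

    # 2a. CVE-2021-24074 (IPv4): refuse source-routed packets outright.
    #     The default is 'dontforward'; 'drop' discards them before the
    #     vulnerable option-parsing path is reached (assumed per advisory).
    netsh int ipv4 set global sourceroutingbehavior=drop

    # 2b. CVE-2021-24094 / CVE-2021-24086 (IPv6): disable fragment reassembly
    #     so crafted out-of-order fragment trains are dropped. This is a blunt
    #     tool: legitimate fragmented IPv6 traffic will be dropped too.
    netsh int ipv6 set global reassemblylimit=0
}

# 3. Record the resulting state either way. The matched labels are assumed
#    to be 'Source Routing Behavior' and 'Reassembly Limit' in netsh output.
"IPv4 global settings:"
netsh int ipv4 show global | Select-String -Pattern 'Source Routing'
"IPv6 global settings:"
netsh int ipv6 show global | Select-String -Pattern 'Reassembly'
```

Neither netsh change needs a reboot, which is the point Microsoft makes about its workarounds, but both are mitigations rather than fixes: they reduce the reachable attack surface in tcpip.sys without correcting the underlying bugs, so the script should be treated as a stopgap until the cumulative update is installed, at which point the settings can be returned to their defaults.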
JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0-DAYS IN PLAIN ENGLISH