Patch now to stop hackers crashing your Windows computers – Naked Security

As you know, our usual advice for Patch Tuesday comes down to four words: “Patch early, patch often.”

There were 56 CVE-listed vulnerabilities fixed in Microsoft’s products this month, and four of them give attackers the chance to find remote code execution (RCE) exploits.

Remote code execution is where booby-trapped data sent in from outside your network can trigger a bug and take over your computer.

Bugs that make it possible to trick your computer into executing untrusted code are highly sought after by cybercriminals, because they usually allow crooks to break in and implant malware …

… without you having to click through a security warning, without requiring credentials such as a username and password, and sometimes without leaving any obvious trace in your system logs.

With all that in mind, the statistic “56 fixes, including 4 RCEs” is in itself more than enough risk to make patching an immediate priority.

In the wild

In addition to the four potential RCE holes mentioned above, there is also a patch for a bug called CVE-2021-1732 that is already being exploited in the wild by crooks.

A bug that is already under attack before its patch comes out is known as a zero-day: the crooks got there first, so there were zero days on which you could have patched ahead of them.

Fortunately, this zero-day is not an RCE hole, so crooks can’t use it to get into your network in the first place.

Unfortunately, it is an elevation of privilege (EoP) bug in the Windows kernel itself, which means that crooks who have already broken into your computer can almost certainly exploit it to give themselves all-powerful access.

Crooks in your network is bad enough, but if their privileges are the same as those of a regular user, the damage they can do is often fairly limited. (That’s why your own sysadmins almost certainly don’t let you run with Administrator rights any more, as was common back in the 2000s.)

Ransomware criminals, for example, usually spend time early in their attack looking for an unpatched EoP bug that they can use to promote themselves to the same power and authority as your own sysadmins.

If they can grab domain administrator rights, they are suddenly on the same level as your own IT department, so they can do almost anything they want.

Intruders who have an EoP exploit at their disposal will probably be able to: access and map your entire network; change your security settings; install or remove any software they like on any computer; copy or modify any file they like; tamper with your system logs; find and destroy your online backups; and even create secret “backdoor” accounts that they can use to break back in if you find them and kick them out this time.

But that’s not all

If you still aren’t convinced to patch early, patch often, you can also read Microsoft’s special security bulletin titled Multiple Security Updates Affecting TCP/IP.

The three vulnerabilities listed in that bulletin have the uninteresting names CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086.

However, the bugs they denote are very interesting indeed.

Although Microsoft admits that two of them could in theory be used for code execution (so they account for 2 of the 4 RCE bugs mentioned above), that isn’t what Microsoft is currently most worried about:

The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they are not likely [to be abused] in the short term. We believe attackers will be able to create DoS exploits much more quickly, and we expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.

The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers could receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.

DoS is, of course, short for denial of service, a type of vulnerability that is often downplayed as the “last among equals” when compared with vulnerabilities such as RCE and EoP.

Denial of service means exactly what it says: the crooks can’t take over a vulnerable service, program or system, but they can stop it from working at all.

Unfortunately, these three DoSsable bugs are low-level holes right in the Windows kernel driver tcpip.sys, and they can in theory be tickled into action simply by your computer receiving booby-trapped network packets.

In other words, just unpacking the packets to decide whether to accept and trust them in the first place can be enough to crash the targeted computer, which could, of course, be a mission-critical, internet-facing server.

What to do?

Microsoft itself warns you to prioritise these patches when you do your updates, and has even come up with workarounds for those who are still scared of the “patch early” principle:

It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server.

Workarounds notwithstanding, we’re with Microsoft here, and wholeheartedly agree with the words essential and as soon as possible.

Do not procrastinate. Do it today!
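As an added example (not code from this article, and not Microsoft’s own script), here is a PowerShell helper that checks whether the two no-reboot TCP/IP workarounds described in Microsoft’s CVE entries are in place and applies them on request. The settings are the ones Microsoft documented as we recall them: setting IPv4 source routing to Drop for CVE-2021-24074, and setting the IPv6 reassembly limit to 0 (disabling fragment reassembly) for CVE-2021-24094 and CVE-2021-24086. The KB number is a placeholder, because the article does not list update identifiers; verify both the settings and the KB for your Windows build against the CVE pages before using this on a production server.

```powershell
# Added example, not from the Naked Security article or from Microsoft.
# Checks and applies the no-reboot TCP/IP workarounds Microsoft documented for
# CVE-2021-24074 (IPv4 source routing) and CVE-2021-24094 / CVE-2021-24086
# (IPv6 fragment reassembly). Run from an elevated PowerShell prompt.
#Requires -RunAsAdministrator

function Get-TcpIpWorkaroundState {
    # IPv4: the default SourceRoutingBehavior (DontForward) still parses the
    # option and answers with ICMP; Microsoft's workaround is Drop.
    $v4 = (Get-NetIPv4Protocol).SourceRoutingBehavior

    # IPv6: the reassembly limit is only exposed through netsh, so parse the
    # "Reassembly Limit : <n> bytes" line from its global settings output.
    $v6Line  = netsh interface ipv6 show global | Where-Object { $_ -match 'Reassembly Limit' }
    $v6Limit = if ($v6Line -match ':\s*(\d+)') { [int]$Matches[1] } else { $null }

    [pscustomobject]@{
        IPv4SourceRouting        = $v4
        IPv4SourceRoutingDropped = ($v4 -eq 'Drop')
        IPv6ReassemblyLimit      = $v6Limit
        IPv6ReassemblyDisabled   = ($v6Limit -eq 0)
    }
}

function Test-FebruaryUpdateInstalled {
    # Placeholder: the article gives no KB numbers. Look up the February 2021
    # cumulative update KB for your Windows build and pass it in.
    param([Parameter(Mandatory)][string]$Kb)
    [bool](Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Set-TcpIpWorkaround {
    # Applies either or both workarounds and returns the state before and
    # after, so the original IPv6 reassembly limit is recorded for rollback.
    param([switch]$IPv4, [switch]$IPv6)

    $before = Get-TcpIpWorkaroundState

    if ($IPv4 -and -not $before.IPv4SourceRoutingDropped) {
        Set-NetIPv4Protocol -SourceRoutingBehavior Drop
    }
    if ($IPv6 -and -not $before.IPv6ReassemblyDisabled) {
        # Caveat: this drops ALL fragmented IPv6 traffic, legitimate or not,
        # until the patch is installed and the limit is restored.
        netsh interface ipv6 set global reassemblylimit=0 | Out-Null
    }

    [pscustomobject]@{ Before = $before; After = Get-TcpIpWorkaroundState }
}

# Usage (interactive): show the current state, then apply both workarounds
# if the update is not yet installed. Replace KB0000000 with the real KB.
Get-TcpIpWorkaroundState
if (-not (Test-FebruaryUpdateInstalled -Kb 'KB0000000')) {
    Set-TcpIpWorkaround -IPv4 -IPv6
}
```

Treat the workarounds as a stopgap only: disabling IPv6 reassembly breaks any service that relies on fragmented IPv6 traffic, and the source-routing change only covers the IPv4 bug. Keep the Before object that Set-TcpIpWorkaround returns so you can restore the original reassembly limit with the same netsh command once the update is on and the machine has been rebooted.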

JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0-DAYS IN PLAIN ENGLISH

Watch directly on YouTube if the video won’t play here.
Click the cog icon to speed up playback or to show subtitles.
