December 2021 Patch Tuesday has seen Microsoft issue fixes for 67 vulnerabilities across its product suite, including 6 zero-day vulnerabilities and 7 critical flaws, with 60 vulnerabilities rated important.
One of the zero-day vulnerabilities, a Windows AppX Installer issue tracked as CVE-2021-43890, is being actively exploited in real-world attacks to distribute malware such as Emotet, TrickBot, and BazarLoader. The phishing campaigns direct victims to a malicious webpage where they are presented with a notification about a fake Adobe PDF component that needs to be installed in order to read a shared PDF file. The patch to address this important-rated spoofing vulnerability will not prevent malware distribution, but it will ensure that the installer cannot be spoofed to appear valid.
The remaining five zero-day vulnerabilities are all elevation of privilege vulnerabilities that have been made public, but they are not believed to have been exploited. They affect Windows NTFS (CVE-2021-43240), Windows Print Spooler Components (CVE-2021-41333), Windows Mobile Device Management (CVE-2021-43880), Windows Encrypting File System (CVE-2021-43893), and Windows Installer (CVE-2021-43883). An exploit is believed to have been made public for the Windows Installer bug.
The critical vulnerabilities are all remote code execution vulnerabilities or can lead to remote code execution. They are:
- CVE-2021-43907 – Visual Studio Code – WSL Extension – CVSS 9.8
- CVE-2021-43215 – Internet Storage Name Service – CVSS 9.8
- CVE-2021-43899 – Microsoft Devices – CVSS 9.8
- CVE-2021-43905 – Microsoft Office – CVSS 9.6
- CVE-2021-42310 – Microsoft Defender for IoT – CVSS 8.1
- CVE-2021-43217 – Windows Encrypting File System (EFS) – CVSS 8.1
- CVE-2021-43233 – Remote Desktop Client – CVSS 7.0
This year, Microsoft has issued patches to fix 887 vulnerabilities across its product suite, which is a 29% reduction from 2020.
Adobe Patches 60 CVEs on December 2021 Patch Tuesday
Adobe has released a slew of patches this month to address 60 vulnerabilities across 11 products. 28 of the vulnerabilities are rated critical and can lead to remote code execution.
Patches have been released for the following products:
- Adobe Premiere Rush – 16 vulnerabilities: 11 critical, 5 important
- Adobe Experience Manager – 8 vulnerabilities: 6 critical, 2 important
- Adobe Connect – 1 vulnerability (Important)
- Adobe Photoshop – 3 vulnerabilities: 2 critical, 1 important
- Adobe Prelude – 2 vulnerabilities: 1 critical, 1 important
- Adobe After Effects – 10 vulnerabilities: 2 critical, 7 important, 1 moderate
- Adobe Dimension – 6 vulnerabilities: 3 critical, 1 important, 2 moderate
- Adobe Premiere Pro – 5 vulnerabilities: 1 critical, 4 moderate
- Adobe Media Encoder – 5 vulnerabilities: 2 critical, 3 moderate
- Adobe Lightroom – 1 vulnerability (Important)
- Adobe Audition – 3 vulnerabilities (Moderate)
Prompt patching is recommended in all cases, and priority should be given to the critical and zero-day bugs.