CyberScotland Bulletin

Microsoft released its monthly security update on Tuesday 14^th December 2021, disclosing 67 vulnerabilities across its suite of products.

This Patch Tuesday, the breakdown of vulnerabilities includes 7 Critical ratings, and 6 zero-days, one of which is being actively exploited.

CVE-2021-41333 – Windows Print Spooler Elevation of Privilege

CVE-2021-43240 – NTFS Set Short Name Elevation of Privilege bug

CVE-2021-43880 – Elevation of Privilege in Windows Mobile Device Management

CVE-2021-43883 – Privilege escalation impacting Windows Installer

CVE-2021-43890 – Windows AppX Installer Spoofing

CVE-2021-43893 – Elevation of Privilege in Windows EFS

With this round of patches, Microsoft has addressed a total of 887 CVEs in 2021, according to stats by the Zero Day Initiative and zdnet.

A full list of Microsoft’s December 2021 Patches, their CVE’s severities, and updates can be found here: Microsoft Security Response Center

A zero-day was discovered in the Apache Log4j 2 library, which is a common logging utility featured in applications and services built using Java technology. The vulnerability, coined Log4Shell and tracked as CVE-2021-44228, can allow an attacker to perform remote code execution on systems that use vulnerable versions of Log4j. Exploiting this vulnerability is considered trivial and can be achieved with as little as a single line of code.

The earliest non-vulnerable version of the library is 2.17.0 (as of 21/12/2021). If an earlier version of the library is found to be in use by organisations, then it should be updated to the latest version.

Further information regarding this vulnerability can be found here: sbrcentre.co.uk

Google has released patches for five vulnerabilities in the Chrome web browser. One of the five vulnerabilities has been exploited in the wild. The Use-After-Free bug (meaning referencing memory after is has been freed) can cause the application to crash, become corrupted, or even execute code. Tracked as CVE-2021-4102, the bug exists in the V8 JavaScript and WebAssembley engine. The other four CVEs can be seen below.

CVE-2021-4099 – use after free vulnerability

CVE-2021-4100 – object lifecycle issue

CVE-2021-4101 – Heap buffer overflow vulnerability

CVE-2021-4098 – Insufficient Data Validation Issue

It is recommended that Google Chrome users update to the latest version, which is currently 96.0.4664.110.

Apple has released a series of updates for its operating systems, including iOS, macOS, tvOS, and watchOS. Among the addressed issues are two memory corruption vulnerabilities and two buffer overflow vulnerabilities, which could allow rogue applications to run malicious code. Furthermore, issues in which a person can retrieve passwords and sensitive data from the lock screen have been resolved. A macOS issue was also patched, in which a local user could exploit the Wi-Fi module to cause unexpected system termination.

It is recommended that Apple OS users update their devices to their most recent versions.