Patch Tuesday update

Chris Goettl, Vice President, Product Management at Ivanti, reports that Microsoft has resolved a total of 55 vulnerabilities (CVE’s) in the November Patch Tuesday release, six of which are rated as Critical.

The updates include the normal lineup of Windows OS, Office, Azure, and some dev tools like Visual Studio. The more painful part is likely going to be the Exchange update which contains a fix for one of two exploited vulnerabilities this month. Along with the two Zero Day vulnerabilities there are also four publicly disclosed vulnerabilities. From a risk perspective let’s start with the most severe, the two zero days.

Microsoft resolved a Remote Code Execution vulnerability in Microsoft Exchange server (CVE-2021-42321) that has been confirmed to be exploited in the wild. The vulnerability is rated as Important by Microsoft likely because the attacker must be authenticated to be able to exploit the vulnerability. This is a good example of the limits of vendor severity and CVSS scoring and how more information is required to fully understand what to prioritize. Exchange updates often need to be tested more by exchange admins, but an exploit in the wild puts a tighter timeframe on admins to get this vulnerability resolved.

Microsoft resolved a Security Feature Bypass in Microsoft Excel (CVE-2021-42292) that has been confirmed to be exploited in the wild. The exploit does not require authentication but does require user interaction. The Preview Pane is not an attack vector in this case.

Microsoft resolved a pair of Information Disclosure vulnerabilities in Remote Desktop Protocol (CVE-2021-38631 and CVE-2021-41371)) that could allow an RDP server administrator to read Windows RDP client passwords. These two CVEs have been publicly disclosed, but no exploits have currently been observed. The vulnerabilities are only rated as Important and the fact that the attacker would need to be an RDP admin to exploit the information disclosures would make them seem lower priority, but there could be ways for an insider threat to gain access to users credentials they should not have as an example.

Microsoft resolved a pair of Remote Code Execution vulnerabilities in 3D Viewer (CVE-2021-43209 and CVE-2021-43208) that have been publicly disclosed. The 3D Viewer is a Microsoft Store app and should auto update itself. You can verify the package using PowerShell to be sure the update has been applied. 3D Viewer is one of those apps that was installed by default on fresh Windows installs, but Microsoft announced that fresh installs using Windows 10 build 21332 or later would no longer install Paint 3D or 3D Viewer by default.

The urgency this month is on Exchange and Office updates to resolve the two Zero Day vulnerabilities. Beyond these updates is a broader response to vulnerabilities that are known to be trending amongst threat actors. BOD 22-01 was issued to drive federal agencies to mitigate actively exploited vulnerabilities, but any organization should be taking this as good guidance to improve their vulnerability management processes.

Organizations who adopt a risk-based approach to vulnerability management would identify vulnerabilities that find their way onto a list like this as part of their day-to-day vulnerability management activities. Risk-based analysis of the vulnerabilities in the DHS CISA advisory can help prioritize activities for organizations to respond to, starting with the worst of them first:

•A total 287 CVEs are released in the alert

o32 of them are trending in the last 30 days where attackers are focused on targeting and advancing their tactics

o53 CVEs are actively used by Ransomware groups

o54 CVEs are used by Malware authors

o87 CVEs are capable of a Remote Code Execution

o166 CVEs are Weaponized

The focus should be Trending - Ransomware - Malware - RCEs – Weaponized. A Risk-Based Vulnerability Management solution provides this type of analysis out of the box helping prioritize actions quickly and efficiently.

Research shows ‘game needs to be changed,’ with security innovation years behind that of the attackers, the board a decade behind security discussions and regulation needing more industry input.
73% of organizations lack automated patch management, and 62% experienced incidents involving exploitation of a vulnerability for which a patch was available but had not yet been deployed.
Quest Software has signed a definitive agreement with Clearlake Capital Group, L.P. (together with certain of its affiliates, “Clearlake”) to acquire the Company from Francisco Partners. Patrick Nichols, current CEO of Quest, will continue to lead the Company supported by the existing executive management team. Upon closing of the transaction, Clearlake will become the majority shareholder in Quest. The terms of the transaction were not disclosed.
Dell EMC PowerProtect Cyber Recovery for AWS provides a fast, easy-to-deploy public cloud vault to help secure, isolate and recover data from a ransomware attack.
Aqua’s cloud native application protection platform becomes the only solution that protects cloud applications, their code, and their CI/CD infrastructure.
54% of organisations working on a security transformation project now or in the next 12 months.
Node4 has released its Mid-Market IT Priorities Report 2021. The independent report reveals that the UK’s Mid-Market IT Leadership expects to see a shortfall in IT spend in 2022. While 52% of IT decision-makers believe their 2021 budget met the ambitions of their team, there seems to be less certainty and confidence about future finances — 61% think their budget will need to increase in 2022, but only 13% expect it to.
Zscaler Zero Trust exchange cloud-based architecture enables superior green security capabilities compared to legacy on-premises hardware and appliance-based models.