Microsoft Patches Actively Exploited Windows Zero-Day Bug

1 week ago

On Patch Tuesday, Microsoft fixed 66 CVEs, including an RCE bug in MSHTML under active attack as threat actors passed around guides for the drop-dead simple exploit.

In September’s Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, 3 of which are rated critical, and 1 of which – the Windows MSHTML zero-day – has been under active attack for about 2 weeks.

One other bug is listed as publicly known but isn’t (yet) being exploited. Immersive Labs’ Kevin Breen, director of cyber threat research, observed that with only 1 CVE under active attack in the wild, it’s “quite a light Patch Tuesday” – at least on the surface, that is.

The flaws were found in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS and the Windows Subsystem for Linux.


Of the 66 new CVEs patched today, 3 are rated critical, 62 are rated important, and 1 is rated moderate in severity.

Over the past 9 months of 2021, this is the seventh month in which Microsoft patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond spent 8 months pouring out more than 100 CVE patches per month. But while the overall number of vulnerabilities is lighter, the severity ratings have ticked up, as the Zero Day Initiative noted.

Some observers pegged the top patching priority in this month’s batch as being a fix for CVE-2021-40444: an important-rated vulnerability in Microsoft’s MSHTML (Trident) engine that rates 8.8 out of 10 on the CVSS scale.

Disclosed on Sept. 7, it’s a painfully throbbing sore thumb, given that researchers developed a number of proof-of-concept (PoC) exploits showing how drop-dead simple it is to exploit, and attackers have been sharing guides on how to do just that.

Under Active Attack: CVE-2021-40444

It’s been about 2 weeks since this serious, simple-to-exploit bug has been under active attack, and it’s been about a week since attackers started to share blueprints on how to carry out an exploit.

Microsoft said last week that the flaw could let an attacker “craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine,” after which “the attacker would then have to convince the user to open the malicious document.” Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.

An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.

Satnam Narang, staff research engineer at Tenable, noted via email that there have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware: a solid reason to put the patch at the top of your priority list.

“There are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible,” Narang told Threatpost.

Last Wednesday, Sept. 8, Kevin Beaumont – head of the security operations center for U.K. fashion retailer Arcadia Group and a past senior threat intelligence analyst at Microsoft – noted that the exploit had been in the wild for about a week or more.

It got worse: Last Thursday, Sept. 9, threat actors began sharing exploit how-tos and PoCs for the Windows MSHTML zero-day. BleepingComputer gave it a try and found that the guides are “simple to follow and [allow] anyone to create their own working version” of the exploit, “including a Python server to distribute the malicious documents and CAB files.”

It took the outlet all of 15 minutes to recreate the exploit.

A week ago, on Tuesday, Sept. 7, Microsoft and the Cybersecurity and Infrastructure Security Agency (CISA) had urged mitigations of the remote-code execution (RCE) flaw, which is found in all modern Windows operating systems.

Last week, the company didn’t say much about the bug in MSHTML, aka Trident, which is the HTML engine built into Windows since Internet Explorer debuted more than 20 years ago and which allows Windows to read and display HTML files.

Microsoft did say, however, that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.

In spite of there being no security updates available for the vulnerability at that time, Microsoft went ahead and disclosed it, along with mitigations meant to help prevent exploitation.

Mitigations That Don’t Mitigate

Tracked as CVE-2021-40444, the flaw is serious enough that CISA sent its own advisory, alerting users and administrators and recommending that they use the mitigations and workarounds Microsoft recommended – mitigations that try to prevent exploitation by blocking ActiveX controls and Word/RTF document previews in Windows Explorer.

Emphasis on “try to”: Unfortunately, those mitigations proved to be less than foolproof, as researchers, including Beaumont, managed to modify the exploit so that it didn’t use ActiveX, effectively skirting Microsoft’s mitigations.

The Zero Day Initiative said that for now, the most effective defense is “to apply the patch and avoid Office docs you aren’t expecting to receive.”

Be sure to carefully review and install all the needed patches for your setup: There’s a long list of updates for specific platforms, and it’s important not to slather on too thin a layer of protection.

Credit for finding this bug goes to Rick Cole of MSTIC; Bryce Abdo, Dhanesh Kizhakkinan and Genwei Jiang, all from Mandiant; and Haifei Li of EXPMON.
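The ActiveX-blocking workaround referred to above was a registry change: Microsoft’s advisory had administrators set the Internet Explorer zone policies 1001 (download signed ActiveX controls) and 1004 (download unsigned ActiveX controls) to 3, meaning “disable,” for security zones 0 through 3 under the HKLM policies hive. The PowerShell below is an added example written for this article, not Microsoft’s published script: it first audits those values on the local machine and only then applies the block where a zone is still open. The function names and the output layout are this example’s own choices.

```powershell
# Added example (not from the article or from Microsoft): audit and apply the
# registry-based ActiveX block that Microsoft published as a workaround for
# CVE-2021-40444. Run from an elevated PowerShell prompt.

$ZonesBase     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$ActiveXValues = @('1001', '1004')   # 1001 = signed ActiveX download, 1004 = unsigned
$Disabled      = 3                   # 3 = "disable" for these zone settings

# Report the current state of both ActiveX download settings in zones 0-3.
function Get-ActiveXZoneState {
    foreach ($zone in 0..3) {
        $path = Join-Path $ZonesBase $zone
        foreach ($name in $ActiveXValues) {
            $current = $null
            if (Test-Path $path) {
                $current = (Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Zone      = $zone
                Setting   = $name
                Value     = $current
                Mitigated = ($current -eq $Disabled)
            }
        }
    }
}

# Create the policy keys if needed and force both settings to "disable".
function Set-ActiveXZoneBlock {
    foreach ($zone in 0..3) {
        $path = Join-Path $ZonesBase $zone
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        foreach ($name in $ActiveXValues) {
            New-ItemProperty -Path $path -Name $name -PropertyType DWord -Value $Disabled -Force | Out-Null
        }
    }
}

# Audit first; change the machine only if at least one zone is still open.
$state = Get-ActiveXZoneState
$state | Format-Table -AutoSize
if ($state | Where-Object { -not $_.Mitigated }) {
    Set-ActiveXZoneBlock
    Write-Host 'ActiveX download disabled in zones 0-3; restart to be sure the policy is applied.'
    Get-ActiveXZoneState | Format-Table -AutoSize
}
```

Treat the audit output as a compensating-control check rather than proof of safety: as the article notes, researchers produced variants of the exploit that did not rely on ActiveX at all, so this setting reduces exposure only until the September patch is installed.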

Baddest Bug Award

The award for baddest bug – or at least, the one with the highest severity rating, with a CVSS score of 9.8 – goes to CVE-2021-38647: a critical remote-code execution (RCE) vulnerability in Open Management Infrastructure.

OMI is an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards.

“This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system,” the Zero Day Initiative explained. That makes it high priority: ZDI recommended that OMI users test and deploy this one quickly.

Yet More PrintNightmare Patches

Microsoft also patched 3 elevation-of-privilege vulnerabilities in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447), all rated important.

These are the 3 latest fixes in a steady stream of patches for flaws in Windows Print Spooler that followed the disclosure of PrintNightmare in June. This most likely won’t be the last patch in that parade: Tenable’s Narang told Threatpost that “researchers continue to discover ways to exploit Print Spooler” and that the firm expects “continued research in this area.”

Only 1 – CVE-2021-38671 – of today’s patch trio is rated as “exploitation more likely.” Regardless, organizations should prioritize patching these flaws as “they are extremely valuable to attackers in post-exploitation scenarios,” Narang observed.

More ‘Exploitation More Likely’

Immersive’s Breen told Threatpost that a trio of local privilege-escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) are also noteworthy, all of them being listed as “exploitation more likely.”

“Local priv-esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access,” Breen said via email. “This allows them to disable antivirus, delete backups and ensure their encryptors can reach even the most sensitive of files.”

One glaring example of that emerged in May, when hundreds of millions of Dell users were found to be at risk from kernel-privilege bugs. The bugs lurked undisclosed for 12 years, and could have allowed attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement.

The 3 exploits Microsoft patched on Tuesday aren’t remote, meaning that attackers need to have achieved code execution by other means. One such way would be via CVE-2021-40444.

Two other vulnerabilities – CVE-2021-38639 and CVE-2021-36975, both Win32k escalation-of-privilege flaws – have also been listed as “exploitation more likely” and, together, cover the full range of supported Windows versions.

Breen said that he’s starting to feel like a broken record when it comes to privilege-escalation vulnerabilities. They’re not rated as high a severity risk as RCE bugs, but “these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker,” he asserted. “If you can block them here you have the potential to significantly limit their damage.”

He added: “If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I would argue that patching priv-esc vulnerabilities is even more important than patching any other remote code-execution vulns.”

Still, This RCE Is Pretty Important

Danny Kim, a principal architect at Virsec who spent time at Microsoft during his graduate work on the OS security development team, wants security teams to pay attention to CVE-2021-36965 – an important-rated Windows WLAN AutoConfig Service RCE vulnerability – given its combination of severity (with a CVSS:3.0 base score of 8.8); no need for privilege escalation or user interaction to exploit; and breadth of affected Windows versions.

The WLAN AutoConfig Service is part of the mechanism that Windows 10 uses to choose the wireless network a computer will connect to.

The patch fixes a flaw that could let network-adjacent attackers run their code on affected systems at system level.

As the Zero Day Initiative explained, that means an attacker could “completely take over the target – provided they are on an adjacent network.” That would come in quite handy in a coffee-shop attack, where multiple people use an unsecured Wi-Fi network.

This one “is especially alarming,” Kim said: Think SolarWinds and PrintNightmare.

“As recent trends have shown, remote code execution-based attacks are the most critical vulnerabilities that can lead to the largest negative impact on an enterprise, as we have seen in the Solarwinds and PrintNightmare attacks,” he said in an email.

Kim said that in spite of the exploit code maturity being currently unproven, the vulnerability has been confirmed to exist, leaving an opening for attackers.

“It specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker’s end goal,” he predicted. “Remote code execution attacks can lead to unverified processes running on the server workload, only highlighting the need for constant, deterministic runtime monitoring. Without this protection in place, RCE attacks can lead to a total loss of confidentiality and integrity of an enterprise’s data.”

The Zero Day Initiative also found this one alarming. Even though it requires proximity to a target, it requires no privileges or user interaction, so “don’t let the adjacent aspect of this bug diminish the severity,” it said. “Definitely test and deploy this patch quickly.”

And Don’t Forget to Patch Chrome

Breen told Threatpost via email that security teams should also pay attention to 25 vulnerabilities patched in Chrome and ported over to Microsoft’s Chromium-based Edge.

Browsers are, after all, windows into things both private, sensitive and valuable to criminals, he said.

“I cannot underestimate the importance of patching your browsers and keeping them up to date,” he stressed. “After all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you’re thinking about your online banking or the data collected and stored by your organization’s web apps, they could all be exposed by attacks that exploit the browser.”
