As you know, our usual Patch Tuesday advice comes down to four words: “Patch early, patch often.”
Microsoft’s patches this month fix 56 recently reported vulnerabilities, four of which could give attackers a chance to craft remote code execution (RCE) exploits.
Remote code execution is where innocent-looking data sent in from outside the network can trigger a bug and take over the computer.
Bugs that make it possible for booby-trapped data to trick your computer into running untrusted code are much sought after by cybercriminals, because they typically allow the crooks to get in and deploy malware …
… without any “Are you sure?” warning, without needing credentials such as a username and password, and sometimes without leaving any obvious traces in the system logs.
With all this in mind, the statistic “56 fixes, including 4 RCEs” is on its own more than enough of a risk to make patching a priority.
In the wild
In addition to the four potential RCE holes mentioned above, there is also a patch for a bug called CVE-2021-1732 that is already being abused by attackers.
A bug that is already being attacked before a patch comes out is known as a zero-day: the crooks got there first, so there were zero days during which you could have patched to get ahead of them.
Fortunately, this zero-day isn’t an RCE hole, so the crooks can’t use it to break into your network in the first place.
Unfortunately, it is an elevation of privilege (EoP) bug in the Windows kernel itself, which means that crooks who have already broken into your network can abuse the flaw to give themselves almighty powers.
Having crooks on your network is bad enough, but if their network privileges are the same as a regular user’s, the damage they can do is often quite limited. (That’s why your own sysadmins almost certainly don’t let you run with administrator rights any more, as was common back in the 2000s.)
Ransomware criminals, for example, often spend time at the start of their attack looking for an EoP bug that they can exploit to promote themselves to the same power and authority as your administrators.
If they can get domain administrator rights, they are suddenly on an equal footing with your own IT department, so they can do pretty much whatever they want.
Intruders with access to an EoP exploit will probably be able to: access and map your entire network; change security settings; install or remove whatever software they like on any computer; copy or modify any files they like; tamper with system logs; find and destroy online backups; and even create secret “back door” accounts that they can use to get back in if you find them this time and kick them out.
But that’s not all
If you are not yet convinced to patch early and patch often, you may also want to read the special Microsoft security bulletin entitled Multiple Security Updates Affecting TCP/IP.
The three vulnerabilities listed in that bulletin are designated CVE-2021-24074, CVE-2021-24094 and CVE-2021-24086.
The bugs they represent are very interesting, though.
Although Microsoft admits that two of them could, in theory, be exploited for remote code execution (so they account for 2 of the 4 RCE bugs mentioned above), that is not what worries Microsoft most right now:
The two RCE vulnerabilities are complex, making it difficult to create functional exploits, so they are unlikely [to be abused] in the short term. We believe that attackers will be able to create DoS exploits much more quickly, and we expect that all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend that customers move quickly to apply Windows security updates this month.
DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers could receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.
DoS, of course, is short for denial of service – a type of vulnerability that is often downplayed as “least among equals” compared to security holes such as RCE and EoP.
Denial of service means exactly what it says: the crooks can’t take over a vulnerable service, program or system, but they can stop it working altogether.
Unfortunately, these three DoSable holes are low-level bugs in the Windows kernel driver tcpip.sys, and the flaws can, in theory, be tickled and triggered simply by the computer receiving incoming network packets.
In other words, merely parsing the packets in order to decide whether to accept and trust them in the first place might be enough to crash the target computer, which could of course be a mission-critical internet-facing server.
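To make that last point concrete, here is an added toy example (not code from the original article, and not the tcpip.sys defects themselves) of why the parsing step alone can be the weak spot: a small walker over IPv4-style type/length/data options, with a naive version that believes the length byte beside a bounds-checked version that drops malformed input instead of falling over. The option bytes are constructed for illustration.

```python
# Added toy illustration (constructed, not the actual tcpip.sys defects): an IPv4-style
# option walker showing how parsing itself can fall over before a packet is "trusted".
def parse_options_naive(opts: bytes) -> list:
    """Believes the length byte: missing length -> IndexError, length 0 -> hang."""
    i, parsed = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:             # End of Option List
            break
        if kind == 1:             # No-Operation: one byte, no length field
            i += 1
            continue
        length = opts[i + 1]      # IndexError if the packet ends here
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length               # length == 0 -> cursor never moves: endless loop
    return parsed

def parse_options_safe(opts: bytes) -> list:
    """Checks each length against the bytes actually present; rejects, never crashes."""
    i, parsed = 0, []
    while i < len(opts):
        kind = opts[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option header truncated")
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError(f"option {kind} has impossible length {length}")
        parsed.append((kind, bytes(opts[i + 2:i + length])))
        i += length
    return parsed

def classify(opts: bytes, parser=parse_options_safe) -> str:
    """Receiver outcome: 'accept', 'drop: <why>' (safe parser) or 'crash: ...' (naive)."""
    try:
        parser(opts)
        return "accept"
    except ValueError as err:
        return f"drop: {err}"
    except IndexError:
        return "crash: parser ran off the end of the packet"

# Constructed samples (option bytes only): well-formed; NOP then a type with no length; oversized.
GOOD_OPTS = bytes([7, 7, 4, 0, 0, 0, 0, 1, 0])
TRUNCATED_OPTS = bytes([1, 7])
OVERSIZED_OPTS = bytes([7, 11, 4, 0, 0])
```

Note that the naive parser quietly accepts the oversized option too, returning fewer data bytes than the header claims, which is the kind of inconsistency that becomes memory corruption in a kernel driver written in C.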
What to do?
Microsoft itself is warning you to prioritise these patches if you are rolling out your updates one at a time, and has even proposed workarounds for those who are still wary of the “patch early” principle:
It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server.
Workarounds notwithstanding, we’re with Microsoft on this one, and we wholeheartedly agree with the words essential and as soon as possible.
Don’t delay. Do it today!
JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0-DAYS IN PLAIN ENGLISH