Microsoft December 2021 Patch Tuesday: Zero-day exploited to spread Emotet malware

This month's round of security fixes includes a patch for a zero-day vulnerability being actively exploited in the wild.
Written by Charlie Osborne, Contributing Writer

Microsoft has released 67 security fixes for software, including seven critical issues and a zero-day flaw being actively exploited by cybercriminals.

In the Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed problems in software including Remote Code Execution (RCE) vulnerabilities, privilege escalation security flaws, spoofing bugs, and denial-of-service issues.

Products impacted by Microsoft's December security update include Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client. 


Among the most severe vulnerabilities resolved in this update are six zero-days, although only one is known to be actively exploited in the wild:

  • CVE-2021-43890: This Windows AppX Installer Spoofing zero-day vulnerability, issued a CVSS severity score of 7.1 and rated important, is publicly known and under exploitation. Microsoft says that it is "aware of attacks that attempt to exploit this vulnerability by using specially crafted packages" and that the bug is being weaponized to spread the Emotet/Trickbot/Bazaloader malware families. 
  • CVE-2021-41333: Issued a CVSS score of 7.8, this Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity. 
  • CVE-2021-43880: This security flaw is described as a Windows Mobile Device Management Elevation of Privilege (EoP) vulnerability that allows local attackers to delete targeted files on a system.
  • CVE-2021-43893: James Forshaw of Google Project Zero reported this issue (CVSS 7.5), which is described by Microsoft as an EoP in the Windows Encrypting File System (EFS). 
  • CVE-2021-43240: Issued a CVSS score of 7.8, Microsoft says this flaw, an NTFS Set Short Name elevation of privilege bug, has proof-of-concept exploit code available and is known publicly.
  • CVE-2021-43883: The final zero-day flaw impacts Windows Installer. This issue, assigned a CVSS score of 7.8, can permit unauthorized privilege escalation. 

An additional 16 CVEs in the Chromium-based Edge browser were patched earlier this month.  

According to the Zero Day Initiative (ZDI), 887 CVE-assigned vulnerabilities have been patched by Microsoft this year. While this figure may seem high, the team notes this is a 29% decrease from 2020 (not including Chromium-based Edge). 

Last month, Microsoft resolved 55 bugs in the November batch of security fixes. In total, six were assigned critical ratings and 15 were remote code execution issues. Zero-day vulnerabilities, too, were resolved by the tech giant.

A month prior, the tech giant tackled 71 vulnerabilities during the October Patch Tuesday. This included four zero-day flaws, one of which was being actively exploited in the wild. 

In other Microsoft security news, the company recently warned that a patched Exchange Server post-authentication flaw, tracked as CVE-2021-42321, is being weaponized in new attacks -- adding to the past year's woes surrounding four zero-days in the server platform.

The company also recently published research on Iranian threat actors and their ranking in the cybercriminal space. Microsoft says that there has been a massive surge in Iran state-sponsored attacks this year against IT services, despite such attacks being close to non-existent in 2020.

Alongside Microsoft's Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.
