Microsoft patched 74 unique security vulnerabilities in December 2021, including six zero-day exploits. We analyzed these weaknesses and spotlighted the most important vulnerabilities, which should be fixed as a priority.
Microsoft Patches – Overview
This December, Microsoft patched 74 vulnerabilities discovered in 2021.
- The number of CVEs classified as remote code execution bugs: 26
- The number of CVEs with privilege escalation capabilities: 22
- The number of CVEs linked to information disclosure: 10
- The number of CVEs with denial-of-service capabilities: 3
- The number of CVEs with spoofing possibilities: 7
Five of these bugs are listed as publicly known, and one is listed as being publicly exploited.
Zero-Days
Microsoft released fixes for six zero-day vulnerabilities this month.
- CVE-2021-43890: Windows AppX Installer
- CVE-2021-43240: NTFS Set Short Name
- CVE-2021-41333: Windows Print Spooler
- CVE-2021-43880: Windows Mobile Device Management
- CVE-2021-43883: Windows Installer
- CVE-2021-43893: Windows Encrypting File System (EFS)
CVE-2021-43890 is a zero-day spoofing vulnerability in Windows AppX Installer. It was assigned a CVSS severity score of 7.1 (High), and is both publicly known and under active exploitation. According to Microsoft, it has been linked to attacks tied to the Emotet/TrickBot/BazaLoader malware families. To exploit this vulnerability, an attacker would need to get a user to open a malicious attachment, which would most likely be delivered through a phishing attack.
For those who have not been able to install a patch, Microsoft has provided a few workarounds.
Severity Scores
CWE Analysis
When analyzing these vulnerabilities based on the Common Weakness Enumeration (CWE) categorization, 19 CVEs carry a CWE of CWE-269 (Improper Privilege Management) that falls under 2021 CWE Top 30 Most Dangerous Software Weaknesses. On the whole, 25 CVEs have not been assigned a CWE Identifier yet.
Product Analysis
The December patch package affects the following products: Microsoft Azure, the Chromium-based Edge browser, and Microsoft Office, as well as associated products such as ASP.NET Core and Visual Studio, Microsoft PowerShell, Windows Codecs Library, Remote Desktop Client, Windows Hyper-V, Visual Studio Code, Windows Installer, Windows Encrypting File System, Windows Kernel, Windows Media, Windows NTFS, Windows Print Spooler Components, and Windows Mobile Device Management. Windows products received fixes for 21 vulnerabilities.
Table: Microsoft December Patches 2021
Microsoft fixed a total of 887 CVEs this year, a 29% drop from 2020. We recommend prompt patching in all circumstances, and priority should be given to the critical and zero-day bugs.