The latest of this year, December’s patch Tuesday brought fixes for six 0-day vulnerabilities in Microsoft products, including a bug in the Windows AppX Installer that uses Emotet malware to spread.
Microsoft patched 67 vulnerabilities in its products this month, seven of which are classified as critical and 60 are classified as important. Separately, Microsoft has fixed 16 bugs in Microsoft Edge for a total of 83 bugs.
Interestingly, according to ZDI data, the latest set of fixes increased the total number of bugs fixed in 2021 to 887, which is almost 30% less than in 2020.
One of the major fixes this month is the patch for CVE-2021-43890 (7.1 CVSS). This vulnerability in the Windows AppX Installer is reportedly already under attack. Microsoft says the bug can be exploited remotely by low-privilege attackers without user interaction. In particular, the problem is already being used to distribute various malicious programs, including the Emotet, TrickBot and BazarLoader malware.
Bleeping and Computer reports that Emotet malware has recently spread using malicious Windows App Installer packages disguised as Adobe PDF. While Microsoft does not directly link CVE-2021-4389 to this campaign, the details the experts have shared with the community are completely consistent with the tactics used in the recent Emotet attacks.
Five other zero-day vulnerabilities that were patched in December were not seen in hacker attacks:
- CVE-2021-43240 (CVSS: 7.8) – privilege escalation in NTFS Set Short Name;
- CVE-2021-43883 (CVSS: 7.8) – Windows Installer privilege escalation;
- CVE-2021-41333 (CVSS: 7.8) – Windows Print Spooler privilege escalation;
- CVE-2021-43893 (CVSS: 7.5) – privilege escalation in Windows Encrypting File System (EFS);
- CVE-2021-43880 (CVSS: 5.5) – Windows Mobile Device Management privilege escalation.
Let me remind you that we also wrote that Emotet now installs Cobalt Strike beacons.