Winter is coming. At least that’s the case here in Texas; in some parts of the country and world, it’s already here. ‘Tis the season that brings hackers and attackers out in force, but there are ways to thwart their dastardly plans and prevent them from ruining your holiday fun.
As we wrap up another year (while wondering how it went by so quickly), it’s traditional to look back over the past eleven and a half months and reflect on what we’ve learned.
2020 and the pandemic brought about a paradigm shift in the corporate work world as “work from home” became not the exception, but the rule. Even as Covid restrictions eased and some places returned to almost-normal in 2021, the trend continued. Businesses and employees alike have discovered the benefits (and addressed the challenges) of remote work. It appears to be here to stay, so it’s important to consider our security strategies through that lens.
Keeping systems and devices that connect to the network, no matter where they’re physically located, up to date with security patches is the first line of defense against the onslaught of threats that are waiting just around the corner in 2022 – including continuing supply chain attacks, the cyber cold war, scaled-up data breaches, and more.
Let’s take a look at the security updates released on December 14.
Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you are unable to install the updates due to compatibility or other reasons. Known issues are addressed in the Release Notes.
This month’s updates include fixes for a total of sixty-seven vulnerabilities across the above products. As usual, in this blog post we’ll focus on the zero day and critical issues since they pose the greatest threat.
Critical and exploited vulnerabilities
Zero-day vulnerabilities are exploitable security flaws in software that are disclosed to the public or to attackers before they’re known to and patched by the software vendors. This year has seen an increase in the incidence of zero-day disclosures and attacks, so we will look first at this month’s zero-day vulnerabilities that have been fixed. There are six of them, but only one is reported as having been actively exploited.
Vulnerabilities being exploited in the wild
The following vulnerability has been detected as having already been exploited in the wild:
Other zero-day vulnerabilities patched
The following five vulnerabilities were publicly exposed prior to the release of a fix but have not, at the time of this writing, been detected as exploited in the wild:
Other critical vulnerabilities patched
The following seven vulnerabilities this month were classified as critical but had not been disclosed or exploited prior to patch release:
Important and moderate updates
In addition to the critical and zero-day updates listed above, this month’s patches address a number of vulnerabilities that are rated important. These include elevation of privilege, information disclosure, spoofing, and remote code execution issues. You can find the full list in the Security Updates Guide. The following are a few of note:
- KB5008244 – Windows 7 and Server 2008 R2 (monthly rollup)
- KB5008263 – Windows 8.1 and Server 2012 R2 (monthly rollup)
- KB5008215 – Windows 11
NOTES: As of October 2021, there are no longer optional, non-security releases for Windows 10, version 1909. Only cumulative monthly security updates will continue for Windows 10, version 1909.
Windows 10, version 2004 reached end of servicing on December 14, 2021. To continue receiving security and quality updates, Microsoft recommends that you update to the latest version of Windows 10.
Because of minimal operations during the holidays and the upcoming Western new year, there won’t be a preview release (known as a “C” release) for the month of December 2021. There will be a monthly security release (known as a “B” release) for December 2021. Normal monthly servicing for both B and C releases will resume in January 2022.
Applying the updates
Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service that’s built into the operating system.
Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.
Before rolling out an update to your production systems, you should always research whether there are known issues that could affect your particular machines and configurations. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found in the release notes.
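To confirm after deployment that a machine actually received the rollup listed above for its operating system, a local check like the following can be run. This is an added example, not part of the original post; the function names Get-ExpectedKb and Test-December2021Kb are hypothetical, and it assumes Windows PowerShell (it uses Get-WmiObject so that it also runs on the older systems listed).

```powershell
# Added example: map the three KB numbers from this post to the OS versions
# they apply to, then report whether the matching KB is present locally.
# Keys are prefixes of Win32_OperatingSystem.Version.
$KbByOsVersion = @{
    '6.1.'       = 'KB5008244'   # Windows 7 / Server 2008 R2 (monthly rollup)
    '6.3.'       = 'KB5008263'   # Windows 8.1 / Server 2012 R2 (monthly rollup)
    '10.0.22000' = 'KB5008215'   # Windows 11
}

function Get-ExpectedKb {
    param([Parameter(Mandatory = $true)][string]$OsVersion)
    foreach ($prefix in $KbByOsVersion.Keys) {
        if ($OsVersion.StartsWith($prefix)) { return $KbByOsVersion[$prefix] }
    }
    return $null   # OS is not one of those covered by the KBs listed in the post
}

function Test-December2021Kb {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $kb = Get-ExpectedKb -OsVersion $os.Version

    if (-not $kb) {
        $status = 'NoListedKb'
    } elseif (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        $status = 'Installed'
    } else {
        # The exact KB is absent. A later cumulative update or rollup that
        # contains the same fixes may be installed instead, so treat this
        # as "investigate", not as proof the machine is unpatched.
        $status = 'NotFound'
    }

    New-Object PSObject -Property @{
        Computer   = $env:COMPUTERNAME
        OS         = $os.Caption
        Version    = $os.Version
        ExpectedKb = $kb
        Status     = $status
    }
}

Test-December2021Kb | Format-List Computer, OS, Version, ExpectedKb, Status
```

A NotFound result is a prompt to review the machine's update history; a NoListedKb result means the OS (for example, Windows 10) needs a KB that is not among the three listed in this post.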
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in the Microsoft support article “Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830)”.
Third party releases
In addition to Microsoft’s security updates, this month’s Patch Tuesday brought a whopping eleven security bulletins/updates from Adobe, which will be discussed in more detail in this month’s Third Party Patch Roundup at the end of this month.