Microsoft Fixes Spoofing Flaw Used in Emotet Attacks

Microsoft has fixed a spoofing vulnerability in its Windows AppX Installer, which was being actively exploited by attackers.

Attackers were attempting to exploit the important-severity vulnerability (CVE-2021-43890) by using specially crafted packages that downloaded the Emotet, Trickbot and Bazaloader malware families, according to Microsoft. The flaw, which has been previously publicly disclosed, allows bad actors to craft malicious attachments that they can then use in phishing campaigns by convincing an email recipient to open the attachment. It exists in AppX Installer, which is used to install AppX apps on Windows 10 systems.

In November, researchers saw Emotet infections inching up again, ten months after law enforcement disrupted its infrastructure in an international coordinated operation. The new Emotet infections both leveraged the Trickbot malware as part of the infection chain and also installed Cobalt Strike beacons directly, rather than dropping an intermediate payload first, as previous versions did.

“It seems that code execution would occur at the logged-on user level, so attackers would likely combine this with another bug to take control of a system,” according to Dustin Childs, with Trend Micro's Zero Day Initiative, in an analysis of the bug. “This malware family has been going for some time now. It seems like it will be around for a bit longer.”

The vulnerability is one of 67 flaws patched by Microsoft on Tuesday as part of its regularly scheduled security release. Of these vulnerabilities, seven have been ranked as critical-severity remote code execution bugs.

One of the more severe vulnerabilities is a flaw that exists in iSNS Server, which ranks 9.8 out of 10 on the CVSS scale. The Internet Storage Name Service (iSNS) protocol maintains data about active Internet Small Computer System Interface (iSCSI) devices on the network, such as their IP addresses and node names. Microsoft said that “exploitation is more likely” for this vulnerability (CVE-2021-43215), as an attacker could send a specially crafted request to the iSNS server that could result in remote code execution. Of note, Windows iSNS is not installed by default.

Another critical-severity flaw that Microsoft addressed exists in the Microsoft 4K Wireless Display Adapter, and could allow an unauthenticated attacker to send specially crafted packets to a vulnerable device. While the flaw (CVE-2021-43899) has a 9.8 CVSS score ranking, Microsoft said that exploitation is “less likely,” as an attacker would need to be on the same network as the Microsoft 4K Display Adapter.

“Patching this won’t be an easy chore,” warned Childs. “To be protected, users need to install the Microsoft Wireless Display Adapter application from the Microsoft Store onto a system connected to the Microsoft 4K Wireless Display Adapter. Only then can they use the Update & Security section of the app to download the latest firmware to mitigate this bug.”

A remote code execution bug (CVE-2021-43907) in the Windows Subsystem for Linux (WSL) extension for Visual Studio Code, Microsoft’s source-code editor for Windows, Linux and macOS, is the third issue with a severe 9.8 CVSS score, though Microsoft said exploitation of this bug is "less likely." Another bug of note is a critical RCE flaw in the Microsoft Office app (CVE-2021-43905), which has a CVSS score of 9.6. According to researchers with Tenable, in order to exploit this flaw, attackers would need to create a malicious Microsoft Office document and convince users to open it.

“Microsoft says that the Preview Pane is not an attack vector, which means exploitation requires opening the document, not merely previewing it,” according to the researchers in an analysis. “Because this vulnerability exists in the Microsoft Office app, the patch for this flaw will be distributed through the Microsoft Store as part of an automatic update.”

The updates follow Microsoft's November set of patches, which included fixes for 55 vulnerabilities. These included a remote code execution vulnerability in Exchange Server, which was being exploited in the wild. The important-severity flaw (CVE-2021-42321) stemmed from an improper validation of cmdlet arguments, which are commands used in the PowerShell environment.