High Threat Security Alert (A21-12-09): Multiple Vulnerabilities in Microsoft Products (December 2021)


 

Published on: 15 December 2021

  
  

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components.  The list of security updates can be found at:

  • https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-Dec
  • https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#december-14-2021

Reports indicated that a remote code execution vulnerability (CVE-2021-4102) in Microsoft Edge (Chromium-based) and a spoofing vulnerability (CVE-2021-43890) in Windows AppX Installer are being actively exploited. System administrators are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

 

Affected Systems:

  • Microsoft Edge (Chromium-based) prior to version 96.0.1054.57
  • Microsoft Windows 7, 8.1, RT 8.1, 10, 11
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
  • Microsoft Windows Server, version 2004, version 20H2
  • Microsoft Office 2013, 2013 RT, 2016, 2019, 2019 for Mac, LTSC 2021, LTSC for Mac 2021
  • Microsoft Office Online Server
  • Microsoft Office Web Apps Server 2013
  • Microsoft Excel 2013, 2013 RT, 2016
  • Microsoft SharePoint Enterprise Server 2013, 2016
  • Microsoft SharePoint Foundation 2013
  • Microsoft SharePoint Server 2019
  • Microsoft Visual Studio 2019, 2022
  • Microsoft 365 Apps for Enterprise
  • ASP.NET Core 3.1, 5.0, 6.0
  • Bot Framework SDK for .NET Framework
  • HEVC Video Extensions
  • PowerShell 7.2
  • Raw Image Extension
  • Visual Studio Code
  • Visual Studio Code WSL Extension
  • VP9 Video Extensions

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, information disclosure, denial of service, spoofing or security restriction bypass.

 

Recommendation:

Patches for affected products are available from the Windows Update/Microsoft Update Catalog.  Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-Dec
  • https://docs.microsoft.com/en-us/DeployEdge/microsoft-edge-relnotes-security#december-14-2021
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-december-2021
  • https://www.cisa.gov/uscert/ncas/current-activity/2021/12/14/microsoft-releases-december-2021-security-updates
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4098 (to CVE-2021-4102)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40441
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40452
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40453
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41333
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41360
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41365
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42293 (to CVE-2021-42295)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42309 (to CVE-2021-42315)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42320
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43207
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43214 (to CVE-2021-43217)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43219
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43222 (to CVE-2021-43240)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43242 (to CVE-2021-43248)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43255
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43256
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43875
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43877
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43880
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43882
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43883
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43888 (to CVE-2021-43893)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43896
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43899
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43905
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43907
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-43908


Tag: Microsoft , Edge , Windows , Windows Server , Microsoft Office , Office Online Server , Microsoft Office Web Apps , Excel , SharePoint , Visual Studio , Microsoft 365 Apps , ASP.NET Core , Bot Framework SDK , HEVC Video Extensions , PowerShell , Raw Image Extension , Visual Studio Code , VP9 Video Extensions
Tags