Microsoft security alert.
December 14, 2021
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 59 vulnerabilities that were fixed in 13 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 13 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Office Security Update for December 2021
- Severity
- Critical 4
- Qualys ID
- 110396
- Vendor Reference
- KB4486726, KB4504710, KB4504745, KB5002033, KB5002097, KB5002098, KB5002099, KB5002101, KB5002103, KB5002104, KB5002105
- CVE Reference
- CVE-2021-42293, CVE-2021-42295, CVE-2021-43255, CVE-2021-43256, CVE-2021-43875
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released December 2021 security updates to fix multiple security vulnerabilities.
This security update contains the following:
MacOS Release Notes
Office Click-2-Run and Office 365 Release Notes
KB5002103
KB5002105
KB5002098
KB5002097
KB5002101
KB4504745
KB5002033
KB4486726
KB4504710
KB5002104
KB5002099
QID Detection Logic:
This authenticated QID checks the file versions from the Microsoft advisory with the versions on the affected Office system.
Note: Office Click-2-Run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
MacOS Release Notes
Office Click-2-Run and Office 365 Release Notes
KB5002103
KB5002105
KB5002098
KB5002097
KB5002101
KB4504745
KB5002033
KB4486726
KB4504710
KB5002104
KB5002099
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update December 2021
-
Microsoft SharePoint Enterprise Server and Foundation Multiple Vulnerabilities for December 2021
- Severity
- Critical 4
- Qualys ID
- 110397
- Vendor Reference
- KB5002008, KB5002015, KB5002045, KB5002047, KB5002054, KB5002055, KB5002059, KB5002061, KB5002071
- CVE Reference
- CVE-2021-42294, CVE-2021-42309, CVE-2021-42320, CVE-2021-43242, CVE-2021-43876
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released December security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5002045
KB5002054
KB5002055
KB5002071
KB5002015
KB5002047
KB5002061
KB5002008
KB5002059
QID Detection Logic:
This authenticated QID checks the file versions from the above Microsoft KB article with the versions on the affected SharePoint system.
- Consequence
-
Successful exploitation allows remote code execution.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5002045
KB5002054
KB5002055
KB5002071
KB5002015
KB5002047
KB5002061
KB5002008
KB5002059
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update December 2021
-
Microsoft PowerShell Spoofing Vulnerability
- Severity
- Medium 2
- Qualys ID
- 376161
- Vendor Reference
- CVE-2021-43896
- CVE Reference
- CVE-2021-43896
- CVSS Scores
- Base 4.3 / Temporal 3.2
- Description
-
Microsoft has released a security update for PowerShell which resolves an information disclosure vulnerability.
Note: This does not affect the Windows operating system.
Affected versions:
PowerShell versions prior to 7.2.x
QID Detection Logic: (Authenticated)
This QID detects vulnerable versions of PowerShell using pwsh --version.
- Consequence
- Successful exploitation of this vulnerability could lead to Disclosure of Sensitive Information.
- Solution
-
The vendor has released a patch for PowerShell.
For more information, please visit here.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43896
-
Microsoft Visual Studio Code Security Update for December 2021
- Severity
- Serious 3
- Qualys ID
- 376163
- Vendor Reference
- CVE-2021-43891, CVE-2021-43908
- CVE Reference
- CVE-2021-43891, CVE-2021-43908
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual Studio Code prior to version 1.63.1
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code.
- Consequence
-
Visual Studio Code is prone to Spoofing and Remote Code Execution Vulnerabilities.
- Solution
-
Customers are advised to refer to CVE-2021-43908 and CVE-2021-43891 for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
VS Code 1.63
-
Visual Studio Code WSL Extension Remote Code Execution (RCE) Vulnerability for December 2021
- Severity
- Urgent 5
- Qualys ID
- 376164
- Vendor Reference
- CVE-2021-43907
- CVE Reference
- CVE-2021-43907
- CVSS Scores
- Base 10 / Temporal 7.4
- Description
-
The Visual Studio Code Windows Subsystem for Linux (WSL) extension has a remote code execution vulnerability.
Affected Versions:
0.63.11
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code with WSL extension.
- Consequence
-
Visual Studio Code WSL extension is prone to remote code execution vulnerability
- Solution
-
Customers are advised to refer to CVE-2021-43907 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43907
-
Microsoft Edge Based on Chromium Prior to 96.0.1054.57 Multiple Vulnerabilities
- Severity
- Critical 4
- Qualys ID
- 376166
- Vendor Reference
- 96.0.1054.57, CVE-2021-4099, CVE-2021-4100, CVE-2021-4101, CVE-2021-4102
- CVE Reference
- CVE-2021-4098, CVE-2021-4099, CVE-2021-4100, CVE-2021-4101, CVE-2021-4102
- CVSS Scores
- Base 6.8 / Temporal 5.6
- Description
-
EdgeChromium has released a security update for Mac and Windows to fix the vulnerabilities.
QID Detection Logic: (Authenticated)
It checks package versions to identify the vulnerable packages.
Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.
- Consequence
- Successful exploitation of this vulnerability could lead to a security breach or could affect integrity, availability, and confidentiality.
- Solution
-
Customers are advised to upgrade to version 96.0.1054.57 or later
Patches:
The following are links for downloading patches to fix these vulnerabilities:
96.0.1054.57
-
Microsoft Visual Studio Security Update for December 2021
- Severity
- Serious 3
- Qualys ID
- 91843
- Vendor Reference
- CVE-2021-43877
- CVE Reference
- CVE-2021-43877
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
Microsoft has released a security update for Visual Studio which resolves an elevation of privilege vulnerability.
Affected Software:
Microsoft Visual Studio 2019 version 16.11 (includes 16.0-16.10)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0-16.8)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0-16.6)
and Microsoft Visual Studio 2022 version 17.0
- Consequence
-
The vulnerable versions of Visual Studio allow attackers to perform elevation of privilege attacks.
- Solution
-
Customers are advised to refer to CVE-2021-43877 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43877
-
Microsoft ASP.NET Core Security Update for December 2021
- Severity
- Serious 3
- Qualys ID
- 91844
- Vendor Reference
- CVE-2021-43877
- CVE Reference
- CVE-2021-43877
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
An elevation of privilege vulnerability exists in ASP.NET Core.
This security update is rated Important for supported versions of ASP.NET Core.
Affected versions:
ASP.NET Core 3.1 prior to version 3.1.22
ASP.NET Core 5.0 prior to version 5.0.13
and ASP.NET Core 6.0 prior to version 6.0.1
QID Detection Logic (Authenticated):
This QID looks for sub directories under %programfiles%\dotnet\shared\Microsoft.NETCore.App, %programfiles(x86)%\dotnet\shared\Microsoft.NETCore.App and checks for vulnerable versions in .version file on Windows.
- Consequence
-
Successful exploitation will lead to elevation of privilege.
- Solution
-
Customers are advised to refer to CVE-2021-43877 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43877
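The version comparison behind the ASP.NET Core check above can be reproduced on a host as follows. This is an added example, not Qualys detection code: it assumes the version-named subdirectories stand in for the contents of the .version file, and the function names are hypothetical.

```python
import os
import re
from pathlib import Path

# First fixed build per release branch, taken from the advisory text.
FIXED = {(3, 1): (3, 1, 22), (5, 0): (5, 0, 13), (6, 0): (6, 0, 1)}

# Install roots named in the detection logic (Windows environment variables).
RUNTIME_ROOTS = (
    r"%programfiles%\dotnet\shared\Microsoft.NETCore.App",
    r"%programfiles(x86)%\dotnet\shared\Microsoft.NETCore.App",
)

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?$")


def classify(version):
    """Return 'vulnerable', 'fixed', 'out-of-scope' or 'unparsed'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return "out-of-scope"  # branch not listed in the advisory
    if (major, minor, patch) < fixed:
        return "vulnerable"
    # A pre-release of the fixed build sorts before the fixed build itself.
    if (major, minor, patch) == fixed and m.group(4):
        return "vulnerable"
    return "fixed"


def audit(versions):
    """Map each installed version string to its classification."""
    return {v: classify(v) for v in versions}


def installed_versions(roots=RUNTIME_ROOTS):
    """List version-named subdirectories under the runtime roots, if present."""
    found = []
    for root in roots:
        path = Path(os.path.expandvars(root))
        if path.is_dir():
            found += [p.name for p in path.iterdir() if p.is_dir()]
    return found


if __name__ == "__main__":
    # Constructed sample, used when no runtime directory exists on this host.
    sample = ["3.1.21", "3.1.22", "5.0.12", "6.0.0", "6.0.1", "2.1.30"]
    for ver, state in audit(installed_versions() or sample).items():
        print(f"{ver:12} {state}")
```

Branches the advisory does not list are reported as out-of-scope rather than fixed, so end-of-life runtimes are not silently treated as patched.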
-
Microsoft Windows Codecs Library HEVC Video And Web Media Extensions Remote Code Execution (RCE) Vulnerability for December 2021
- Severity
- Critical 4
- Qualys ID
- 91845
- Vendor Reference
- CVE-2021-40452, CVE-2021-40453, CVE-2021-41360, CVE-2021-43214
- CVE Reference
- CVE-2021-40452, CVE-2021-40453, CVE-2021-41360, CVE-2021-43214
- CVSS Scores
- Base 7.5 / Temporal 5.5
- Description
-
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.
Affected Product:
"HEVC from Device Manufacturer" media codec before version 1.0.42702.0
"WEB from Device Manufacturer" media codec before version 1.0.42192.0
QID Detection Logic:
The detection gets the version of HEVCVideoExtension and WebMediaExtensions by querying WMI class Win32_InstalledStoreProgram.
- Consequence
-
An attacker who successfully exploited this vulnerability can compromise confidentiality, integrity and availability of the system.
- Solution
-
Users are advised to check CVE-2021-41360, CVE-2021-40452, CVE-2021-40453 and CVE-2021-43214 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-40452
CVE-2021-40453
CVE-2021-41360
CVE-2021-43214
-
Microsoft Windows Security Update for December 2021
- Severity
- Critical 4
- Qualys ID
- 91846
- Vendor Reference
- KB5008206, KB5008207, KB5008210, KB5008212, KB5008215, KB5008218, KB5008223, KB5008230, KB5008244, KB5008255, KB5008263, KB5008271, KB5008274, KB5008277, KB5008282, KB5008285
- CVE Reference
- CVE-2021-40441, CVE-2021-40452, CVE-2021-40453, CVE-2021-41333, CVE-2021-41360, CVE-2021-43207, CVE-2021-43214, CVE-2021-43215, CVE-2021-43216, CVE-2021-43217, CVE-2021-43219, CVE-2021-43222, CVE-2021-43223, CVE-2021-43224, CVE-2021-43226, CVE-2021-43227, CVE-2021-43228, CVE-2021-43229, CVE-2021-43230, CVE-2021-43231, CVE-2021-43232, CVE-2021-43233, CVE-2021-43234, CVE-2021-43235, CVE-2021-43236, CVE-2021-43237, CVE-2021-43238, CVE-2021-43239, CVE-2021-43240, CVE-2021-43243, CVE-2021-43244, CVE-2021-43245, CVE-2021-43246, CVE-2021-43247, CVE-2021-43248, CVE-2021-43880, CVE-2021-43893
- CVSS Scores
- Base 7.8 / Temporal 6.4
- Description
-
Microsoft Windows Security Update - December 2021
The KB Articles associated with the update:
KB5008263
KB5008285
KB5008277
KB5008255
KB5008244
KB5008282
KB5008274
KB5008271
KB5008207
KB5008230
KB5008212
KB5008215
KB5008223
KB5008206
KB5008210
KB5008218
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
- Consequence
-
Successful exploit could compromise Confidentiality, Integrity and Availability
- Solution
-
Please refer to the following KB articles:
KB5008263
KB5008285
KB5008277
KB5008255
KB5008244
KB5008282
KB5008274
KB5008271
KB5008207
KB5008230
KB5008212
KB5008215
KB5008223
KB5008206
KB5008210
KB5008218
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5008206
KB5008207
KB5008210
KB5008212
KB5008215
KB5008218
KB5008223
KB5008230
KB5008244
KB5008255
KB5008263
KB5008271
KB5008274
KB5008277
KB5008282
KB5008285
-
Microsoft Windows VP9 Video Extension Information Disclosure Vulnerability
- Severity
- Serious 3
- Qualys ID
- 91847
- Vendor Reference
- CVE-2021-43243
- CVE Reference
- CVE-2021-43243
- CVSS Scores
- Base 2.1 / Temporal 1.6
- Description
-
Microsoft has disclosed an information disclosure vulnerability in Windows VP9 Video Extensions.
Affected Product:
VP9 Video Extensions prior to version 1.0.42791.0
QID Detection Logic:
The detection gets the version of VP9VideoExtension by querying WMI class Win32_InstalledStoreProgram.
- Consequence
- The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.
- Solution
-
Users are advised to check CVE-2021-43243 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43243
-
Windows AppX Installer Spoofing Vulnerability
- Severity
- Critical 4
- Qualys ID
- 91848
- Vendor Reference
- CVE-2021-43890
- CVE Reference
- CVE-2021-43890
- CVSS Scores
- Base 6 / Temporal 5
- Description
-
CVE-2021-43890: Windows AppX Installer Spoofing Vulnerability
Affected Products:
Windows 10 version 1809 and later or any version of Windows 11
Windows 10 version 1709 or Windows 10 version 1803.
QID Detection Logic (Authenticated):
The detection gets the version of Microsoft.DesktopAppInstaller by querying WMI class Win32_InstalledStoreProgram.
The detection also checks the BlockNonAdminUserInstall and AllowAllTrustedAppToInstall policies.
For version 1.17.10633.0 or greater of the App Installer, the detection also checks whether the Group Policy EnableMSAppInstallerProtocol is set to Disabled.
- Consequence
- An attacker could craft a malicious attachment to be used in phishing campaigns.
- Solution
-
Please refer to CVE-2021-43890.
Workaround:
Option 1: Enable the following GPO to prevent non-admins from installing any Windows App packages. BlockNonAdminUserInstall - This policy setting manages the ability of non-administrator users to install (signed) Windows app packages. When enabled (value: 1), non-administrator users will be unable to initiate the installation of (signed) Windows app packages.
Option 2: Enable this GPO to prevent installing apps from outside the Microsoft Store. AllowAllTrustedAppToInstall - This policy setting allows you to manage the installation of trusted line-of-business (LOB) or developer-signed Windows Store apps. If you enable this policy setting, you can install any LOB or developer-signed Windows Store app (which must be signed with a certificate chain that can be successfully validated by the local computer).
Option 3: Disable the ms-appinstaller protocol, which is used to install apps directly from a website. ms-appinstaller - This will block all attempts to invoke the protocol from the browser. Specifically, how that looks to the user will depend on the construction of the page that tries to launch the protocol.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43890
-
Microsoft Office app Remote Code Execution (RCE) Vulnerability
- Severity
- Serious 3
- Qualys ID
- 91850
- Vendor Reference
- CVE-2021-43905
- CVE Reference
- CVE-2021-43905
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft Office app is prone to Remote Code Execution Vulnerability.
Affected Software:
App versions prior to 18.2110.13110.0
Detection Logic: (Authenticated)
The detection gets the version of MicrosoftOfficeHub by querying wmi class Win32_InstalledStoreProgram.
- Consequence
-
Successful exploitation allows an attacker to execute arbitrary code.
- Solution
-
Users are advised to check CVE-2021-43905 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-43905
These new vulnerability checks are included in Qualys vulnerability signature 2.5.354-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 110396
- 110397
- 376161
- 376163
- 376164
- 376166
- 91843
- 91844
- 91845
- 91846
- 91847
- 91848
- 91850
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.