This week Microsoft released their last monthly security patch bundle for the year, fixing six zero-day vulnerabilities – and many other companies released security updates as well.
Microsoft Updates for December
This month Microsoft’s security bundle includes fixes for 67 vulnerabilities with six of them classified as zero-day – which means in Microsoft’s terms: that the vulnerability is either being actively exploited or has been publicly disclosed before an official fix is available. One vulnerability that has been seen to be actively exploited is in the Windows AppX installer. According to Microsoft the resurgent Emotet malware has been using this vulnerability (CVE-2021-43890) as an installation vector.
Also fixed are five publicly disclosed zero-day vulnerabilities:
CVE-2021-43240 – NTFS Set Short Name Elevation of Privilege Vulnerability
CVE-2021-41333 – Windows Print Spooler Elevation of Privilege Vulnerability
CVE-2021-43880 – Windows Mobile Device Management Elevation of Privilege Vulnerability
CVE-2021-43883 – Windows Installer Elevation of Privilege Vulnerability
CVE-2021-43893 – Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability
Log4j Vulnerability Updates
Many suppliers of java powered software and devices are scrambling to identify which of their products are impacted by the Log4j vulnerabilities disclosed earlier this month
VMware security advisory
Cisco also published a security advisory which provides details of products affected by the Log4j vulnerability and those which they have confirmed are not impacted.