Let us give thanks that this November, Microsoft has given us just 55 security fixes, two of which are for actively exploited flaws

Light load has infosec bods wondering what awaits next month


Patch Tuesday As the US season of giving thanks and turkey carnage approaches, let us reflect upon Microsoft's November Patch Tuesday, which has bestowed 55 CVEs and the promise of continued employment for the IT admins who have to clean up the recurring mess of software.

Only six of the vulnerabilities are considered "Critical," the rest are just "Important."

Affected applications include: 3D Viewer, Azure (including RTOS and Sphere), Dynamics, Edge, Exchange Server, Office, Power BI, Role: Windows Hyper-V, Visual Studio, Visual Studio Code, and multiple Windows components (including the Codecs Library).

It is a meager harvest compared to the 71 flaws flagged in October but more bountiful than the mere 44 vulnerabilities spotted in August.

Nonetheless, Microsoft watchers have concerns. "Historically speaking, 55 patches in November is a relatively low number," mused Zero-Day Initiative's Dustin Childs in a review of the bundle. "Last year, there were more than double this number of CVEs fixed."

Childs wonders whether there's a backlog of unreleased patches, given that the industry trend is toward more patches. A December deluge, perhaps? Tune in next month.

Four of the November bugs have already been publicly disclosed: 3D Viewer Remote Code Execution Vulnerabilities (CVE-2021-43209 and CVE-2021-43208); Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerabilities (CVE-2021-41371 and CVE-2021-38631).

Two are actively being exploited: Microsoft Exchange Server Remote Code Execution Vulnerability (CVE-2021-42321) and Microsoft Excel Security Feature Bypass Vulnerability (CVE-2021-42292).

Childs notes that while the Exchange flaw requires authentication, it should still be dealt with promptly.

And you may not have a choice if you work for Uncle Sam. "If you are a federal or government body in the US, you may also be bound by the recent CISA directive 22-01 that puts an emphasis on faster patching of exploits that are actively being used by attackers," said Kev Breen, director of cyber threat research at Immersive Labs, in an email to The Register. "This vulnerability – along with CVE-2021-42292 – would likely fall into that category."
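Directive 22-01 is enforced through CISA's Known Exploited Vulnerabilities (KEV) catalogue, which lists each CVE together with a remediation due date. The script below is an added example, not code from the article, Microsoft or CISA: it pulls the CVE identifiers out of a Patch Tuesday write-up (the snippet is built from this article's own text), checks them against a KEV-shaped catalogue, and reports how much of the remediation window is left. The catalogue entries are a constructed sample that assumes the real feed's field names (`cveID`, `product`, `dueDate`, and so on); the dates in it are illustrative, not CISA's.

```python
import json
import re
from datetime import date

# Added example (not from the article or from CISA): cross-check the CVEs a
# Patch Tuesday write-up names against a KEV-format catalogue and work out the
# BOD 22-01 remediation window for each one.

# Constructed from the article's own text: the six CVEs it names.
ARTICLE_SNIPPET = (
    "Four of the November bugs have already been publicly disclosed: "
    "CVE-2021-43209 and CVE-2021-43208; CVE-2021-41371 and CVE-2021-38631. "
    "Two are actively being exploited: CVE-2021-42321 and CVE-2021-42292."
)

# Constructed sample in the shape of CISA's KEV JSON feed. Assumption: the field
# names match the real feed; the dates here are illustrative, not CISA's.
SAMPLE_KEV_JSON = """
{
  "title": "Sample KEV catalogue (constructed)",
  "vulnerabilities": [
    {"cveID": "CVE-2021-42321", "vendorProject": "Microsoft", "product": "Exchange Server",
     "dateAdded": "2021-11-17", "dueDate": "2021-12-01",
     "requiredAction": "Apply updates per vendor instructions."},
    {"cveID": "CVE-2021-42292", "vendorProject": "Microsoft", "product": "Excel",
     "dateAdded": "2021-11-17", "dueDate": "2021-12-01",
     "requiredAction": "Apply updates per vendor instructions."}
  ]
}
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def extract_cves(text):
    """Return the unique CVE identifiers in free text, in first-seen order."""
    seen = []
    for cve in CVE_RE.findall(text):
        if cve not in seen:
            seen.append(cve)
    return seen


def load_kev(kev_json):
    """Index a KEV-format catalogue by CVE ID."""
    return {v["cveID"]: v for v in json.loads(kev_json)["vulnerabilities"]}


def triage(cve_ids, kev_index, today_iso):
    """For each CVE, say whether the directive applies and how much window is left.

    today_iso is an ISO date string (YYYY-MM-DD) so callers need not import date.
    """
    today = date.fromisoformat(today_iso)
    report = {}
    for cve in cve_ids:
        entry = kev_index.get(cve)
        if entry is None:
            # Not in the catalogue: patch on the normal cadence, no directive clock.
            report[cve] = {"in_kev": False}
            continue
        due = date.fromisoformat(entry["dueDate"])
        report[cve] = {
            "in_kev": True,
            "product": entry["product"],
            "due": entry["dueDate"],
            "days_left": (due - today).days,  # negative once the deadline has passed
            "overdue": today > due,
        }
    return report


if __name__ == "__main__":
    index = load_kev(SAMPLE_KEV_JSON)
    for cve, st in triage(extract_cves(ARTICLE_SNIPPET), index, "2021-11-20").items():
        if st["in_kev"]:
            print(f"{cve}: KEV-listed ({st['product']}), due {st['due']}, "
                  f"{st['days_left']} days left")
        else:
            print(f"{cve}: not in KEV; schedule under normal patch cadence")
```

In practice the catalogue would be fetched from CISA's published JSON feed rather than embedded; the logic is the same. The useful property is that the two actively exploited CVEs fall out with a deadline attached, while the four merely public ones do not.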

Microsoft has published further details for admins addressing the flaw.

As for the Excel security bypass, it's a bug that allows remote code execution if the victim opens a maliciously crafted file. Microsoft's patch fixes it, but not for macOS, said Childs.

The highest-rated bug in terms of severity is an OpenSSL decryption buffer overflow (CVE-2021-3711) that affects Visual Studio Code. It's a remote code execution flaw that gets a 9.8 out of 10.

On a related note, Microsoft has enhanced its reporting by expanding its use of the Common Vulnerability Scoring System (CVSS) to describe all disclosed flaws.

"The Microsoft Security Response Center has been scoring Windows and Browser vulnerabilities since 2016," the Windows giant explained in an online post. "Now we are scoring every vulnerability and displaying the details that make up that score in the new version of the Security Update Guide."

Beyond Microsoft

Enterprise biz SAP also had a slow patch day with only eight new and three revised fixes.

In a blog post, Onapsis security researcher Thomas Fritsch said the only flaw to qualify as "HotNews" – SAP's euphemism for "Critical" – is Security Note #3099776, which gets a CVSS score of 9.6. It's a privilege escalation flaw that affects the SAP ABAP (Advanced Business Application Programming) runtime environment Platform Kernel.

"The vulnerability affects trusted connections to other systems via RFC and HTTP communication, allowing the user to execute application-specific logic in other systems," explains Fritsch. "SAP optimistically labeled the CVSS vector of the vulnerability as low impact on availability despite the fact that a business user '... is able to read and modify data…' Due to the criticality and the impact on systems beyond the vulnerable system, we strongly recommend applying the corresponding kernel patch."

Adobe, after publishing 14 security bulletins covering 92 CVEs two weeks ago, appears to be spent and could only muster the energy to push out three bulletins – for RoboHelp Server, InCopy, and Creative Cloud, covering four CVEs.

RoboHelp Server for Windows is affected by a critical arbitrary code execution flaw; InCopy for Windows and macOS is affected by a critical arbitrary code execution flaw and an application denial-of-service bug; and the Creative Cloud Desktop Application for macOS is bedeviled by an application denial-of-service vulnerability.

At the beginning of the month, Google published patches for 39 CVEs affecting the Android Open Source Project and components from MediaTek and Qualcomm. One of these – CVE-2021-1048 – "may be under limited, targeted exploitation." It's a critical use-after-free flaw in the kernel. ®
