SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
New Microsoft Defender vulnerability should concern every enterprise - expert
Mon, 15th Nov 2021

A Microsoft Defender vulnerability fixed in this month's Patch Tuesday release is the most concerning of the batch, according to Virsec.

Microsoft reported a total of 55 vulnerabilities, six of which are rated critical, with the remaining 49 being rated important. The flaws are found in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.

Virsec principal architect Danny Kim says the CVE-2021-42298 vulnerability found in Microsoft Defender is the most concerning.

"With the Exploitability assessment of 'Exploitation more likely' + the severity score + the repeatability of this attack, I think this CVE should be top of mind for all enterprises," he says.

"Windows Defender runs on all supported versions of Windows. This vulnerability significantly increases the potential attack surface for today's organisations due to the popularity of Windows Defender," Kim explains.

"This CVE does require some user interaction, however, we have seen in the past how attackers can use social engineering/phishing emails to achieve such interaction fairly easily.

"CVE-2021-26443 is also a dangerous vulnerability that allows an attacker to escape a Virtual Machine (VM) and execute arbitrary code on the host itself," he says.

"VMs are popular today (especially amongst Windows users) as a way to deploy more than one Windows machine on the same physical host. VMs offer virtualisation protection so that anything running in the VM cannot escape and run on the physical host.

"This vulnerability, if exploited, allows an attacker to escape this virtualisation protection and access the physical host," says Kim.

"This means the attacker can inflict damage not only on the VM he/she infiltrated, but all VMs running on that physical host. Gaining access and having the ability to run arbitrary code on a physical host is one of the deepest levels of infiltration an attacker can achieve."

Some of the vulnerabilities resolved in this update include:

  • CVE-2021-42321: (CVSS:3.1 8.8 / 7.7). Under active exploit, this vulnerability impacts Microsoft Exchange Server and due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.
  • CVE-2021-42292: (CVSS:3.1 7.8 / 7.0). Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.
  • CVE-2021-43209: (CVSS:3.1 7.8 / 6.8). A 3D Viewer vulnerability made public, this bug can be exploited locally to trigger RCE.
  • CVE-2021-43208: (CVSS:3.1 7.8 / 6.8). Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution purposes.
  • CVE-2021-38631: (CVSS:3.0 4.4 / 3.9). Also made public, this security flaw, found in the Windows Remote Desktop Protocol (RDP), can be used for information disclosure.
  • CVE-2021-41371: (CVSS:3.1 4.4 / 3.9). Finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.