Zero-days under active exploit are keeping Windows users busy
It’s the second Tuesday of February, and that means Microsoft and other software makers are releasing dozens of updates to fix security vulnerabilities. Topping off this month’s list are two zero-days under active exploit and critical networking flaws that allow attackers to remotely execute malicious code or shut down computers.
The most important patch fixes a code-execution flaw in Adobe Reader, which despite its long-in-the-tooth status remains widely used for viewing and working with PDF documents. CVE-2021-21017, as the critical vulnerability is tracked, stems from a heap-based buffer overflow. After being tipped off by an anonymous source, Adobe warned that the flaw has been actively exploited in limited attacks that target Reader users running Windows.
Adobe didn’t provide additional details about the vulnerability or the in-the-wild attacks exploiting it. Typically, hackers use specially crafted documents sent by email or published online to trigger the vulnerability and execute code that installs malware on the device running the application. Adobe’s use of the word “limited” likely means that the hackers are narrowly focusing their attacks on a small number of high-value targets.
Microsoft, meanwhile, has issued a fix for a vulnerability in Windows 10 and Windows Server 2019 that’s also under active attack. The flaw, indexed as CVE-2021-1732, allows attackers to run their malicious code with elevated system rights.
Chain of exploits?
Hackers typically use these so-called elevation-of-privilege exploits alongside attack code that targets a separate vulnerability. The former will allow code execution while the latter ensures the code runs with privileges that are high enough to access sensitive parts of the operating system. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity Co. Ltd. with discovering and reporting the vulnerability.
In a blog post published after the vulnerability was patched, the DBAPPSecurity researchers said an advanced persistent threat hacker group called Bitter was exploiting the vulnerability in “a very limited number of attacks” against targets in China. The attackers could use it to escape the security sandbox when targets were using either Internet Explorer or Adobe Reader.
“The quality of this vulnerability [is] high and the exploit is sophisticated,” the researchers wrote. “The use of this in-the-wild zero-day reflects the organization’s strong vulnerability reserve capability. The threat organization may have recruited members with certain strength, or buying it from vulnerability brokers.”
The simultaneous patching of CVE-2021-21017 and CVE-2021-1732, their nexus to Windows, and the ability for CVE-2021-1732 to defeat an important Reader defense raise the distinct possibility that in-the-wild attacks are combining exploits for the two vulnerabilities. Neither Microsoft nor Adobe has provided details that confirm this speculation, however.
Microsoft on Tuesday published a security bulletin strongly urging users to patch three vulnerabilities in the Windows TCP/IP component, which is responsible for sending and receiving Internet traffic. CVE-2021-24074 and CVE-2021-24094 are both rated as critical and allow attackers to send maliciously manipulated network packets that execute code. Both flaws also allow hackers to launch denial-of-service attacks—as does a third TCP/IP vulnerability tracked as CVE-2021-24086.
The bulletin said that developing reliable code-execution exploits will be hard but that DoS attacks are much easier and hence likely to be exploited in the wild.
“The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term,” Tuesday’s bulletin said. “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”
The three vulnerabilities stem from a flaw in Microsoft’s implementation of TCP/IP and affect all supported versions of Windows versions. Non-Microsoft implementations aren’t affected. Microsoft said it identified the vulnerabilities internally.
In all, Microsoft patched 56 vulnerabilities across multiple products including Windows, Office, and SharePoint. Microsoft rated 11 of the vulnerabilities as critical. As usual, affected users should install patches as soon as practical. Those who can’t patch immediately should refer to workarounds listed in the advisories.
A word, too, about Adobe Reader. Adobe has devoted significant resources over the past few years to improving the security of the product. That said, Reader includes a bevy of advanced features that casual users rarely, if ever, need. These advanced features create the kind of attack surface that hackers love. The vast majority of computer users may want to consider a default reader that has fewer bells and whistles. Edge, Chrome, or Firefox are all suitable replacements.
Post updated to add details from DBAPPSecurity blog post.