A Year in Microsoft Bugs: The Most Critical, Overlooked & Hard to Patch

Published: 23/11/2024   Category: security


Severe flaws in Microsoft Exchange and Windows Print Spooler stood out amid a wide range of vulnerabilities security teams were forced to prioritize in 2021.



In a year bookended by the late-2020 SolarWinds supply chain attack and the widespread Log4j vulnerability, security teams have consistently juggled and prioritized an ongoing wave of threats. And between those, they have a monthly Patch Tuesday update to contend with.
While Microsoft patched fewer vulnerabilities in 2021 than in 2020, the company fixed 883 bugs in 2021, says Aanchal Gupta, vice president of the Microsoft Security Response Center. Some of these resulted in widespread exploitation; some merited greater attention, and as a group, many reflect trends and patterns that security teams should note in the year ahead.
Among the most memorable vulnerabilities, disclosed and patched in March 2021, were those existing in on-premises versions of Microsoft Exchange Server. At the time it reported the vulnerabilities, Microsoft said these were used in limited and targeted attacks conducted by a group called Hafnium, which officials said is state-sponsored and operates out of China.
It didn't take long for the security community to report there were likely multiple threat groups behind a wave of malicious activity targeting Exchange Servers. What had been low and slow activity quickly escalated into a lot of noise, with tens of thousands of organizations affected. "That snowballed really quickly," says Kevin Breen, director of cyber-threat research at Immersive Labs, about the Exchange Server attacks. Within weeks of the advanced persistent threat groups exploiting the vulnerabilities, cybercrime groups began to adopt it as well.
In addition to releasing patches, Microsoft at the time produced an additional series of security updates to be applied to some older and unsupported cumulative updates. It was necessary in this case, but Gupta notes "we don't prefer doing it as it discourages customers from patching."
"Threat actors like Hafnium, they are sophisticated," says Gupta. "They are doing the scans; they are going to go after anyone who is not patching in time."
But patching was tricky for many organizations. Some were running old versions of Exchange Server and didn't have an IT team to patch; some weren't ready to patch. The company released a mitigation tool, which Gupta describes as a script containing five steps businesses could use to protect themselves.
A Nightmare for Security Teams
Security teams later learned of PrintNightmare, a remotely exploitable bug affecting all versions of Windows. It exists in the Windows Print Spooler service, which acts as an interface between the OS and a printer and handles tasks such as loading printer drivers and ordering print jobs. The flaw could enable authenticated attackers to gain system-level access on vulnerable systems — which also include Active Directory admin servers and core domain controllers — and let them run code, download malware, create new user accounts, or view, change, and delete data.
But the PrintNightmare patch had its own issues, notes Dustin Childs, head of communications for Trend Micro's Zero-Day Initiative. "It was not just that the problem was severe and wide-ranging — because it certainly was — but the fixes also had their problems … fix after fix came out."
And because some fixes didn't solve all the problems, it became an ongoing concern. After its initial disclosure of the vulnerability, Microsoft released a new CVE and workarounds for it.
Childs goes back and forth on whether the Exchange Server flaws or PrintNightmare was more severe. Ultimately, he says, the Exchange Server bugs have a broader impact that could last for years to come.
"We still don't know exactly how wide that impact was, and it's very likely there's still a lot of Exchange Servers out there that are unpatched, because it's so difficult to patch Exchange," Childs explains. This is especially true for medium-sized businesses running Exchange Server on-premises: the mentality of "it's still working, don't touch it" exists because employees fear it might break or there may be an issue with the patch.
More Vulns in the Spotlight
While the Exchange Server and PrintNightmare vulnerabilities stood out most, they weren't the only bugs security teams worried about this year. Virsec CTO Satya Gupta pointed to CVE-2021-31166, a remote code execution (RCE) vulnerability in the HTTP Protocol Stack for Microsoft Internet Information Services, as a standout flaw with a CVSS 3.0 score of 9.8 and considered wormable.
Another was CVE-2021-28476, an RCE bug in Hyper-V that allows a guest virtual machine to force the Hyper-V host's kernel to read from an arbitrary and potentially invalid address. "Every Azure box runs with Hyper-V in it," Virsec's Gupta explains. "If there's a vulnerability in Hyper-V, it makes everybody's box become a problem. Everybody's box becomes vulnerable."
Compounding the problem of this flaw was the availability of proof-of-concept code, he notes. "This makes for a really, really nasty situation" because attackers can access the proof of concept before a patch is applied, presenting a greater risk to vulnerable organizations.
Sometimes a vulnerability won't generate much attention when it's first disclosed but becomes a more urgent situation later. Such was the case with CVE-2021-42287, an elevation of privilege vulnerability in Active Directory Domain Services, Immersive Labs' Breen says. This was patched in November and classified as "exploitation less likely" by Microsoft; just last week, proof-of-concept exploit code was published online.
He points to four vulnerabilities in Open Management Infrastructure (OMI), collectively dubbed OMIGOD by the Wiz researchers who found them, as notable bugs in 2021. OMI is a widely used but little-known software agent embedded in many commonly used Azure services, and most organizations using Azure were affected. One was RCE; three were privilege escalation.
Childs points to local privilege escalation as a category of vulnerability that is often overlooked but which merits closer attention from security teams. Many of these have appeared in various Windows components, get wrapped up into malware, and then get exploited, he says. While local privilege escalation isn't very exciting on its own, these flaws can become "absolutely effective" in taking over someone's system when they're combined with other vulnerabilities, he adds.
"It's one of those things where we need to make sure we're focusing on finding and fixing the bugs that are getting used, and LPE bugs are getting used by the bad guys, so we need to make sure we take care of those," he says. Even the bugs that aren't critical, or have a lower CVSS score, can pose a threat if an attacker wants to take over a system.
Breen also highlights this trend, noting that privilege escalation vulnerabilities were a core part of many attacks that have happened in the past year. Many attackers won't use an RCE flaw, instead opting for social engineering, brute-forcing RDP, or phishing to gain user access.
"Those things are really critical, because you can't always protect against the zero-day RCE, but there's a lot you can do to protect users and mitigate privilege escalation attacks," he adds.
An Evolving Challenge for Defenders
There are a few trends in patching that may pose a challenge to security teams in months and years ahead. Childs points to what he calls the "patch gap" as an example: A patch will become available for product A, but other products consuming product A aren't rolling out that patch — "at a reasonable rate, or at all," he says.
He points to Google Chrome as an example. "I'm seeing a lot more bugs come through Chrome than we've seen in years past," Childs says. While Chrome has a reputation for being a secure browser, he notes people might overlook the number of products running on Chromium. "How long is it before everything based on Chrome absorbs those patches and then they're protected as well?" he adds. A delay between a Chrome update release and Edge Chromium rolling out an update could pose a risk.
The same issue exists with open source libraries. A library could release an update, but everything that consumes the library may not be updated, depending on how closely they're paying attention. The impact of this issue may vary, depending on the products, he says.
The patch gap has become more prevalent, and people are finally starting to understand there are shared resources that aren't being closely monitored, Childs adds. Organizations should monitor the libraries they're importing to be sure updates are consumed, though it is difficult to follow through on everything that needs to be patched.
Which leads to another problem in enterprise security: Many IT and security teams dont know how many patches they need to roll out because of the high volume and range of products they use. There is no centralized location that lists all products and services to be updated; they fear automatic updates will break things; and teams are often underfunded and under pressure.
The problems of patch management are going to grow even further, Childs says.
Another trend to watch is the increase in attention paid to specific products and services after a bug is released, Breen notes. Once a major bug appears, and especially if it's under attack, the following months will bring additional flaws patched in the same products. "It does draw a focus," he says. Researchers believe if there is one problem, there will probably be more. This happened in the months following the Exchange Server and PrintNightmare vulnerabilities.
While the number of patches released dropped this year, Microsoft's Gupta says there is more work to be done in 2022. The supply chain risk is here to stay, she says, and we will continue to see more and more bugs organizations need to address. Working with partners in the security community has been helpful, especially through Microsoft's bug bounty program, which Gupta says has paid close to $13 million to $14 million in bug bounties to more than 300 researchers.
Internally, something that has proven valuable is pausing to reflect after incidents to see how things can be improved. Gupta adds: "We are always looking at ways to prevent that issue from happening ever again."