Microsoft Patch Tuesday, December 2021-Krebs on Security Issues

Microsoft, Adobe, and Google all released security updates for their products today. The Microsoft patches include six previously disclosed security vulnerabilities, one of which has been actively exploited. But this month’s Patch Tuesday was overshadowed by “Log4Shell,” a 0day exploit in a popular Java library: with the vulnerability being widely exploited, web server administrators are now racing to find and patch the library.

Log4Shell is the name given to a vulnerability in a library named “log4j,” which is included in a large number of Java applications. The publicly released exploit code allows an attacker to force a server running the vulnerable log4j library to execute commands, such as downloading malware or opening a backdoor connection with the server.

According to researchers at Lunasec, many, many services are vulnerable to this attack.

“Vulnerabilities have been found in cloud services such as Steam, Apple iCloud, and applications such as Minecraft,” Lunasec wrote. “Anyone who uses Apache Struts may be attacked. We saw similar vulnerabilities being exploited in the 2017 Equifax data breach and other breaches. An extensive list of responses from affected organizations has been compiled here.”

“If you run a server built on open source software, you are likely to be affected by this vulnerability,” said Dustin Childs of Trend Micro’s Zero Day Initiative. “Contact all vendors in your business to see if they are affected and what patches are available.”

Part of the difficulty in fixing Log4Shell lies in identifying all vulnerable web applications, said Johannes Ullrich, an incident handler and blogger for the SANS Internet Storm Center. “Log4Shell will continue to haunt us in the next few years. Dealing with log4shell will be a marathon,” Ullrich said. “Just treat it like this.” SANS has a good walkthrough of how easy and powerful the exploit is.

John Hultquist, vice president of intelligence analysis at Mandiant, said that the company has seen the use of the log4j vulnerability by Chinese and Iranian state actors, and that the Iranian actors are particularly aggressive, participating in ransomware operations that may be conducted mainly for destructive purposes rather than economic benefit.

“We expect other national actors will do the same, or are prepared to do so,” Hultquist said. “We believe that these participants will work quickly to establish a foothold in the ideal network for follow-up activities, which may continue for some time. In some cases, they will work from a wish list of goals that existed long before this vulnerability became publicly known. In other cases, the ideal goal may be selected after extensive positioning.”

Researcher Kevin Beaumont offered a more relaxed view of Log4Shell via Twitter:

“Basically, the perfect ending for cybersecurity in 2021 is a 90s-style Java vulnerability in an open source module. The vulnerability was written by two volunteers without funding and used by a large cybersecurity vendor until the Minecraft chat was breached. It was discovered that no one knew how to respond correctly.”

Six vulnerabilities that Microsoft resolved today received its most dire “critical” rating, which means that malware or criminals can use these vulnerabilities to take complete remote control of vulnerable Windows systems without any help from users.

The Windows flaw that has been actively exploited is CVE-2021-43890, a “spoofing” bug in the Windows AppX installer on Windows 10. Microsoft stated that it is aware of attempts to exploit this vulnerability with specially crafted packages to plant malware families such as Emotet, Trickbot and BazaLoader.

Kevin Breen, director of threat research at Immersive Labs, says CVE-2021-43905 stands out in this month’s patch batch.

“Not only because of its high CVSS score of 9.6, but also because it is called ‘more likely to be exploited,’” Breen observes.

Microsoft also patched CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer.

“This seems to be a patch for a bypass of CVE-2021-41379, another privilege escalation vulnerability in Windows Installer that was reportedly fixed in November,” Satnam Narang of Tenable pointed out. “However, the researchers found that the repair was incomplete and published a proof of concept at the end of last month.”

Google released five security fixes for Chrome, one of them rated as severe and three others rated as high severity. If you use the Chrome browser, watch for an “Update” label to the right of the address bar. If you have not closed your browser for a while, you may see the “Update” button change from green to orange and then to red. Green means an update has been available for two days; orange means four days have passed, and red means your browser is a week or more behind on important updates. Close and restart the browser completely to install any pending updates.

In addition, Adobe issued patches to correct more than 60 security vulnerabilities in a series of products, including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.

Standard disclaimer: Before updating Windows, please make sure you have backed up your system and/or important files. It is not uncommon for a Windows update package to wreck a system or prevent it from starting normally, and some updates are known to erase or damage files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do this, whether on a per-file/folder basis, or by making a complete and bootable copy of your hard drive all at once.

If you want to make sure that Windows is set to pause updates so that you can back up your files and/or system before the operating system decides to restart and install patches on its own schedule, please refer to this guide.

If you encounter a glitch or problem while installing any of these patches this month, please consider posting a comment below; other readers are likely to have experienced the same thing and may provide useful tips here.

Supplementary reading:

The SANS ISC lists each Microsoft vulnerability patched today, indexed by severity and affected component.


