This Tuesday marked the release of the last security updates from Microsoft for the year 2021. With December Patch Tuesday, Microsoft fixed 67 vulnerabilities, including a zero-day under attack and other critical bugs.
Serious Spoofing Vulnerability Under Attack
The most notable security fix from the Redmond giant this month is the patch for an AppX Installer vulnerability. Identified as CVE-2021-43890, Microsoft has categorized it as an important severity vulnerability that achieved a CVSS score of 7.1.
This spoofing vulnerability caught the attention of cyber criminals before receiving a fix. Microsoft has confirmed in its advisory that that bug is under attack.
We have investigated reports of a spoofing vulnerability in AppX installer that affects Microsoft Windows. Microsoft is aware of attacks that attempt to exploit this vulnerability by using specially crafted packages that include the malware family known as Emotet/Trickbot/Bazaloader.
Exploiting the bug merely requires an attacker to trick the user into opening a maliciously crafted package delivered via phishing. This attack severely affects devices running with admin users.
Other Notable December Patch Tuesday Fixes From Microsoft
Besides the zero-day, Microsoft has also fixed five other important severity bugs that became public before the fix. All these vulnerabilities would allow privilege escalation upon exploitation.
The affected components with these bugs include Windows Installer (CVE-2021-43883), Windows Mobile Device Management (CVE-2021-43880), Windows Print Spooler (CVE-2021-41333), Windows Encrypting File System (EFS) (CVE-2021-43893), and NTFS Set Short Name (CVE-2021-43240).
In addition, the updates address seven critical-severity remote code execution vulnerabilities affecting various components. Fortunately, all of these bugs remained under the radar to avoid exploitation.
Apart from these flaws, the December patches also address 54 other important severity vulnerabilities affecting different components. This month’s update bundle includes no fixes for low-severity bugs.
Since the patches are out, all Windows users must ensure updating their systems at the earliest to avoid any mishaps.