Any way you look at it, Microsoft is having a terrible year when it comes to security. And even as we approach 2022, the headlines keep on coming. Most recently, news broke about a Windows installer flaw that seems to affect every single version of Windows, including the fully patched Windows Server 2022.
By mid-2021, well over 1,200 vulnerabilities had been discovered in MS products, with Windows topping the list.
Why is Microsoft under attack? There are a few possible reasons.
First, they’re just plain big: Windows is the dominant desktop OS, with 73% market share, and also has a not-insignificant share of the server OS market, at 21%. Second, their products are ubiquitous. Almost every organization is running at least some Microsoft systems or applications; some are heavily locked into suites such as Office 365 and Teams, which managed to overtake previous team productivity leader Slack in only three years.
On top of these two factors, Microsoft is under the same pressure as other software businesses, including fast release cycles with less testing prior to release. And this is what puts your business at risk.
Let’s take a look at some of the biggest Microsoft vulnerabilities of the year and how you can make sure your organization stays protected.
Most of this year’s big Microsoft vulnerabilities involve remote code execution (RCE). This includes PrintNightmare, a print spooler vulnerability found across all Windows versions.
As an RCE vulnerability, PrintNightmare gives attackers the ability to run commands or code on the target machine. RCE vulnerabilities are among the most dangerous because, if exploited, you can completely lose control of your applications or data. That, in turn, leaves you open to data leaks and/or ransom demands—with the reputation damage that ensues.
But just when we thought the print spooler problems were over… along came MysterySnail. The name may sound cute, and it’s not an RCE vulnerability like PrintNightmare, but as a remote access Trojan (RAT) that gains access through the Windows print spooler, it’s a lot more serious than you might think.
MysterySnail allows attackers to escalate privileges to gain administrator access. Like most escalation of privilege attacks, MysterySnail is most valuable to attackers when it’s combined with RCE and/or social engineering attacks. For instance, users might be sent a lure in an email or compromised site leading them to execute the Trojan installer.
Microsoft MSHTML (MS Office Remote Code Execution Flaw) (CVE-2021-40444)
The Microsoft MSHTML vulnerability, another RCE vulnerability with a severity level of 8.8 (out of 10), reportedly applies mainly to Microsoft Office and Office 365.
Zero-day attacks exploiting this vulnerability began in September 2021, with attackers taking advantage of it to execute Cobalt Strike Beacon on target endpoints. Beacon is a well-known penetration-test product that’s become hugely popular among large hacker organizations, including advanced persistent threats (APTs) and nation-state actors.
Since Cobalt Strike Beacon can exist undetected in the system for extended periods (dwell time), it leaves systems open to attack at any time while potentially collecting a wealth of information from inside your network through port scanning, keylogging, and more.
For optimal protection against the Microsoft MSHTML vulnerability, install the relevant MS patches.
If you are temporarily unable to patch, protect yourself with the following workarounds:
- Open online documents in protected view or using Application Guard for Office.
- Disable ActiveX controls in IE via Group Policy.
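The second workaround can be applied directly on a host that is not yet receiving the Group Policy change. The PowerShell below is an added example, not code from the original post or from Microsoft; it assumes the registry location and the ActiveX-download policy values (1001 signed, 1004 unsigned, 3 = disable) from Microsoft's published CVE-2021-40444 workaround, and the `-Revert` switch is this example's own addition for undoing the change once the patch is installed.

```powershell
# Added example (not from the original post): writes the policy values that
# disable ActiveX control downloads in all four Internet Explorer zones, which
# is the registry form of the CVE-2021-40444 Group Policy workaround.
# Assumed from Microsoft's advisory: value 1001 = download signed ActiveX,
# value 1004 = download unsigned ActiveX, data 3 = disabled. Run elevated.
#Requires -RunAsAdministrator
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Revert   # remove the policy values again after the real patch is installed
)

$base  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$names = '1001', '1004'
$zones = 0..3            # 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet

foreach ($zone in $zones) {
    $key = Join-Path $base $zone
    if (-not $Revert -and -not (Test-Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create policy key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }
    foreach ($name in $names) {
        $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        if ($Revert) {
            if ($null -ne $current -and $PSCmdlet.ShouldProcess("$key\$name", 'Remove policy value')) {
                Remove-ItemProperty -Path $key -Name $name
            }
            continue
        }
        if ($current -eq 3) { Write-Verbose "$key\$name is already 3 (disabled)"; continue }
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set to 3 (disable ActiveX download)')) {
            New-ItemProperty -Path $key -Name $name -Value 3 -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report the resulting state per zone so the change can be verified and audited.
foreach ($zone in $zones) {
    $p = Get-ItemProperty -Path (Join-Path $base $zone) -ErrorAction SilentlyContinue
    [pscustomobject]@{ Zone = $zone; SignedActiveX = $p.'1001'; UnsignedActiveX = $p.'1004' }
}
```

Run with `-WhatIf` first to see which values would change; the setting only blocks new ActiveX downloads, so controls already installed on the machine are unaffected.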
This serious vulnerability in Office 365 is a good reminder to familiarize yourself with security for all your SaaS applications, particularly Microsoft’s shared responsibility model, where your IT department is responsible for security, data backup, and more.
Windows Installer Flaw (CVE-2021-41379)
While Microsoft released a patch almost immediately upon discovery of this vulnerability, it is still being widely exploited. ZDNet reports that according to Cisco vulnerability researchers, it can even be exploited after installation of the patch.
That means the best way to protect yourself—for now—is to harden your security posture in other ways, such as by careful network monitoring. Ensure that nobody except trusted users has access to your systems, as a user must be logged in for this vulnerability to be exploited. And make sure you have systems in place to automate the new patch rollout the minute it’s available.
Beyond patching, you should also ensure you have other cyber risk management components, such as appropriate malware tools and a backup plan.
Additionally, this may be a good time to educate all users in your network to be fully aware of security best practices, particularly social engineering tactics. Remind users to not open files that download automatically from websites, attachments to email messages, or files arriving via social media or IM unless they are expected and from a known, trusted sender.
Keeping Your Organization Safe
Obviously, this isn’t a comprehensive list of security flaws and vulnerabilities in Microsoft products for this year. New vulnerabilities are popping up all the time. For example, problems have also been found in Microsoft Exchange Server that are being actively exploited in the wild.
It’s important to realize that many vulnerabilities affecting Microsoft products are zero-days, like the MSHTML vulnerability. This means they are exploited before the vulnerability is discovered—and before Microsoft has a chance to release a patch.
That’s because hackers often take a “smash and grab” approach to zero-days, choosing vectors that will cause as much damage in as short a time as possible. Windows and other Microsoft software provide an ideal way to do that.
Even though Microsoft’s security team is very responsible and quick to patch—even releasing “out of band” patches for the most urgent fixes—it can be very difficult for organizations to keep up and to know which vulnerabilities may impact their highest-value assets and endpoints.
Patching strategically is also next to impossible given that the prioritization of patches released by Microsoft may not reflect your organization’s priorities, such as asset criticality, particularly given that the vast majority of MS’ CVE releases are rated important or critical.
Most organizations still don’t have a strategy that keeps them fully protected against zero-days. Under 50% are able to apply patches within the 72 hours that experts recommend, and as many as 15% remain unpatched even after 30 days. While mitigations are sometimes available until you can get around to patching, they are far from ideal. The best approach to protecting yourself is a comprehensive patching solution that brings down your overall time to remediation (TTR).
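To turn the prioritization argument and the 72-hour window into something measurable, the PowerShell below is an added example (not from the original post or from JetPatch): it scores each missing patch by vendor severity, asset criticality and known exploitation, and computes time to remediation (TTR) against the SLA, counting still-open patches as a running clock. The inventory, host names, dates and the weights in the score are constructed for illustration.

```powershell
# Added example (not from the original post): TTR and prioritization over a
# constructed patch inventory. Field names, assets and dates are made up.
$slaHours = 72
$asOf = [datetimeoffset]::Parse('2021-12-01T00:00:00Z').UtcDateTime   # fixed "now" for reproducible output

# Constructed records, one row per (asset, patch). Installed is empty while the patch is still missing.
$records = @'
Asset,Criticality,Severity,Exploited,Released,Installed
dc01,high,critical,yes,2021-11-09T18:00:00Z,2021-11-10T02:00:00Z
web02,high,important,yes,2021-11-09T18:00:00Z,2021-11-15T09:00:00Z
lab07,low,critical,no,2021-11-09T18:00:00Z,
'@ | ConvertFrom-Csv

function Get-PatchTtr {
    param([object[]]$Rows, [datetime]$AsOf, [int]$SlaHours)
    foreach ($r in $Rows) {
        $released  = [datetimeoffset]::Parse($r.Released).UtcDateTime
        $installed = if ($r.Installed) { [datetimeoffset]::Parse($r.Installed).UtcDateTime } else { $null }
        $end = if ($installed) { $installed } else { $AsOf }     # open patches keep accruing TTR
        $ttr = [math]::Round(($end - $released).TotalHours, 1)
        # Vendor rating alone does not order the work: weight it by how much the
        # asset matters to you and by whether exploitation in the wild is known.
        $score = @{critical = 3; important = 2; moderate = 1; low = 0}[$r.Severity] +
                 @{high = 3; medium = 2; low = 1}[$r.Criticality] +
                 $(if ($r.Exploited -eq 'yes') { 3 } else { 0 })
        [pscustomobject]@{
            Asset     = $r.Asset
            Priority  = $score
            Status    = if ($installed) { 'patched' } else { 'open' }
            TtrHours  = $ttr
            WithinSla = ($ttr -le $SlaHours)
        }
    }
}

$report = Get-PatchTtr -Rows $records -AsOf $asOf -SlaHours $slaHours | Sort-Object Priority -Descending
$report | Format-Table -AutoSize
$pct = 100 * @($report | Where-Object WithinSla).Count / @($report).Count
'Patched within {0}h: {1:N0}% of records' -f $slaHours, $pct
```

With the constructed rows only dc01 lands inside the window, so the script reports 33%; lab07 sits lowest in priority despite its critical vendor rating because the asset itself is low-criticality and not known-exploited.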
JetPatch is a modern patching platform that offers you a full response to vulnerability detection and remediation. JetPatch keeps you continuously on guard against vulnerabilities, including zero-days, in Microsoft and other vendors’ software by:
- Giving you a clear picture of all your assets, with prioritization
- Implementing automation to eliminate hassles and headaches
- Providing intelligent prediction to increase the odds of patch success
If you’re running Microsoft products—and you probably are—chances are, the vulnerabilities discussed here affect YOU.
The best way to protect yourself is with a proactive patch strategy that starts with trying out JetPatch for free. Find out how simple it can be to roll out the most urgent patches across your entire environment.