As you know, our usual Patch Tuesday tip comes down to four words: “Patch early, patch often.”
There were 56 recently reported vulnerabilities fixed in Microsoft’s patches this month, four of which could give attackers remote code execution (RCE).
Remote code execution is where innocent-looking data sent from outside your network can trigger a bug and take control of your computer.
Bugs that allow booby-trapped pieces of data to trick your computer into executing untrusted code are highly sought after by cybercriminals, as they typically allow crooks to break in and implant malware.
…without showing “are you sure” warnings, without the need for niceties like a username and password, and sometimes without even leaving obvious traces in your system logs.
With all of this in mind, the statistic “56 fixes, including 4 RCEs” signals more than enough risk to make patching promptly a priority.
In the wild
In addition to the four potential RCE holes mentioned above, there is also a fix for a bug called CVE-2021-1732 which is already being abused in the wild by hackers.
The situation where an attack is known before a patch is released is called a zero-day bug: the crooks got there first, so there was no day on which you could have patched to be ahead of them.
Fortunately, this zero day bug is not an RCE hole, so crooks cannot use it to gain access to your network in the first place.
Unfortunately, it is an elevation of privilege (EoP) bug in the Windows kernel itself, which means crooks who have already broken into your computer can almost certainly abuse the loophole to give themselves almighty powers.
Having crooks inside your network is bad enough, but if their network privileges are the same as a regular user’s, the damage they can do is often quite limited. (This is why your own sysadmins almost certainly no longer let you run with administrator rights, as they might have done in the 2000s.)
Ransomware criminals, for example, typically spend time at the start of their attack looking for an unpatched EoP bug that they can exploit to elevate themselves to the same power and authority as your own sysadmins.
If they can get domain admin rights, suddenly they’re on a par with your own IT department, so they can pretty much do whatever they want.
Intruders who gain access to an EoP exploit will likely be able to: access and map your entire network; change your security settings; install or remove any software of their choice from any computer; copy or modify any file of their choice; alter your system logs; find and destroy your online backups; and even create secret “backdoor” accounts that they can use to break in again if you find them this time and kick them out.
But that’s not all
If you are still not convinced to patch early, patch often, you can also read Microsoft’s special security bulletin titled Multiple Security Updates Affecting TCP/IP.
The three vulnerabilities listed in this bulletin have the uninteresting names CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086.
The bugs they represent, however, are very interesting.
Even though Microsoft admits that two of these could, in theory, be exploited for remote code execution (so they are 2 of the 4 RCE bugs mentioned above), that’s not what worries Microsoft most at the moment:
Both RCE vulnerabilities are complex, making it difficult to create functional exploits, so they are unlikely [to be abused] in the short term. We believe attackers will be able to create DoS exploits much faster, and anticipate that all three issues could be exploited with a DoS attack soon after release. So, we recommend that customers act quickly to apply Windows security updates this month.
DoS exploits for these CVEs would allow a remote attacker to cause a Stop error. Customers may receive a blue screen on any Windows system that is directly exposed to the Internet with minimal network traffic.
DoS, of course, is the abbreviation for denial of service – a type of vulnerability that is often downplayed as “last among equals” next to security vulnerabilities such as RCE and EoP.
Denial of service means exactly what it says: crooks cannot take control of a vulnerable service, software or system, but they can simply prevent it from working.
Unfortunately, these three DoSsable holes are low-level bugs in the Windows kernel driver tcpip.sys, and the vulnerabilities can, in theory, be tickled and triggered simply by your computer receiving inbound network packets.
In other words, just processing the packets in order to decide whether to accept and trust them in the first place could be enough to crash the targeted computer – which could, of course, be a critical internet server.
What to do?
Microsoft itself is warning you to prioritise these fixes if you apply your updates one by one, and has even offered scriptable workarounds for those who are still wary of the “patch early” principle:
It is essential that customers apply Windows updates to address these vulnerabilities as soon as possible. If applying the update quickly is not practical, workarounds are detailed in the CVEs that do not require restarting a server.
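One way to script those workarounds, as an added example that is not from the original article or from Microsoft: it applies (or, with -Revert, undoes) the netsh settings that Microsoft’s advisories for the three CVEs describe, as the editor recalls them, so check the values against the CVE pages before relying on them; the KB id is a placeholder.

```powershell
# Added example (editor's own, not the article's or Microsoft's code): apply or
# revert the no-reboot tcpip.sys workarounds. Run from an elevated PowerShell.
[CmdletBinding()]
param([switch]$Revert)

$isAdmin = ([Security.Principal.WindowsPrincipal] `
    [Security.Principal.WindowsIdentity]::GetCurrent()
  ).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw "Run this from an elevated PowerShell session." }

# Workaround values as recalled from the advisories (assumption: verify them):
#  - CVE-2021-24074: drop IPv4 source-routed packets outright rather than
#    processing them and answering with ICMP (default: dontforward).
#  - CVE-2021-24094 / CVE-2021-24086: disable IPv6 packet reassembly by
#    setting the reassembly limit to 0 (default: 267748640).
$settings = @(
    @{ Family = 'ipv4'; Name = 'sourceroutingbehavior'; Label = 'Source Routing Behavior';
       Workaround = 'drop'; Default = 'dontforward' },
    @{ Family = 'ipv6'; Name = 'reassemblylimit';       Label = 'Reassembly Limit';
       Workaround = '0';    Default = '267748640' }
)

foreach ($s in $settings) {
    $value = if ($Revert) { $s.Default } else { $s.Workaround }
    # Show the current value, change it, then show it again so the change is auditable.
    Write-Host ("Before: " + (netsh int $($s.Family) show global | Select-String $s.Label))
    netsh int $($s.Family) set global "$($s.Name)=$value" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh failed for $($s.Family) $($s.Name)" }
    Write-Host ("After:  " + (netsh int $($s.Family) show global | Select-String $s.Label))
}

# The workaround is a stopgap. Once the month's cumulative update is installed
# (replace KB_PLACEHOLDER with its id and confirm with Get-HotFix -Id KB_PLACEHOLDER),
# run this script again with -Revert to restore the defaults.
```

Disabling IPv6 reassembly breaks any application that legitimately relies on fragmented IPv6 traffic, which is one reason the workaround is only a bridge until the real patch is on.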
Despite the workarounds, we are with Microsoft here and we totally agree with the words essential and as soon as possible.
Don’t delay. Do it today!
JARGONBUSTER VIDEO: BUGS, VULNS, EXPLOITS AND 0-DAYS IN PLAIN ENGLISH