December 2021: Microsoft Patches 74 Security Vulnerabilities

Microsoft patched 74 unique security vulnerabilities in December 2021, including six zero-day exploits. We analyzed these weaknesses and spotlighted the most important vulnerabilities that ought to be fixed on priority.

Microsoft Patches – Overview

This December, Microsoft patched 74 vulnerabilities discovered in 2021.

  • The number of CVEs classified as remote code execution bugs: 26

  • The number of CVEs with privilege escalation capabilities: 22

  • The number of CVEs linked to information disclosure: 10

  • The number of CVEs with denial-of-service capabilities: 3

  • The number of CVEs with spoofing possibilities: 7

Five of these bugs are listed as publicly known, and one is listed as being publicly exploited.

Zero-Days

Microsoft had released fixes for six zero-day vulnerabilities this month.

CVE-2021-43890 is a zero-day spoofing vulnerability in Windows AppX Installer, issued a CVSS severity score of 7.1 (High), and is publicly known and under exploitation. According to Microsoft, it has been linked to attacks tied to the Emotet/TrickBot/BazaLoader malware families. An attacker would need to force a user to open a malicious attachment to exploit this vulnerability, which would most likely be done through a phishing attack.

For those who have not been able to install a patch, Microsoft has provided a few workarounds.

Severity Scores

CWE Analysis

When analyzing these vulnerabilities based on the Common Weakness Enumeration (CWE) categorization, 19 CVEs carry a CWE of CWE-269 (Improper Privilege Management) that falls under 2021 CWE Top 30 Most Dangerous Software Weaknesses. On the whole, 25 CVEs have not been assigned a CWE Identifier yet.

Product Analysis

The December patch package influences the following products: Microsoft Azure, the Chromium-based Edge browser, and Microsoft Office, as well as associated products such SP.NET Core and Visual Studio, Microsoft PowerShell, Windows Codecs Library, Remote Desktop Client, Windows Hyper-V, Visual Studio Code, Windows Installer, Windows Encrypting file system, Windows Kernel, Windows Media, Windows NTFS, Windows Print Spooler Components, and Windows Mobile Device Management. Windows products received a fix for 21 vulnerabilities.

Table: Microsoft December Patches 2021

Microsoft fixed a total of 887 CVEs this year, a 29% drop from 2020. We recommend prompt patching in all circumstances, and priority should be given to the critical and zero-day bugs.

Share This Post On