December 14, 2021

Microsoft, Adobe, and Google all issued security updates to their products today. The Microsoft patches include six previously disclosed security flaws, and one that is already being actively exploited. But this month’s Patch Tuesday is overshadowed by the “Log4Shell” 0-day exploit in a popular Java library that web server administrators are now racing to find and patch amid widespread exploitation of the flaw.

Log4Shell is the name picked for a critical flaw disclosed Dec. 9 in the popular logging library for Java called “log4j,” which is included in a huge number of Java applications. Publicly released exploit code allows an attacker to force a server running a vulnerable log4j library to execute commands, such as downloading malicious software or opening a backdoor connection to the server.

According to researchers at Lunasec, many, many services are vulnerable to this exploit.

“Cloud services like Steam, Apple iCloud, and apps like Minecraft have already been found to be vulnerable,” Lunasec wrote. “Anybody using Apache Struts is likely vulnerable. We’ve seen similar vulnerabilities exploited before in breaches like the 2017 Equifax data breach. An extensive list of responses from impacted organizations has been compiled here.”

“If you run a server built on open-source software, there’s a good chance you are impacted by this vulnerability,” said Dustin Childs of Trend Micro’s Zero Day Initiative. “Check with all the vendors in your enterprise to see if they are impacted and what patches are available.”

Part of the difficulty in patching against the Log4Shell attack is identifying all of the vulnerable web applications, said Johannes Ullrich, an incident handler and blogger for the SANS Internet Storm Center. “Log4Shell will continue to haunt us for years to come. Dealing with log4shell will be a marathon,” Ullrich said. “Treat it as such.” SANS has a good walk-through of how simple yet powerful the exploit can be.
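The identification problem Ullrich describes is mostly an inventory problem: log4j-core rarely sits where a package manager can see it, but inside WARs and fat JARs. The scanner below is an added example (not code from the article or from any vendor it quotes) that walks a directory, opens every JAR/WAR/EAR, recurses into nested archives, reads the version recorded in log4j-core's own Maven `pom.properties`, and flags anything older than 2.16.0, the release that closes both CVE-2021-44228 and CVE-2021-45046; the sample tree it scans is constructed for the demonstration.

```python
import io, os, re, tempfile, zipfile
POM_NAME = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"  # shipped in log4j-core
ARCHIVES = (".jar", ".war", ".ear")
FIXED = (2, 16, 0)  # first release closing both CVE-2021-44228 and CVE-2021-45046

def inspect_archive(data, name, depth=0):
    """Yield (location, version tuple) for each log4j-core in an archive, recursing into nested ones."""
    if not zipfile.is_zipfile(io.BytesIO(data)):
        return  # an entry named .jar that is not a zip is skipped, not fatal
    zf = zipfile.ZipFile(io.BytesIO(data))
    for info in zf.infolist():
        if info.filename == POM_NAME:  # Maven metadata: its version= line is the reliable source
            m = re.search(rb"^version=(\d+)\.(\d+)\.(\d+)", zf.read(info), re.M)
            if m:
                yield name, tuple(int(x) for x in m.groups())
        elif info.filename.lower().endswith(ARCHIVES) and depth < 5:  # fat JARs, WEB-INF/lib
            yield from inspect_archive(zf.read(info), f"{name}!{info.filename}", depth + 1)

def scan_tree(root):
    """Walk root; return sorted [(location, 'x.y.z', needs_patch)] for every copy found."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files if f.lower().endswith(ARCHIVES)):
            with open(path, "rb") as fh:
                found = list(inspect_archive(fh.read(), path))
            hits += [(w, ".".join(map(str, v)), v < FIXED) for w, v in found]
    return sorted(hits)

def zip_bytes(entries):
    """In-memory archive from {name: str|bytes}; used only to build constructed fixtures."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

def build_sample_tree(root):
    """Constructed sample: an unpatched JAR under lib/ and a WAR nesting a patched one."""
    core = lambda v: zip_bytes({POM_NAME: f"version={v}\nartifactId=log4j-core\n"})
    os.makedirs(os.path.join(root, "lib"))
    with open(os.path.join(root, "lib", "log4j-core-2.14.1.jar"), "wb") as f:
        f.write(core("2.14.1"))
    with open(os.path.join(root, "app.war"), "wb") as f:
        f.write(zip_bytes({"WEB-INF/lib/log4j-core-2.16.0.jar": core("2.16.0")}))

def demo():
    """Scan the constructed tree; returns [(version, needs_patch), ...] sorted by path."""
    with tempfile.TemporaryDirectory() as d:
        build_sample_tree(d)
        return [(ver, bad) for _, ver, bad in scan_tree(d)]
```

On a real host, point `scan_tree` at application, container-image and vendor-appliance directories; a copy reported as needing a patch is also the hint to check that vendor's advisory rather than swapping the JAR blindly.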

John Hultquist, vice president of intelligence analysis at Mandiant, said the company has seen Chinese and Iranian state actors leveraging the log4j vulnerability, and that the Iranian actors are particularly aggressive, having taken part in ransomware operations that may be primarily carried out for disruptive purposes rather than financial gain.

“We anticipate other state actors are doing so as well, or preparing to,” Hultquist said. “We believe these actors will work quickly to create footholds in desirable networks for follow-on activity, which may last for some time. In some cases, they will work from a wish list of targets that existed long before this vulnerability was public knowledge. In other cases, desirable targets may be selected after broad targeting.”

Researcher Kevin Beaumont had a more lighthearted take on Log4Shell via Twitter:

“Basically the perfect ending to cybersecurity in 2021 is a 90s style Java vulnerability in an open source module, written by two volunteers with no funding, used by large cybersecurity vendors, undetected until Minecraft chat got pwned, where nobody knows how to respond properly.”

The Cybersecurity and Infrastructure Security Agency (CISA) has joined with the FBI, National Security Agency (NSA) and partners abroad in publishing an advisory to help organizations mitigate Log4Shell and other Log4j-related vulnerabilities.

A half-dozen of the vulnerabilities addressed by Microsoft today earned its most dire “critical” rating, meaning malware or miscreants could exploit the flaws to gain complete, remote control over a vulnerable Windows system with little or no help from users.

The Windows flaw already seeing active exploitation is CVE-2021-43890, which is a “spoofing” bug in the Windows AppX installer on Windows 10. Microsoft says it is aware of attempts to exploit this flaw using specially crafted packages to implant malware families like Emotet, Trickbot, and BazaLoader.

Kevin Breen, director of threat research for Immersive Labs, said CVE-2021-43905 stands out in this month’s patch batch.

“Not only for its high CVSS score of 9.6, but also because it’s noted as ‘exploitation more likely’,” Breen observed.

Microsoft also patched CVE-2021-43883, an elevation of privilege vulnerability in Windows Installer.

“This appears to be a fix for a patch bypass of CVE-2021-41379, another elevation of privilege vulnerability in Windows Installer that was reportedly fixed in November,” Satnam Narang of Tenable points out. “However, researchers discovered that fix was incomplete, and a proof-of-concept was made public late last month.”

Google issued five security fixes for Chrome, including one rated critical and three others with high severity. If you’re browsing with Chrome, keep a lookout for when you see an “Update” tab appear to the right of the address bar. If it’s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.

Also, Adobe issued patches to correct more than 60 security flaws in a slew of products, including Adobe Audition, Lightroom, Media Encoder, Premiere Pro, Prelude, Dimension, After Effects, Photoshop, Connect, Experience Manager and Premiere Rush.

Standard disclaimer: Before you update Windows, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.

Additional reading:

SANS ISC listing of each Microsoft vulnerability patched today, indexed by severity and affected component.


32 thoughts on “Microsoft Patch Tuesday, December 2021 Edition”

  1. My Company Tech

    I totally disagree with your comment that “It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.” Considering the millions of Windows systems around the globe, it’s VERY uncommon for an update to cause problems. Just because a few users have issues doesn’t mean there’s a major problem. In fact, it’s very uncommon to have issues when using Windows Update. I have been a technician for 30 years, and remember the days of failed updates in the 2000’s. We’re not there and Windows 10/11 don’t seem to have these issues unless you have some weird combination of issues and likely messed with your system by editing the registry.

    Don’t be afraid to update your systems, and you should ALWAYS back up your system/files, not just when doing updates.

    1. an_n

      Your definition of uncommon is not everyone’s. When you’re impacted it’s a sample size of 1.
      Nobody knows how common it is overall, MS doesn’t even.

      If you in fact haven’t seen a failed update in 30 years, 1 of 3 is true:
      your enterprise solution is well managed, you are incompetently not discovering any failures,
      or you are lying. Any of those are more plausible than you actually never seeing an update fail,
      & as you’re actually pretending you have to “mess up editing the registry” to get a WU error,
      that’s just illiteracy or laziness in reading about this topic before offering your single anecdote.
      The world isn’t making it up just because you never saw it yourself, for whatever reason of the 3.

      1. My Company Tech

        You’re right…I’m lying…even though I said I remember the failed updates of the 2000’s. I agree that it sucks when a system is hosed due to a failed/misapplied update. What I stated was that it is less common than inferred in the story. But you’re right, I’m illiterate and a liar.
        If you can see through my “lies”, I would tell you that I run a small MSP and have had zero “hosed” systems upgrading servers and PC’s for clients over the last 4 years. And personally, none of my systems have been hosed. I also worked for an enterprise at one point, and only saw hosed systems in the 2000’s (rebuilding an Exchange server SUCKS, btw). That’s not to say it doesn’t happen, but in my experience (which is what I stated) I’ve seen it once, perhaps, in the tens of thousands of systems I’ve worked on.

        1. an_n

          It was one of three options. I guess this is you ruling out the other two? Fair enough.
          I’m not even saying your anecdote isn’t possibly based on “a” truth, but the presentation?
          Is nonsense. Rebuilding exchange servers in the 2000’s is not what we’re talking about.
          Your claims are distilled to windows update errors being a nonfactor in realtime. Wrong.
          YMMV and your definition of uncommon need updating.

            1. Clippy sez:

              Go back to work for Clippy suite 11, the “secure” version.

    2. yosemite sam

      i concur with tech company on your assessment of win10/11.

      compared to win95, xp, even win7.. win10,11 is a breeze but watch out for lots of bloatware and stuff you don’t need or want if you have a company to secure.

      youngbucks..offline backups are your friend just like vibranium condoms.. use them and they will save your job or wallet and you won’t have to work at whack arnold.. word.

      broh.. win10 even has its own image creation util, use it.. it works.

      eat your veggies, take your vitamins and sleep in its much easier on your constitution.. lol

      1. Non-find

        “compared to win95, xp, even win7.. win10,11 is a breeze”
        What does this refer to?

    3. It must be PEBKAC

      It doesn’t take a failed update to render a computer not functioning, ask anyone who prints to (or any tech that services) a Konica Minolta or Zebra printer how many updates this year made them unable to print.

  2. Clausewitz4.0

    Log4shell is like the new SQL injection.
    I wonder about the fate of legacy systems, created by companies which don’t exist anymore.
    Shells for years to come…

    1. Max

      Removal or replacing are the only options, the companies have to decide between the two.

  3. wiphala

    also Intel wireless driver comp 2021.12.0.5979, what does that mean?

  4. Kary

    A nit to pick. The initial use of the word “Chrome” should always be followed by either the word “browser” or “OS” if applicable so that the reader will understand what product is being discussed.

  5. Theresa

    I installed the updates this morning and now I can’t open Lightroom! Anyone else having this issue? This is a big problem.

  6. JackSparrow

    I don’t understand the excitement about the log4j exploit. This is not an exploit either, but a property that has long been promised. This is the first time ever that “Write one, run everywhere” works properly.

    1. Jeff Strubberg

      From a security standpoint, it’s possibly the dumbest idea ever. Code execution from a log file? No input sanitization? Just dumb.

      1. JackSparrow

        At least someone sees the sarcasm in my remark. It is not that easy to find the place where the CLASSPATH expands into nirvana. On the other hand, there was once a control option: Oracle SM. Deprecated at 17, now probably gone: https://openjdk.java.net/jeps/411. Very funny.

  7. PostToaster

    The October PrintNightmare KB update gave me a networking print nightmare. It cost me hours and I had to suspend updates for the first time ever. Also had to restore Windows from a backup.

    For the latter I *highly* recommend the free, industrial strength “Macrium Reflect” which I have used for years. I’ve set it to make weekly full and daily differential full system images to a bulk drive. Fast and silent background ops; has saved me many times.

  9. Catwhisperer

    From Canonical for Ubuntu, I’m not sure if this will work on other distros:
    $ sudo ua fix CVE-2021-44228
    $ sudo ua fix CVE-2021-45046

    Ideally you want the result:
    CVE-2021-45046: Apache Log4j 2 vulnerability
    https://ubuntu.com/security/CVE-2021-45046
    No affected packages are installed.
    ✔ CVE-2021-45046 does not affect your system.

      1. 2fine@point

        Affected Intel:
        Intel Audio Development Kit
        Intel Datacenter Manager
        oneAPI sample browser plugin for Eclipse
        Intel System Debugger
        Intel Secure Device Onboard (GitHub)
        Intel Genomics Kernel Library
        Intel System Studio
        Computer Vision Annotation Tool maintained by Intel
        Intel Sensor Solution Firmware Development Kit

        Affected Nvidia:
        CUDA Toolkit Visual Profiler and Nsight Eclipse Edition
        DGX Systems
        NetQ
        vGPU Software License Server

        Affected AMD:
        Nothing

  10. Bob Stromberg

    I went to the GitHub list of affected products (https://github.com/cisagov/log4j-affected-db/blob/develop/SOFTWARE-LIST.md) but could not find entries for certain prominent operating systems (Android, Chrome OS, iOS, iPadOS, macOS, Windows). Just products that run on those operating systems (like Dell Display Manager 1.5 for Windows / macOS).

    OTOH, I could find Linux distros Debian, Red Hat, and Ubuntu (the only distros whose names I know off the top of my head). In the table, the Red Hat entries had status info (“unaffected,” etc.) but Debian and Ubuntu’s entries were blank. I assume these are placeholders?

    I conclude that proprietary OSes are themselves unaffected. This makes sense because log4j is open source.

    But anyone running a Debian or Ubuntu needs to take some kind of action.

    Am I right about this?

    Hm. As a Concerned Citizen, I’m puzzled by the missing information. Why O Why would the table be so incomplete?

  11. Bee TV

    The Nightmare KB update in October gave me a nightmare to print. It took me a few hours and I postponed the update for the first time. Windows must be restored from a backup.

    Secondly, I recommend the * very * free, industrial “Macrim Reflect” energy that I use every year. I configured it for weekly and daily differentiated images of the entire system to access the disk. Fast and quiet background activities that I have recorded many times

  12. Tinkers' Construct

    I don’t understand the thrill of working with log4j. Nor is it a farm, but a long-promised property. This is the first time “Write One, Run Everywhere” works properly.
