Virtual Administrator’s December 2021 Patch Recommendations


This month Microsoft released patches for 67 vulnerabilities with 7 rated “Critical” and 60 “Important” in severity.

Office patches for CVE-2021-42293 (KB5002104, KB5002099) are being denied. All other patches have been approved in our patch policy.

67 patches for December. For those keeping count that brings the total for 2021 to 887 – down 29% from last year. Six are public and one (CVE-2021-43890) is being exploited. CVE-2021-43890 is a spoofing vulnerability in the Windows AppX Installer utility for loading Windows 10 apps from the App Store. The fix is to update the Windows AppX Installer or use some of the workarounds provided by Microsoft – see “Notable CVEs” below.

We are blocking KB5002104 (Office 2013) and KB5002099 (Office 2016) until Microsoft fixes a problem where “databases that are stored on a network share can’t be accessed by multiple users simultaneously” – see “Known Issues” below.

Of course the big news this month is Log4j. This vulnerability is not native to the Windows platform, but we provided a link below with more information. No new standalone SSUs this month.

Heads Up! Log4Shell vulnerability “Log4j”

Log4Shell log4j vulnerability (CVE-2021-44228 / CVE-2021-45046) – cheat-sheet reference guide

https://www.techsolvency.com/story-so-far/cve-2021-44228-log4j-log4shell/

FYI – Windows 10, version 2004 (OS Build 19041) has reached end of servicing as of this release on December 14, 2021. To continue receiving security and quality updates, Microsoft recommends that you update to the latest version of Windows 10.

Disclosed: CVE-2021-41333, CVE-2021-43240, CVE-2021-43880, CVE-2021-43883, CVE-2021-43890, CVE-2021-43893

Exploited: CVE-2021-43890

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

We will no longer list “affected software” in this post. Previously Microsoft listed affected “software”. This month the list includes “products, features and roles”, which makes the list too long. If you look at the month’s Release Notes on the Security Update Guide page you can view this list.

Microsoft Security Advisories – None

Known Issues

The Office update to resolve an elevation of privilege issue in the Microsoft Jet database engine (CVE-2021-42293) can break multi-user access to database files. CVE-2021-42293 is not publicly known or being exploited. Microsoft’s “Exploitability Assessment” is “Exploitation Less Likely”.

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues, it is unlikely it will occur now.

Microsoft Jet Red Database Engine and Access Connectivity Engine Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-42293

“After this update is installed, databases that are stored on a network share can’t be accessed by multiple users simultaneously. Microsoft is aware of this issue and will update this KB when a fix is available.”

Affected updates are KB5002104 (Office 2013), KB5002099 (Office 2016) and Office Click-to-Run 16.0.14701.20248 (current channel version; other channels may also be affected).

Description of the security update for Office 2013: December 14, 2021 (KB5002104)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-office-2013-december-14-2021-kb5002104-84005c4a-9bfe-4da6-bd66-240c5c468c7c

Description of the security update for Office 2016: December 14, 2021 (KB5002099)

https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-office-2016-december-14-2021-kb5002099-10670400-427f-4819-8de6-abd11e73100b

A good resource for known issues with Windows 10 patches. Find the version and click on “Known issues”.

Windows release health

https://docs.microsoft.com/en-us/windows/release-health/

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links have the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only (without the “KB” prefix).

Security and Quality Rollup

  • KB5008244 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5008263 – Windows 8.1, Windows Server 2012 R2
  • KB5008277 – Windows Server 2012
  • KB5008274 – Windows Server 2008 (ESU)

Security Only Update

  • KB5008282 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5008285 – Windows 8.1, Windows Server 2012 R2
  • KB5008255 – Windows Server 2012
  • KB5008271 – Windows Server 2008 (ESU)

Cumulative Updates

Windows 10

  • KB5008230 – Original release version 1507 (OS Build 10240)
  • KB5008207 – Version 1607 “Anniversary Update” (OS Build 14393)
  • KB5008218 – Version 1809 “October 2018 Update” (OS Build 17763)
  • KB5008206 – Version 1909 “November 2019 Update” (OS Build 18363)
  • KB5008212 – Version 2004 “May 2020 Update” (OS Build 19041)
  • KB5008212 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5008212 – Version 21H1 “May 2021 Update” (OS Build 19043)
  • KB5008212 – Version 21H2 “November 2021 Update” (OS Build 19044)

(Versions 1511, 1703, 1709, 1803, 1903 are no longer under support)

Windows 11

  • KB5008215 – Original release (OS Build 22000)

Windows Server

  • KB5008207 – Server 2016 (same KB as Windows 10 Version 1607)
  • KB5008218 – Server 2019 (same KB as Windows 10 Version 1809)
  • KB5008223 – Server 2022 (OS Build 20348)
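As an added example (not part of the Virtual Administrator post), the PowerShell function below takes the build-to-KB table from the Windows 10, Windows 11 and Windows Server lists above, reads the local OS build from the registry, checks with Get-HotFix whether this month’s cumulative update is installed, and builds the support link in the https://support.microsoft.com/en-us/help/####### form described above. The function name Test-DecemberCumulativeUpdate, the hashtable and the output format are assumptions of this example; the KB numbers and the build 19041 end-of-servicing note come from the post.

```powershell
# Added example: verify the December 2021 cumulative update on the local host.
# KB table transcribed from the post's Windows 10 / Windows 11 / Windows Server lists.
function Test-DecemberCumulativeUpdate {
    $expectedKb = @{
        '10240' = 'KB5008230'   # Windows 10 1507
        '14393' = 'KB5008207'   # Windows 10 1607 / Windows Server 2016
        '17763' = 'KB5008218'   # Windows 10 1809 / Windows Server 2019
        '18363' = 'KB5008206'   # Windows 10 1909
        '19041' = 'KB5008212'   # Windows 10 2004 (end of servicing 2021-12-14 per the post)
        '19042' = 'KB5008212'   # Windows 10 20H2
        '19043' = 'KB5008212'   # Windows 10 21H1
        '19044' = 'KB5008212'   # Windows 10 21H2
        '22000' = 'KB5008215'   # Windows 11
        '20348' = 'KB5008223'   # Windows Server 2022
    }

    # CurrentBuildNumber is the OS build without the UBR (e.g. 19044).
    $build = [string](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber

    if (-not $expectedKb.ContainsKey($build)) {
        Write-Warning "Build $build is not in the December 2021 cumulative update list (unsupported or not covered)."
        return
    }

    $kb = $expectedKb[$build]
    # Get-HotFix (Win32_QuickFixEngineering) reports Windows component updates by KB id.
    $installed = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }

    $result = [pscustomobject]@{
        Build     = $build
        Expected  = $kb
        Installed = [bool]$installed
        SupportUrl = "https://support.microsoft.com/en-us/help/$($kb.Substring(2))"
    }

    if ($build -eq '19041') {
        Write-Warning 'Windows 10 version 2004 reached end of servicing on 2021-12-14; plan an upgrade to a supported version.'
    }

    $result
}

Test-DecemberCumulativeUpdate
```

Get-HotFix only covers Windows component updates, so the blocked Office patches (KB5002104, KB5002099) will not appear in its output and must be checked through your patch management tool or the Office “Installed Updates” list instead. The build table is a point-in-time snapshot for December 2021; a later month needs its own KB list.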

December 2021 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/december-2021-updates-for-microsoft-office-25d5edf1-0907-43a2-8e95-2c116583bd16

Notable CVEs

CVE-2021-41333 | Windows Print Spooler Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-41333

CVE-2021-43240 | NTFS Set Short Name Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43240

CVE-2021-43880 | Windows Mobile Device Management Elevation of Privilege Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43880

CVE-2021-43883 | Windows Installer Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43883

CVE-2021-43890 | Windows AppX Installer Spoofing Vulnerability (update application or workaround)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43890

CVE-2021-43893 | Windows Encrypting File System (EFS) Elevation of Privilege Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-43893