Last week Microsoft released its security updates for November 2021, which has fixes for 55 vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Daniel Robinson has provided our FIT score and tips.
Out of the 55 patches; 6 are classed as critical and 49 as important. There were also 6 Zero-Day vulnerabilities.
Zero-day vulnerabilities discovered this month:
Actively exploited vulnerabilities:-
- CVE-2021-42292 - Microsoft Excel Security Feature Bypass Vulnerability.
- CVE-2021-42321 - Microsoft Exchange Server Remote Code Execution Vulnerability.
Publicly disclosed vulnerabilities that are not known to be exploited:-
- CVE-2021-38631 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability.
- CVE-2021-41371 - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability.
- CVE-2021-43208 - 3D Viewer Remote Code Execution Vulnerability.
- CVE-2021-43209 - 3D Viewer Remote Code Execution Vulnerability.
Other companies who have released security updates this week:
- Adobe's November security updates were released for various applications.
- Android's November security updates were released last week.
- Cisco released security updates for numerous products this month, including a hard-coded password and SSH key vulnerability.
- SAP released its November 2021 security updates.
All the patches can be found in the table below or alternatively downloaded here.
We have also curated a downloadable Patching Best Practice Guide.
|
Category |
CVE IDs |
CVE Title |
Severity |
FIT Score & Tip |
|
3D Viewer 2 |
CVE-2021-43209 CVE-2021-43208 |
3D Viewer Remote Code Execution Vulnerability |
Important |
4/5 - This is a Microsoft Store App, which should automatically be updated. You can check the package version in PowerShell, by using: Get-AppxPackage -Name Microsoft.Microsoft3DViewer |
|
Azure 1 |
CVE-2021-41373 |
FSLogix Information Disclosure Vulnerability |
Important |
4/5 - If you are using FSLogix, then this is highly recommended to mitigate against this vulnerability. The Microsoft link on the CVE has been causing problems with redirects, so the fix can be obtained here: https://docs.microsoft.com/en-us/fslogix/whats-new |
|
Azure RTOS 6 |
CVE-2021-42303 CVE-2021-42302 CVE-2021-42301 CVE-2021-42323 CVE-2021-26444 CVE-2021-42304 |
Azure RTOS Elevation of Privilege Vulnerability Azure RTOS Information Disclosure Vulnerability |
Important |
4/5 - If you are using RTOS, then you have to recompile your project with updated USBX source code if the project uses host audio/video/CDC-ECM/PIMA, or device storage class to mitigate this vulnerability. In addition, if your USB device driver uses vendor request (registered by ux_device_stack_microsoft_extension_register) you need to update your code to perform memory boundary check. If you are not using vendor requests, (i.e. you don’t register the callback function) you don’t need to update your code. |
|
Azure Sphere 4 |
CVE-2021-41374 CVE-2021-41376 CVE-2021-42300 CVE-2021-41375 |
Azure Sphere Information Disclosure Vulnerability Azure Sphere Tampering Vulnerability |
Important |
4/5 - Azure Sphere will automatically update itself when it is connected to the Internet, you can run: azsphere device show-deployment-status to show you the update status. |
|
Microsoft Dynamics 1 |
CVE-2021-42316 |
Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability |
Critical |
5/5 - If you use Dynamics 365 On-Prem, then this will be a priority for you. Download links are available from the Microsoft CVE link: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-42316 |
|
Microsoft Edge (Chromium-based) in IE Mode 1 |
CVE-2021-41351 |
Microsoft Edge (Chrome based) Spoofing on IE Mode |
Important |
3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Microsoft Exchange Server 3 |
CVE-2021-42305 CVE-2021-41349 CVE-2021-42321 |
Microsoft Exchange Server Spoofing Vulnerability Microsoft Exchange Server Remote Code Execution Vulnerability |
Important |
4/5 - This vulnerability is for on-premise Microsoft Exchange Servers, if you have one of these you should get this applied ASAP. |
|
Microsoft Office Access 1 |
CVE-2021-41368 |
Microsoft Access Remote Code Execution Vulnerability |
Important |
3/5 - Updates have been released for all versions of Access which are currently within support. |
|
Microsoft Office Excel 2 |
CVE-2021-40442 CVE-2021-42292 |
Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel Security Feature Bypass Vulnerability |
Important |
3/5 - Updates have been released for all versions of Excel which are currently within support. |
|
Microsoft Office Word 1 |
CVE-2021-42296 |
Microsoft Word Remote Code Execution Vulnerability |
Important |
3/5 - This update is available for long term support Office and also for the 365 apps. Updates for Office are typically delivered via the Office client. |
|
Microsoft Windows 1 |
CVE-2021-41356 |
Windows Denial of Service Vulnerability |
Important |
3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Microsoft Windows Codecs Library 1 |
CVE-2021-42276 |
Microsoft Windows Media Foundation Remote Code Execution Vulnerability |
Important |
3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Power BI 1 |
CVE-2021-41372 |
Power BI Report Server Spoofing Vulnerability |
Important |
3/5 - This is for the Power BI Report Server which is an on-premise application for Power Bi Premium licencing. |
|
Role: Windows Hyper-V 2 |
CVE-2021-42284 CVE-2021-42274 |
Windows Hyper-V Denial of Service Vulnerability Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability |
Important |
3/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. This update is more critical if you utilise Hyper-V |
|
Visual Studio 1 |
CVE-2021-3711 |
OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow |
Critical
|
4/5 - The update for Visual Studio is available from the Visual Studio portal. As this is flagged as critical, I would ensure this gets applied ASAP. |
|
Visual Studio 1 |
CVE-2021-42319 |
Visual Studio Elevation of Privilege Vulnerability |
Important |
4/5 - Although not flagged as critical, this vulnerability is mitigated in the same update which resolves the above. |
|
Visual Studio Code 1 |
CVE-2021-42322 |
Visual Studio Code Elevation of Privilege Vulnerability |
Important |
3/5 - Not to be confused with the above, this update is for Visual Studio Code and can be downloaded from a separate link: https://code.visualstudio.com/Download |
|
Windows Active Directory 4 |
CVE-2021-42278 CVE-2021-42291 CVE-2021-42287 CVE-2021-42282 |
Active Directory Domain Services Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported server operating systems. |
|
Windows COM 1 |
CVE-2021-42275 |
Microsoft COM for Windows Remote Code Execution Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported server operating systems. |
|
Windows Core Shell 1 |
CVE-2021-42286 |
Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for Windows 10 operating systems. |
|
Windows Cred SSProvider Protocol 1 |
CVE-2021-41366 |
Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Defender 1 |
CVE-2021-42298 |
Microsoft Defender Remote Code Execution Vulnerability |
Critical |
4/5 - This will be delivered automatically via Windows Update. Alternatively, it can be checked within the Windows Security App and the version can then be checked. |
|
Windows Desktop Bridge 1 |
CVE-2021-36957 |
Windows Desktop Bridge Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Diagnostic Hub 1 |
CVE-2021-42277 |
Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Fastfat Driver 1 |
CVE-2021-41377 |
Windows Fast FAT File System Driver Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Feedback Hub 1 |
CVE-2021-42280 |
Windows Feedback Hub Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Hello 1 |
CVE-2021-42288 |
Windows Hello Security Feature Bypass Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for Windows 10 based operating systems. |
|
Windows Installer 1 |
CVE-2021-41379 |
Windows Installer Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Kernel 1 |
CVE-2021-42285 |
Windows Kernel Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows NTFS 4 |
CVE-2021-42283 CVE-2021-41370 CVE-2021-41378 CVE-2021-41367 |
NTFS Elevation of Privilege Vulnerability Windows NTFS Remote Code Execution Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems, Windows 10 and 11 based including server. |
|
Windows RDP 1 |
CVE-2021-38666 |
Remote Desktop Client Remote Code Execution Vulnerability |
Critical |
5/5 - Flagged as critical, This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows RDP 3 |
CVE-2021-38665 CVE-2021-38631 CVE-2021-41371 |
Remote Desktop Protocol Client Information Disclosure Vulnerability Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability |
Important |
4/5 - This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems. |
|
Windows Scripting 1 |
CVE-2021-42279 |
Chakra Scripting Engine Memory Corruption Vulnerability |
Critical |
5/5 - Flagged as critical, This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems, Windows 10 and 11 based including server. |
|
Windows Virtual Machine Bus 1 |
CVE-2021-26443 |
Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability |
Critical |
5/5 - Flagged as critical, This vulnerability is resolved within the normal monthly patching cycle, in the 2021-11 cumulative update for supported operating systems, Windows 10 and 11 based including server. |
Hope this table with helpful!
About the Author: Dan Robinson
Dan is a Senior Technical resource within the managed service team. He looks after 1st line personnel and has a specialist skills with SCCM, Intune, Patching processes and general Infrastructure.
