IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - Oct 2021 | Foundation IT

Written by Lizzie Arcari | Oct 15, 2021 3:01:18 PM

This week Microsoft released its security updates for October 2021, which has fixes for 74 (81 including Microsoft Edge) vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Daniel Robinson has provided our FIT score and tips.

Out of the 74 patches; 3 are classed as critical, 70 as important and 1 as moderate. There were also 4 Zero-Day. 

Zero-day vulnerabilities discovered this month:

Actively exploited vulnerability:-

  • CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability.

Publicly disclosed vulnerabilities that are not known to be exploited:-

  • CVE-2021-40469 - Windows DNS Server Remote Code Execution Vulnerability.
  • CVE-2021-41335 - Windows Kernel Elevation of Privilege Vulnerability.
  • CVE-2021-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability.

Other companies who have released security updates this week:

  • Adobe October security updates were released for various applications.
  • Android's October security updates were released last week.
  • Apache released HTTP Web Server 2.4.51 to fix an incompete patch for an actively exploited vulnerability.
  • Apple released security updates for iOS and iPadOS yesterday that an actively exploited zero-day vulnerability.
  • Cisco released security updates for numerous products this month.
  • SAP released its October 2021 security updates.
  • VMWare released a two security updates [1. 2, 3] for VMware vRealize Operations.

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

 

Category

CVE IDs

CVE Title 

Severity

FIT Score & Tip

.NET Core & Visual Studio
1

CVE-2021-41355

.NET Core and Visual Studio Information Disclosure Vulnerability

Important

3/5 - If you utilise Visual Studio it would be worthwhile to apply this sooner rather than later, especially for what Visual Studio is used for.

Active Directory Federation Services
1

CVE-2021-41361

Active Directory Federation Server Spoofing Vulnerability

Important

4/5 - This vulnerability requires the attacked to leave an application behind, so would assume they already have access to the targetted system. The update is contained within the normal October Monthly Update.

Console Window Host
1

CVE-2021-41346

Console Window Host Security Feature Bypass Vulnerability

Important

3/5 - This update is contained within the October Monthly Update and can be applied during your normal cycle.

HTTP.sys
1

CVE-2021-26442

Windows HTTP.sys Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is not exploited nor publically disclosed. However, you should never leave the vulnerability door open for long. This is once again contained within the monthly October patches.

Microsoft DWM Core Library
1

CVE-2021-41339

Microsoft DWM Core Library Elevation of Privilege Vulnerability

Important

4/5 - Interestingly we haven't seen many updates required for Windows 11 pending its launch this month. However this update is contained within the monthly fixes for all supported operating systems, now including Windows 11.

Microsoft Dynamics
3

CVE-2021-40457
CVE-2021-41353
CVE-2021-41354

Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability

Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Important

4/5 - A user would have to open a maliciously crafted email sent to Dynamics 365 Customer Engagement. This update only applies to Dynamics 365 Customer Engagement.

Microsoft Edge (Chromium-based)
7

CVE-2021-37978
CVE-2021-37979
CVE-2021-37980
CVE-2021-37977
CVE-2021-37974
CVE-2021-37975
CVE-2021-37976

Chromium: CVE-2021-37978 Heap buffer overflow in Blink

Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC

Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox

Chromium: CVE-2021-37977 Use after free in Garbage Collection

Chromium: CVE-2021-37974 Use after free in Safe Browsing

Chromium: CVE-2021-37975 Use after free in V8

Chromium: CVE-2021-37976 Information leak in core

Unknown

4/5 - This issue resolves an active vulnerability within Edge, however it also has been fixed for Google Chrome too. Edge utilises the Chromium engine and is build similar to Chrome. Like most browser updates, opening the browser and navigating to Help > About will commence an update and display the version number.

Microsoft Exchange Server
4

CVE-2021-26427
CVE-2021-34453
CVE-2021-41348
CVE-2021-41350

Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server Denial of Service Vulnerability

Microsoft Exchange Server Elevation of Privilege Vulnerability

Microsoft Exchange Server Spoofing Vulnerability

Important

5/5 - We are seeing less and less on-premise Exchange servers, however some hybrid environments still have Exchange 2016 on premise to support Office 365. The attacker is making specific requests over an adjacent network.

Microsoft Graphics Component
1

CVE-2021-41340

Windows Graphics Component Remote Code Execution Vulnerability

Important

3/5 - Exploitation of the vulnerability requires that a user open a specially crafted file. This fix is contained within the normal monthly patching for October.

Microsoft Intune
1

CVE-2021-41363

Intune Management Extension Security Feature Bypass Vulnerability

Important

5/5 - Although classified as important and not critical. Intune is a key component in to the security and protection of your estate. Therefore making note of this one is important. This vulnerability only exists when Intune Management Extension is enabled as managed installer. Enabling IME as managed installer requires local administrator privileges.

Microsoft Office Excel
6

CVE-2021-40473
CVE-2021-40472
CVE-2021-40471
CVE-2021-40474
CVE-2021-40485
CVE-2021-40479

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Excel Information Disclosure Vulnerability

Important

4/5 - It wouldn't be a patch Tuesday without the fixes for various Microsoft Office applications. Updates for this will be contained within the Office update process available within the applications, alternatively can be updated on volume.

Microsoft Office Excel
2

CVE-2021-38655
CVE-2021-38660

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Office Graphics Remote Code Execution Vulnerability

Important

4/5 - Similar to the above, later updates are available via a click to run, but older versions are update files.

Microsoft Office SharePoint
1

CVE-2021-40483

Microsoft SharePoint Server Spoofing Vulnerability

Moderate

3/5 - If you utilise on premise SharePoint then this update needs to be applied. SharePoint Online (the offering provided by Office 365) is already updated behind the scenes if required.

Microsoft Office SharePoint
5

CVE-2021-40487
CVE-2021-40484
CVE-2021-40482
CVE-2021-41344

Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft SharePoint Server Spoofing Vulnerability

Microsoft SharePoint Server Information Disclosure Vulnerability

Microsoft SharePoint Server Remote Code Execution Vulnerability

Important

3/5 - If you utilise on premise SharePoint then this update needs to be applied. SharePoint Online (the offering provided by Office 365) is already updated behind the scenes if required.

Microsoft Office Visio
2

CVE-2021-40480
CVE-2021-40481

Microsoft Office Visio Remote Code Execution Vulnerability

Important

3/5 - A user needs to be tricked into downloading and running malicious files. This is included in the Office updates which would be applied to the whole suite if Visio is installed.

Microsoft Office Word
1

CVE-2021-40486

Microsoft Word Remote Code Execution Vulnerability

Critical

5/5 - Unusual for a Word update to be classified as critical, so advisable to tackle this one sooner rather than later.

Microsoft Windows Codecs Library
3

CVE-2021-40462
CVE-2021-41330
CVE-2021-41331

Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Windows Media Audio Decoder Remote Code Execution Vulnerability

Important

3/5 - Included with the normal monthly October patching.

Rich Text Edit Control
1

CVE-2021-40454

Rich Text Edit Control Information Disclosure Vulnerability

Important

3/5 - An attacker that successfully exploited this vulnerability could recover cleartext passwords from memory. The update is located within the typical monthly updates for October 2021.

Role: DNS Server
1

CVE-2021-40469

Windows DNS Server Remote Code Execution Vulnerability

Important

4/5 - Most Windows based domains utilise the DNS feature. this vulnerability is only exploitable if the server is configured to be a DNS server.

Role: Windows Active Directory Server
1

CVE-2021-41337

Active Directory Security Feature Bypass Vulnerability

Important

4/5 - Once again, if you are utilising Active Directory then this is will be a key vulnerability to tackle. This vulnerability could allow an attacker to bypass Active Directory domain permissions for Key Admins groups.

Role: Windows AD FS Server
1

CVE-2021-40456

Windows AD FS Security Feature Bypass Vulnerability

Important

4/5 - This vulnerability could allow an attacker to bypass ADFS BannedIPList entries for WS-Trust workflows. This fix is located within the normal monthly patching for October.

Role: Windows Hyper-V
2

CVE-2021-38672
CVE-2021-40461

Windows Hyper-V Remote Code Execution Vulnerability

Critical

5/5 - As Hyper-V is for provisioning Virtual Machines, it's worth paying attention to this vulnerability and getting it applied. For successful exploitation, this vulnerability could allow a malicious guest VM to read kernel memory in the host. To trigger this vulnerability the guest VM requires a memory allocation error to first occur on the guest VM. This bug could be used for a VM escape from guest to host.

System Center
1

CVE-2021-41352

SCOM Information Disclosure Vulnerability

Important

4/5 - Worth being aware that this is for the SCOM Web Console only. Customers whose machines are not SCOM web console server machines do not need to install this update.

Visual Studio
3

CVE-2020-1971
CVE-2021-3450
CVE-2021-3449

OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference

OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT

OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing

Important

3/5 - If utilised specific updates exist for Visual Studio that can be obtained from Microsoft. The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by Microsoft Visual Studio

Windows AppContainer
2

CVE-2021-41338
CVE-2021-40476

Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

Windows AppContainer Elevation Of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows AppX Deployment Service
1

CVE-2021-41347

Windows AppX Deployment Service Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Bind Filter Driver
1

CVE-2021-40468

Windows Bind Filter Driver Information Disclosure Vulnerability

Important

4/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

Windows Cloud Files Mini Filter Driver
1

CVE-2021-40475

Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability

Important

3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

Windows Common Log File System Driver
3

CVE-2021-40443
CVE-2021-40467
CVE-2021-40466

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Desktop Bridge
1

CVE-2021-41334

Windows Desktop Bridge Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows DirectX
1

CVE-2021-40470

DirectX Graphics Kernel Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Event Tracing
1

CVE-2021-40477

Windows Event Tracing Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows exFAT File System
1

CVE-2021-38663

Windows exFAT File System Information Disclosure Vulnerability

Important

3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Windows Fastfat Driver
2

CVE-2021-41343
CVE-2021-38662

Windows Fast FAT File System Driver Information Disclosure Vulnerability

Important

3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

Windows Installer
1

CVE-2021-40455

Windows Installer Spoofing Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Kernel
2

CVE-2021-41336
CVE-2021-41335

Windows Kernel Information Disclosure Vulnerability

Windows Kernel Elevation of Privilege Vulnerability

Important

3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process.

Windows MSHTML Platform
1

CVE-2021-41342

Windows MSHTML Platform Remote Code Execution Vulnerability

Important

4/5 - The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications.

Windows Nearby Sharing
1

CVE-2021-40464

Windows Nearby Sharing Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Network Address Translation (NAT)
1

CVE-2021-40463

Windows NAT Denial of Service Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Print Spooler Components
2

CVE-2021-41332
CVE-2021-36970

Windows Print Spooler Information Disclosure Vulnerability

Windows Print Spooler Spoofing Vulnerability

Important

4/5 - Since the print spooler vulnerability announcement a few months back, I'd recommend paying closer attention to these vulnerabilities. It would appear they have become more prudent in Microsoft's eyes also. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory.

Windows Remote Procedure Call Runtime
1

CVE-2021-40460

Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability

Important

3/5 - This vulnerability could allow an attacker to bypass Extended Protection for Authentication provided by SPN target name validation.

Windows Storage Spaces Controller
5

CVE-2021-40489
CVE-2021-41345
CVE-2021-26441
CVE-2021-40478
CVE-2021-40488

Storage Spaces Controller Elevation of Privilege Vulnerability

Important

4/5 - An authorized (medium integrity level) attacker could exploit this Windows Storport driver elevation of privilege vulnerability by locally sending through a user mode application a specially crafted request to the driver specifying an IOCTL parameter, which could lead to an out-of-bounds buffer write.

Windows TCP/IP
1

Windows TCP/IP

Windows TCP/IP Denial of Service Vulnerability

Important

 

Windows Text Shaping
1

CVE-2021-40465

Windows Text Shaping Remote Code Execution Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

Windows Win32K
3

CVE-2021-40449
CVE-2021-41357
CVE-2021-40450

Win32k Elevation of Privilege Vulnerability

Important

3/5 - The fixes for this vulnerability are located within the usual monthly patching for October.

 

Hope this table with helpful!