IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - Sep 2021 | Foundation IT

Written by Lizzie Arcari | Sep 14, 2021 10:00:00 AM

This week Microsoft released its security updates for September 2021, which has fixes for 60 (86 including Microsoft Edge) vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Elliott McKenna has provided our FIT score and tips.

Out of the 60 patches; 3 are classed as critical, 56 as important and 1 as moderate. There were also 32 Zero-Day vulnerabilities publicly disclosed. 

Zero-day vulnerabilities discovered this month:

The publicly disclosed, but not exploited:-

  • CVE-2021-36968 - Windows DNS Elevation of Privilege Vulnerability.

The one actively exploited vulnerability is the Windows MSHTML remote code execution vulnerability:-

  • CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability.

Other companies who have released security updates this week:

  • Adobe released security updates for two products.
  • Android's September security updates were released last week.
  • Apple released security updates for iOS and macOS yesterday that fix two zero-day vulnerabilities exploited in the wild. One of the vulnerabilities was used to install the NSO Pegasus spyware on activists' devices.
  • Cisco released security updates for numerous products this month.
  • SAP released its September 2021 security updates.

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

 

Category

CVE IDs

CVE Title 

Severity

FIT Score & Tip

Azure Open Management Infrastructure
1

CVE-2021-38647

Open Management Infrastructure Remote Code Execution Vulnerability

Critical

4/5 - Flagged as critical, most of the Azure stack is automatically updated without intervention, but worth reviewing to ensure if you utilise the Management Infrastructure that you don't miss an important update.

Azure Open Management Infrastructure
3

CVE-2021-38648
CVE-2021-38645
CVE-2021-38649

Open Management Infrastructure Elevation of Privilege Vulnerability

Important

3/5 - Much like the above, typically automatically updated but worth paying attention to the CVE in case it changes or manual intervention is required.

Azure Sphere
1

CVE-2021-36956

Azure Sphere Information Disclosure Vulnerability

Important

3/5 - An active internet connection for the Azure Sphere will obtain the update automatically. If not the CVE has the steps within to verify.

Dynamics Business Central Control
1

CVE-2021-40440

Microsoft Dynamics Business Central Cross-site Scripting Vulnerability

Important

3/5 - If utilised, then it's worth obtaining this update which is a download from Microsoft.

Microsoft Accessibility Insights for Android
1

CVE-2021-40448

Microsoft Accessibility Insights for Android Information Disclosure Vulnerability

Important

2/5 - This is more of a placeholder, there doesn't seem to be a specific update available at the moment, but as ever keeping everything up to date will aid this.

Microsoft Edge (Chromium-based)
5

CVE-2021-38641
CVE-2021-38642
CVE-2021-38669
CVE-2021-36930
CVE-2021-26436

Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability

Microsoft Edge for Android Spoofing Vulnerability

Microsoft Edge for iOS Spoofing Vulnerability

Microsoft Edge (Chromium-based) Tampering Vulnerability

Important

4/5 - Microsoft Edge will automatically update, much like other browsers, when it has an active Internet connection. However, that being said, it's worth checking versions numbers and forcing an update if required. Triggered via Help > About

Microsoft Edge (Chromium-based)
20

CVE-2021-30606
CVE-2021-30609
CVE-2021-30608
CVE-2021-30607
CVE-2021-30632
CVE-2021-30610
CVE-2021-30620
CVE-2021-30619
CVE-2021-30618
CVE-2021-30621
CVE-2021-30624
CVE-2021-30623
CVE-2021-30622
CVE-2021-30613
CVE-2021-30612
CVE-2021-30611
CVE-2021-30614
CVE-2021-30617
CVE-2021-30616
CVE-2021-30615

A breakdown of the vulnerabilities can be found in the downloaded table.

Unknown

4/5 - Microsoft Edge will automatically update, much like other browsers, when it has an active Internet connection. However, that being said, it's worth checking versions numbers and forcing an update if required. Triggered via Help > About

Microsoft Edge for Android
1

CVE-2021-26439

Microsoft Edge for Android Information Disclosure Vulnerability

Moderate

3/5 - The Play Store will offer an update to Edge for Android which should be applied when available.

Microsoft MPEG-2 Video Extension
1

CVE-2021-38644

Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability

Important

3/5 - This vulnerability only affects the Microsoft Store offering, and the store will hold an update for this vulnerability.

Microsoft Office
4

CVE-2021-38657
CVE-2021-38658
CVE-2021-38650
CVE-2021-38659

Microsoft Office Graphics Component Information Disclosure Vulnerability

Microsoft Office Graphics Remote Code Execution Vulnerability

Microsoft Office Spoofing Vulnerability

Microsoft Office Remote Code Execution Vulnerability

Important

4/5 - A click to run has been released for this update, which is attached to the CVE. However, checking for updates within your Office apps will trigger the update to take place.

Microsoft Office Access
1

CVE-2021-38646

Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability

Important

4/5 - Later versions of Office have a click to run available however earlier versions will require the download and installation of updates associated with this CVE.

Microsoft Office Excel
2

CVE-2021-38655
CVE-2021-38660

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Office Graphics Remote Code Execution Vulnerability

Important

4/5 - Similar to the above, later updates are available via a click to run, but older versions are update files.

Microsoft Office SharePoint
2

CVE-2021-38651
CVE-2021-38652

Microsoft SharePoint Server Spoofing Vulnerability

Important

3/5 - If you utilise on-premise SharePoint server then this update should be prioritised. If you use SharePoint Online, the platform is automatically updated in the background.

Microsoft Office Visio
2

CVE-2021-38654
CVE-2021-38653

Microsoft Office Visio Remote Code Execution Vulnerability

Important

4/5 - A click to run has been released for this update, which is attached to the CVE. However, checking for updates within your Office apps will trigger the update to take place.

Microsoft Office Word
1

CVE-2021-38656

Microsoft Word Remote Code Execution Vulnerability

Important

4/5 - A click to run has been released for this update, which is attached to the CVE. However, checking for updates within your Office apps will trigger the update to take place.

Microsoft Windows Codecs Library
1

CVE-2021-38661

HEVC Video Extensions Remote Code Execution Vulnerability

Important

3/5 - The Microsoft Store will automatically update the affected app, however you can version check manually using the CVE article.

Microsoft Windows DNS
1

CVE-2021-36968

Windows DNS Elevation of Privilege Vulnerability

Important

4/5 - This is for older operating systems, Server 2008 and Windows 7. You may find you need extended support with these to obtain these updates.

Visual Studio
3

CVE-2021-36952
CVE-2021-26434
CVE-2021-26437

Visual Studio Remote Code Execution Vulnerability

Visual Studio Elevation of Privilege Vulnerability

Visual Studio Code Spoofing Vulnerability

Important

3/5 - If you use Visual Studio, there is an update available for most of the recent versions which can be obtained from Microsoft and applied.

Windows Ancillary Function Driver for WinSock
2

CVE-2021-38628
CVE-2021-38638

Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Authenticode
1

CVE-2021-36959

Windows Authenticode Spoofing Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Bind Filter Driver
1

CVE-2021-36954

Windows Bind Filter Driver Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows BitLocker
1

CVE-2021-38632

BitLocker Security Feature Bypass Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Common Log File System Driver
3

CVE-2021-38633
CVE-2021-36963
CVE-2021-36955

Windows Common Log File System Driver Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Event Tracing
2

CVE-2021-36964
CVE-2021-38630

Windows Event Tracing Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Installer
2

CVE-2021-36962
CVE-2021-36961

Windows Installer Information Disclosure Vulnerability

Windows Installer Denial of Service Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Kernel
2

CVE-2021-38626
CVE-2021-38625

Windows Kernel Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability is specifically related to Windows Server 2008. Support for this may be required to apply the update, as Server 2008 is EOL.

Windows Key Storage Provider
1

CVE-2021-38624

Windows Key Storage Provider Security Feature Bypass Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows MSHTML Platform
1

CVE-2021-40444

Microsoft MSHTML Remote Code Execution Vulnerability

Important

4/5 - Updates are available for Internet Explorer and there is also a workaround present on the CVE itself to mitigate this Active X based vulnerability.

Windows Print Spooler Components
3

CVE-2021-38667
CVE-2021-38671
CVE-2021-40447

Windows Print Spooler Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Redirected Drive Buffering
4

CVE-2021-36969
CVE-2021-38635
CVE-2021-36973
CVE-2021-38636

Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability

Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Scripting
1

CVE-2021-26435

Windows Scripting Engine Memory Corruption Vulnerability

Critical

5/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows SMB
3

CVE-2021-36960
CVE-2021-36972
CVE-2021-36974

Windows SMB Information Disclosure Vulnerability

Windows SMB Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Storage
1

CVE-2021-38637

Windows Storage Information Disclosure Vulnerability

Important

3/5 - Effecting later Operating Systems, this also forms part of your typical monthly patching cycle.

Windows Subsystem for Linux
1

CVE-2021-36966

Windows Subsystem for Linux Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows TDX.sys
1

CVE-2021-38629

Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Update
1

CVE-2021-38634

Microsoft Windows Update Client Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows Win32K
2

CVE-2021-38639
CVE-2021-36975

Win32k Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows WLAN Auto Config Service
1

CVE-2021-36965

Windows WLAN AutoConfig Service Remote Code Execution Vulnerability

Critical

5/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

Windows WLAN Service
1

CVE-2021-36967

Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability

Important

4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support.

 

Hope this table with helpful!