This week Microsoft released its security updates for October 2021, which has fixes for 74 (81 including Microsoft Edge) vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Daniel Robinson has provided our FIT score and tips.
Out of the 74 patches; 3 are classed as critical, 70 as important and 1 as moderate. There were also 4 Zero-Day.
Zero-day vulnerabilities discovered this month:
Actively exploited vulnerability:-
- CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability.
Publicly disclosed vulnerabilities that are not known to be exploited:-
- CVE-2021-40469 - Windows DNS Server Remote Code Execution Vulnerability.
- CVE-2021-41335 - Windows Kernel Elevation of Privilege Vulnerability.
- CVE-2021-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability.
Other companies who have released security updates this week:
- Adobe October security updates were released for various applications.
- Android's October security updates were released last week.
- Apache released HTTP Web Server 2.4.51 to fix an incompete patch for an actively exploited vulnerability.
- Apple released security updates for iOS and iPadOS yesterday that an actively exploited zero-day vulnerability.
- Cisco released security updates for numerous products this month.
- SAP released its October 2021 security updates.
- VMWare released a two security updates [1. 2, 3] for VMware vRealize Operations.
All the patches can be found in the table below or alternatively downloaded here.
We have also curated a downloadable Patching Best Practice Guide.
|
Category |
CVE IDs |
CVE Title |
Severity |
FIT Score & Tip |
|
.NET Core & Visual Studio |
CVE-2021-41355 |
.NET Core and Visual Studio Information Disclosure Vulnerability |
Important |
3/5 - If you utilise Visual Studio it would be worthwhile to apply this sooner rather than later, especially for what Visual Studio is used for. |
|
Active Directory Federation Services |
CVE-2021-41361 |
Active Directory Federation Server Spoofing Vulnerability |
Important |
4/5 - This vulnerability requires the attacked to leave an application behind, so would assume they already have access to the targetted system. The update is contained within the normal October Monthly Update. |
|
Console Window Host |
CVE-2021-41346 |
Console Window Host Security Feature Bypass Vulnerability |
Important |
3/5 - This update is contained within the October Monthly Update and can be applied during your normal cycle. |
|
HTTP.sys |
CVE-2021-26442 |
Windows HTTP.sys Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is not exploited nor publically disclosed. However, you should never leave the vulnerability door open for long. This is once again contained within the monthly October patches. |
|
Microsoft DWM Core Library |
CVE-2021-41339 |
Microsoft DWM Core Library Elevation of Privilege Vulnerability |
Important |
4/5 - Interestingly we haven't seen many updates required for Windows 11 pending its launch this month. However this update is contained within the monthly fixes for all supported operating systems, now including Windows 11. |
|
Microsoft Dynamics |
CVE-2021-40457 |
Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Microsoft Dynamics 365 (on-premises) Spoofing Vulnerability Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability |
Important |
4/5 - A user would have to open a maliciously crafted email sent to Dynamics 365 Customer Engagement. This update only applies to Dynamics 365 Customer Engagement. |
|
Microsoft Edge (Chromium-based) |
CVE-2021-37978 |
Chromium: CVE-2021-37978 Heap buffer overflow in Blink Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox Chromium: CVE-2021-37977 Use after free in Garbage Collection Chromium: CVE-2021-37974 Use after free in Safe Browsing Chromium: CVE-2021-37975 Use after free in V8 Chromium: CVE-2021-37976 Information leak in core |
Unknown |
4/5 - This issue resolves an active vulnerability within Edge, however it also has been fixed for Google Chrome too. Edge utilises the Chromium engine and is build similar to Chrome. Like most browser updates, opening the browser and navigating to Help > About will commence an update and display the version number. |
|
Microsoft Exchange Server |
CVE-2021-26427 |
Microsoft Exchange Server Remote Code Execution Vulnerability Microsoft Exchange Server Denial of Service Vulnerability Microsoft Exchange Server Elevation of Privilege Vulnerability Microsoft Exchange Server Spoofing Vulnerability |
Important |
5/5 - We are seeing less and less on-premise Exchange servers, however some hybrid environments still have Exchange 2016 on premise to support Office 365. The attacker is making specific requests over an adjacent network. |
|
Microsoft Graphics Component |
CVE-2021-41340 |
Windows Graphics Component Remote Code Execution Vulnerability |
Important |
3/5 - Exploitation of the vulnerability requires that a user open a specially crafted file. This fix is contained within the normal monthly patching for October. |
|
Microsoft Intune |
CVE-2021-41363 |
Intune Management Extension Security Feature Bypass Vulnerability |
Important |
5/5 - Although classified as important and not critical. Intune is a key component in to the security and protection of your estate. Therefore making note of this one is important. This vulnerability only exists when Intune Management Extension is enabled as managed installer. Enabling IME as managed installer requires local administrator privileges. |
|
Microsoft Office Excel |
CVE-2021-40473 |
Microsoft Excel Remote Code Execution Vulnerability Microsoft Excel Information Disclosure Vulnerability |
Important |
4/5 - It wouldn't be a patch Tuesday without the fixes for various Microsoft Office applications. Updates for this will be contained within the Office update process available within the applications, alternatively can be updated on volume. |
|
Microsoft Office Excel |
CVE-2021-38655 |
Microsoft Excel Remote Code Execution Vulnerability Microsoft Office Graphics Remote Code Execution Vulnerability |
Important |
4/5 - Similar to the above, later updates are available via a click to run, but older versions are update files. |
|
Microsoft Office SharePoint |
CVE-2021-40483 |
Microsoft SharePoint Server Spoofing Vulnerability |
Moderate |
3/5 - If you utilise on premise SharePoint then this update needs to be applied. SharePoint Online (the offering provided by Office 365) is already updated behind the scenes if required. |
|
Microsoft Office SharePoint |
CVE-2021-40487 |
Microsoft SharePoint Server Remote Code Execution Vulnerability Microsoft SharePoint Server Spoofing Vulnerability Microsoft SharePoint Server Information Disclosure Vulnerability Microsoft SharePoint Server Remote Code Execution Vulnerability |
Important |
3/5 - If you utilise on premise SharePoint then this update needs to be applied. SharePoint Online (the offering provided by Office 365) is already updated behind the scenes if required. |
|
Microsoft Office Visio |
CVE-2021-40480 |
Microsoft Office Visio Remote Code Execution Vulnerability |
Important |
3/5 - A user needs to be tricked into downloading and running malicious files. This is included in the Office updates which would be applied to the whole suite if Visio is installed. |
|
Microsoft Office Word |
CVE-2021-40486 |
Microsoft Word Remote Code Execution Vulnerability |
Critical |
5/5 - Unusual for a Word update to be classified as critical, so advisable to tackle this one sooner rather than later. |
|
Microsoft Windows Codecs Library |
CVE-2021-40462 |
Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability Microsoft Windows Media Foundation Remote Code Execution Vulnerability Windows Media Audio Decoder Remote Code Execution Vulnerability |
Important |
3/5 - Included with the normal monthly October patching. |
|
Rich Text Edit Control |
CVE-2021-40454 |
Rich Text Edit Control Information Disclosure Vulnerability |
Important |
3/5 - An attacker that successfully exploited this vulnerability could recover cleartext passwords from memory. The update is located within the typical monthly updates for October 2021. |
|
Role: DNS Server |
CVE-2021-40469 |
Windows DNS Server Remote Code Execution Vulnerability |
Important |
4/5 - Most Windows based domains utilise the DNS feature. this vulnerability is only exploitable if the server is configured to be a DNS server. |
|
Role: Windows Active Directory Server |
CVE-2021-41337 |
Active Directory Security Feature Bypass Vulnerability |
Important |
4/5 - Once again, if you are utilising Active Directory then this is will be a key vulnerability to tackle. This vulnerability could allow an attacker to bypass Active Directory domain permissions for Key Admins groups. |
|
Role: Windows AD FS Server |
CVE-2021-40456 |
Windows AD FS Security Feature Bypass Vulnerability |
Important |
4/5 - This vulnerability could allow an attacker to bypass ADFS BannedIPList entries for WS-Trust workflows. This fix is located within the normal monthly patching for October. |
|
Role: Windows Hyper-V |
CVE-2021-38672 |
Windows Hyper-V Remote Code Execution Vulnerability |
Critical |
5/5 - As Hyper-V is for provisioning Virtual Machines, it's worth paying attention to this vulnerability and getting it applied. For successful exploitation, this vulnerability could allow a malicious guest VM to read kernel memory in the host. To trigger this vulnerability the guest VM requires a memory allocation error to first occur on the guest VM. This bug could be used for a VM escape from guest to host. |
|
System Center |
CVE-2021-41352 |
SCOM Information Disclosure Vulnerability |
Important |
4/5 - Worth being aware that this is for the SCOM Web Console only. Customers whose machines are not SCOM web console server machines do not need to install this update. |
|
Visual Studio |
CVE-2020-1971 |
OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing |
Important |
3/5 - If utilised specific updates exist for Visual Studio that can be obtained from Microsoft. The vulnerability assigned to this CVE is in OpenSSL Software which is consumed by Microsoft Visual Studio |
|
Windows AppContainer |
CVE-2021-41338 |
Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability Windows AppContainer Elevation Of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows AppX Deployment Service |
CVE-2021-41347 |
Windows AppX Deployment Service Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Bind Filter Driver |
CVE-2021-40468 |
Windows Bind Filter Driver Information Disclosure Vulnerability |
Important |
4/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. |
|
Windows Cloud Files Mini Filter Driver |
CVE-2021-40475 |
Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability |
Important |
3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. |
|
Windows Common Log File System Driver |
CVE-2021-40443 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Desktop Bridge |
CVE-2021-41334 |
Windows Desktop Bridge Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows DirectX |
CVE-2021-40470 |
DirectX Graphics Kernel Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Event Tracing |
CVE-2021-40477 |
Windows Event Tracing Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows exFAT File System |
CVE-2021-38663 |
Windows exFAT File System Information Disclosure Vulnerability |
Important |
3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. |
|
Windows Fastfat Driver |
CVE-2021-41343 |
Windows Fast FAT File System Driver Information Disclosure Vulnerability |
Important |
3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. |
|
Windows Installer |
CVE-2021-40455 |
Windows Installer Spoofing Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Kernel |
CVE-2021-41336 |
Windows Kernel Information Disclosure Vulnerability Windows Kernel Elevation of Privilege Vulnerability |
Important |
3/5 - The type of information that could be disclosed if an attacker successfully exploited this vulnerability is the contents of Kernel memory. An attacker could read the contents of Kernel memory from a user mode process. |
|
Windows MSHTML Platform |
CVE-2021-41342 |
Windows MSHTML Platform Remote Code Execution Vulnerability |
Important |
4/5 - The MSHTML platform is used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control. The EdgeHTML platform is used by WebView and some UWP applications. |
|
Windows Nearby Sharing |
CVE-2021-40464 |
Windows Nearby Sharing Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Network Address Translation (NAT) |
CVE-2021-40463 |
Windows NAT Denial of Service Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Print Spooler Components |
CVE-2021-41332 |
Windows Print Spooler Information Disclosure Vulnerability Windows Print Spooler Spoofing Vulnerability |
Important |
4/5 - Since the print spooler vulnerability announcement a few months back, I'd recommend paying closer attention to these vulnerabilities. It would appear they have become more prudent in Microsoft's eyes also. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. |
|
Windows Remote Procedure Call Runtime |
CVE-2021-40460 |
Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability |
Important |
3/5 - This vulnerability could allow an attacker to bypass Extended Protection for Authentication provided by SPN target name validation. |
|
Windows Storage Spaces Controller |
CVE-2021-40489 |
Storage Spaces Controller Elevation of Privilege Vulnerability |
Important |
4/5 - An authorized (medium integrity level) attacker could exploit this Windows Storport driver elevation of privilege vulnerability by locally sending through a user mode application a specially crafted request to the driver specifying an IOCTL parameter, which could lead to an out-of-bounds buffer write. |
|
Windows TCP/IP |
Windows TCP/IP |
Windows TCP/IP Denial of Service Vulnerability |
Important |
|
|
Windows Text Shaping |
CVE-2021-40465 |
Windows Text Shaping Remote Code Execution Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
|
Windows Win32K |
CVE-2021-40449 |
Win32k Elevation of Privilege Vulnerability |
Important |
3/5 - The fixes for this vulnerability are located within the usual monthly patching for October. |
Hope this table with helpful!
About the Author: Lizzie Arcari
Lizzie joined Foundation IT in 2019 after graduating from University. She is excited to develop her career in the IT industry, learning from the best.
