This week Microsoft released its security updates for September 2021, which has fixes for 60 (86 including Microsoft Edge) vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Elliott McKenna has provided our FIT score and tips.
Out of the 60 patches; 3 are classed as critical, 56 as important and 1 as moderate. There were also 32 Zero-Day vulnerabilities publicly disclosed.
Zero-day vulnerabilities discovered this month:
The publicly disclosed, but not exploited:-
- CVE-2021-36968 - Windows DNS Elevation of Privilege Vulnerability.
The one actively exploited vulnerability is the Windows MSHTML remote code execution vulnerability:-
Other companies who have released security updates this week:
- Adobe released security updates for two products.
- Android's September security updates were released last week.
- Apple released security updates for iOS and macOS yesterday that fix two zero-day vulnerabilities exploited in the wild. One of the vulnerabilities was used to install the NSO Pegasus spyware on activists' devices.
- Cisco released security updates for numerous products this month.
- SAP released its September 2021 security updates.
All the patches can be found in the table below or alternatively downloaded here.
We have also curated a downloadable Patching Best Practice Guide.
Category |
CVE IDs |
CVE Title |
Severity |
FIT Score & Tip |
Azure Open Management Infrastructure |
CVE-2021-38647 |
Open Management Infrastructure Remote Code Execution Vulnerability |
Critical |
4/5 - Flagged as critical, most of the Azure stack is automatically updated without intervention, but worth reviewing to ensure if you utilise the Management Infrastructure that you don't miss an important update. |
Azure Open Management Infrastructure |
CVE-2021-38648 |
Open Management Infrastructure Elevation of Privilege Vulnerability |
Important |
3/5 - Much like the above, typically automatically updated but worth paying attention to the CVE in case it changes or manual intervention is required. |
Azure Sphere |
CVE-2021-36956 |
Azure Sphere Information Disclosure Vulnerability |
Important |
3/5 - An active internet connection for the Azure Sphere will obtain the update automatically. If not the CVE has the steps within to verify. |
Dynamics Business Central Control |
CVE-2021-40440 |
Microsoft Dynamics Business Central Cross-site Scripting Vulnerability |
Important |
3/5 - If utilised, then it's worth obtaining this update which is a download from Microsoft. |
Microsoft Accessibility Insights for Android |
CVE-2021-40448 |
Microsoft Accessibility Insights for Android Information Disclosure Vulnerability |
Important |
2/5 - This is more of a placeholder, there doesn't seem to be a specific update available at the moment, but as ever keeping everything up to date will aid this. |
Microsoft Edge (Chromium-based) |
CVE-2021-38641 |
Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Microsoft Edge for Android Spoofing Vulnerability Microsoft Edge for iOS Spoofing Vulnerability Microsoft Edge (Chromium-based) Tampering Vulnerability |
Important |
4/5 - Microsoft Edge will automatically update, much like other browsers, when it has an active Internet connection. However, that being said, it's worth checking versions numbers and forcing an update if required. Triggered via Help > About |
Microsoft Edge (Chromium-based) |
CVE-2021-30606 |
A breakdown of the vulnerabilities can be found in the downloaded table. |
Unknown |
4/5 - Microsoft Edge will automatically update, much like other browsers, when it has an active Internet connection. However, that being said, it's worth checking versions numbers and forcing an update if required. Triggered via Help > About |
Microsoft Edge for Android |
CVE-2021-26439 |
Microsoft Edge for Android Information Disclosure Vulnerability |
Moderate |
3/5 - The Play Store will offer an update to Edge for Android which should be applied when available. |
Microsoft MPEG-2 Video Extension |
CVE-2021-38644 |
Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability |
Important |
3/5 - This vulnerability only affects the Microsoft Store offering, and the store will hold an update for this vulnerability. |
Microsoft Office |
CVE-2021-38657 |
Microsoft Office Graphics Component Information Disclosure Vulnerability Microsoft Office Graphics Remote Code Execution Vulnerability Microsoft Office Spoofing Vulnerability Microsoft Office Remote Code Execution Vulnerability |
Important |
4/5 - A click to run has been released for this update, which is attached to the CVE. However, checking for updates within your Office apps will trigger the update to take place. |
Microsoft Office Access |
CVE-2021-38646 |
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability |
Important |
4/5 - Later versions of Office have a click to run available however earlier versions will require the download and installation of updates associated with this CVE. |
Microsoft Office Excel |
CVE-2021-38655 |
Microsoft Excel Remote Code Execution Vulnerability Microsoft Office Graphics Remote Code Execution Vulnerability |
Important |
4/5 - Similar to the above, later updates are available via a click to run, but older versions are update files. |
Microsoft Office SharePoint |
CVE-2021-38651 |
Microsoft SharePoint Server Spoofing Vulnerability |
Important |
3/5 - If you utilise on-premise SharePoint server then this update should be prioritised. If you use SharePoint Online, the platform is automatically updated in the background. |
Microsoft Office Visio |
CVE-2021-38654 |
Microsoft Office Visio Remote Code Execution Vulnerability |
Important |
4/5 - A click to run has been released for this update, which is attached to the CVE. However, checking for updates within your Office apps will trigger the update to take place. |
Microsoft Office Word |
CVE-2021-38656 |
Microsoft Word Remote Code Execution Vulnerability |
Important |
4/5 - A click to run has been released for this update, which is attached to the CVE. However, checking for updates within your Office apps will trigger the update to take place. |
Microsoft Windows Codecs Library |
CVE-2021-38661 |
HEVC Video Extensions Remote Code Execution Vulnerability |
Important |
3/5 - The Microsoft Store will automatically update the affected app, however you can version check manually using the CVE article. |
Microsoft Windows DNS |
CVE-2021-36968 |
Windows DNS Elevation of Privilege Vulnerability |
Important |
4/5 - This is for older operating systems, Server 2008 and Windows 7. You may find you need extended support with these to obtain these updates. |
Visual Studio |
CVE-2021-36952 |
Visual Studio Remote Code Execution Vulnerability Visual Studio Elevation of Privilege Vulnerability Visual Studio Code Spoofing Vulnerability |
Important |
3/5 - If you use Visual Studio, there is an update available for most of the recent versions which can be obtained from Microsoft and applied. |
Windows Ancillary Function Driver for WinSock |
CVE-2021-38628 |
Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Authenticode |
CVE-2021-36959 |
Windows Authenticode Spoofing Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Bind Filter Driver |
CVE-2021-36954 |
Windows Bind Filter Driver Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows BitLocker |
CVE-2021-38632 |
BitLocker Security Feature Bypass Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Common Log File System Driver |
CVE-2021-38633 |
Windows Common Log File System Driver Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Event Tracing |
CVE-2021-36964 |
Windows Event Tracing Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Installer |
CVE-2021-36962 |
Windows Installer Information Disclosure Vulnerability Windows Installer Denial of Service Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Kernel |
CVE-2021-38626 |
Windows Kernel Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability is specifically related to Windows Server 2008. Support for this may be required to apply the update, as Server 2008 is EOL. |
Windows Key Storage Provider |
CVE-2021-38624 |
Windows Key Storage Provider Security Feature Bypass Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows MSHTML Platform |
CVE-2021-40444 |
Microsoft MSHTML Remote Code Execution Vulnerability |
Important |
4/5 - Updates are available for Internet Explorer and there is also a workaround present on the CVE itself to mitigate this Active X based vulnerability. |
Windows Print Spooler Components |
CVE-2021-38667 |
Windows Print Spooler Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Redirected Drive Buffering |
CVE-2021-36969 |
Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Scripting |
CVE-2021-26435 |
Windows Scripting Engine Memory Corruption Vulnerability |
Critical |
5/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows SMB |
CVE-2021-36960 |
Windows SMB Information Disclosure Vulnerability Windows SMB Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Storage |
CVE-2021-38637 |
Windows Storage Information Disclosure Vulnerability |
Important |
3/5 - Effecting later Operating Systems, this also forms part of your typical monthly patching cycle. |
Windows Subsystem for Linux |
CVE-2021-36966 |
Windows Subsystem for Linux Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows TDX.sys |
CVE-2021-38629 |
Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Update |
CVE-2021-38634 |
Microsoft Windows Update Client Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows Win32K |
CVE-2021-38639 |
Win32k Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows WLAN Auto Config Service |
CVE-2021-36965 |
Windows WLAN AutoConfig Service Remote Code Execution Vulnerability |
Critical |
5/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Windows WLAN Service |
CVE-2021-36967 |
Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability |
Important |
4/5 - This forms part of the monthly update cycle which is available for all Microsoft Operating System, currently within support. |
Hope this table with helpful!
About the Author: Lizzie Arcari
Lizzie joined Foundation IT in 2019 after graduating from University. She is excited to develop her career in the IT industry, learning from the best.