Microsoft has released patches for over 55 security vulnerabilities in its latest November 2021 Patch Tuesday update. Six of these vulnerabilities are rated as critical and 49 as important in terms of severity. The update has addressed security flaws in Microsoft Windows and Windows Components, 3D Viewer, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.
Six Critical Bugs Fixed
The tech giant also released patches for two critical vulnerabilities – CVE-2021-42321 and CVE-2021-42292 – in Microsoft Exchange Server and Microsoft Excel that are actively exploited in the wild.
CVE-2021-42321 is a Microsoft Exchange Server Remote Code Execution flaw due to improper validation of cmdlet arguments, which can be exploited only by an authenticated hacker. Whereas CVE-2021-42292 is a Microsoft Excel Security Feature Bypass bug that allows an attacker to trick users into opening a specially crafted file with an infected version of Excel.
“We are aware of limited targeted attacks in the wild using one of the vulnerabilities (CVE-2021-42321), which is a post-authentication vulnerability in Exchange 2016 and 2019. Our recommendation is to install these updates immediately to protect your environment. These vulnerabilities affect on-premises Microsoft Exchange Server, including servers used by customers in Exchange Hybrid mode. Exchange Online customers are already protected and do not need to take any action,” Microsoft said in a statement.
Other critical vulnerabilities addressed in the update include:
- CVE-2021-38631– Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
- CVE-2021-41371– Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
- CVE-2021-43208– 3D Viewer Remote Code Execution Vulnerability
- CVE-2021-43209– 3D Viewer Remote Code Execution Vulnerability
Microsoft urged organizations and users to apply the patches to prevent potential exploits. “The monthly security release includes all security fixes for vulnerabilities that affect Windows 10, in addition to non-security updates. In addition to security changes for the vulnerabilities, updates include defense-in-depth updates to help improve security-related features,” Microsoft added.
CISA Recommends
The Cybersecurity and Infrastructure Security Agency (CISA) asked users and administrators to apply Microsoft’s November 2021 patches for better protection against rising cyberthreats. The agency recently issued a Binding Operational Directive (BOD) to reduce the risk of actively exploited vulnerabilities. The new Directive, which applies to all software and hardware found on federal information systems, requires federal civilian agencies to remediate such vulnerabilities within specific timeframes.