Microsoft released fixes for 60 security vulnerabilities in its latest September 2021 Patch Tuesday update. Out of 60 vulnerabilities, 56 were determined as important, and four as critical bugs existing in Microsoft Windows, SharePoint Server, Edge browser, Azure Sphere, Microsoft Edge for Android, Microsoft Visio, Visual Studio, Windows BitLocker, Microsoft Windows DNS, and the Windows Subsystem for Linux. The security update also patched a critical zero-day vulnerability CVE-2021-40444 in Windows MSHTML (Trident) engine that was exploited in the wild lately, along with three elevations of privilege vulnerabilities CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447 in Windows Print Spooler.
Other critical flaws resolved in the update
- CVE-2021-38647 – This remote code execution (RCE) vulnerability affects the Open Management Infrastructure (OMI) program. If exploited, the vulnerability could allow an attacker to execute RCE attacks by sending malicious messages via HTTPS to port 5986.
- CVE-2021-36968 – Microsoft stated there is no sign of exploiting this Windows DNS privilege escalation zero-day vulnerability.
- CVE-2021-26435: Attackers could exploit this Windows Scripting Engine Memory Corruption vulnerability by sending a specially crafted file to the user and convince the user to open the file. An attacker could host a website containing a specially crafted file designed to exploit the vulnerability in a web-based attack scenario.
- CVE-2021-36967: Attackers could exploit this critical Windows WLAN AutoConfig Service Elevation of Privilege vulnerability to obtain the elevation of privileges on the targeted devices.
Diversity of Vulnerabilities
Microsoft stated that Elevation of Privilege (EoP) vulnerabilities accounted for 41.7%, followed by remote code execution (RCE) vulnerabilities (26.7%), information disclosure (16.7%), Spoofing (10%), Security feature bypass (3.3%), and Denial of service (1.7%).
Microsoft strongly recommended users and organizations apply the patches to fix the flaws and prevent potential hacker intrusions.
What Experts Say
Satnam Narang, Staff Research Engineer at Tenable, said, “This month’s Patch Tuesday release includes fixes for 60 CVEs, four of which are rated critical. So far in 2021, Microsoft patched less than 100 CVEs seven out of the last nine months, which is in stark contrast to 2020, which featured eight months of over 100 CVEs patched. This month’s release includes a fix for CVE-2021-40444, a critical vulnerability in Microsoft’s MSHTML (Trident) engine. This vulnerability was disclosed on September 7, and researchers developed several proof-of-concept exploits showing the ease and reliability of exploitation. An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code. There have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware. There are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible.”
