Patch Tuesday September 2021
Today is Microsoft’s September 2021 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 60 flaws.
Microsoft has fixed 60 vulnerabilities (86 including Microsoft Edge) with today’s update, with three classified as Critical, one as Moderate, and 56 as Important.
Of the total 86 vulnerabilities (including Microsoft Edge):
- 27 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 16 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 1 Denial of Service Vulnerabilities
- 8 Spoofing Vulnerabilities
Last week, Microsoft said a remote code execution flaw in MSHTML had been identified and was being used in a limited number of attacks against Windows systems. The zero-day vulnerability, tracked as CVE-2021-40444, has been resolved in this patch round and the firm is urging users to accept the security fix immediately.
Microsoft warned of “Azurescape,” last week a vulnerability mitigated by the Redmond giant that impacts Azure Container Instances (ACI).
Some other notable vulnerabilities resolved in this update are:
- CVE-2021-38647: With a CVSS score of 9.8, this is the most critical bug on September’s list. This vulnerability impacts the Open Management Infrastructure (OMI) program and allows attackers to perform RCE attacks without authentication by sending malicious messages via HTTPS to port 5986.
- CVE-2021-36968: A publicly disclosed Windows DNS privilege escalation zero-day vulnerability, issued a CVSS score of 7.8. Microsoft has not found any evidence, as of yet, of exploitation in the wild.
- CVE-2021-26435: A critical flaw (CVSS 8.1) in the Microsoft Windows scripting engine. However, this memory corruption flaw requires user interaction to trigger.
- CVE-2021-36967: A vulnerability, deemed critical and issued a CVSS score of 8.0, in the Windows WLAN AutoConfig service which can be used for elevation of privileges