Microsoft September 2021 Patch Tuesday Fixes 2 zero-days, 60 Flaws
Today is Microsoft’s September 2021 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 60 flaws.
Microsoft has fixed 60 vulnerabilities (86 including Microsoft Edge) with today’s update, with three classified as Critical, one as Moderate, and 56 as Important.
Of the total 86 vulnerabilities (including Microsoft Edge):
- 27 Elevation of Privilege Vulnerabilities
- 2 Security Feature Bypass Vulnerabilities
- 16 Remote Code Execution Vulnerabilities
- 11 Information Disclosure Vulnerabilities
- 1 Denial of Service Vulnerability
- 8 Spoofing Vulnerabilities
For information about the non-security Windows updates, you can read about today’s Windows 10 KB5005565 & KB5005566 cumulative updates.
Microsoft fixes Windows MSHTML zero-day
Microsoft has released a security update for the Windows MSHTML remote code execution vulnerability tracked as CVE-2021-40444.
Last Tuesday, Microsoft disclosed a new zero-day Windows MSHTML remote code execution vulnerability that threat actors actively used in phishing attacks.
These attacks distributed malicious Word documents that exploited the CVE-2021-40444 to download and execute a malicious DLL file that installed a Cobalt Strike beacon on the victim’s computer.
This beacon allows a threat actor to gain remote access to the device to steal files and spread laterally throughout the network.
Soon after Microsoft disclosed the vulnerability, threat actors and security researchers began sharing guides on exploiting the vulnerability, which allowed anyone to start using it in attacks, as demonstrated below.
With the September 2021 Patch Tuesday updates, Microsoft has released a security update for this vulnerability.
As researchers discovered numerous ways to exploit the bug, including a bypass of Microsoft's published mitigations, it is not clear whether the security update addresses all of these techniques.
Two zero-days fixed, with one actively exploited
September’s Patch Tuesday includes fixes for two zero-day vulnerabilities, with the MSHTML bug actively exploited in the wild.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited before an official security update has been released.
The publicly disclosed, but not actively exploited, zero-day vulnerability is:
- CVE-2021-36968 – Windows DNS Elevation of Privilege Vulnerability
The only actively exploited vulnerability is the Windows MSHTML remote code execution vulnerability, as previously discussed:
- CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability