Today is the second Tuesday of October. Time to check out the latest security updates from Microsoft. In this month’s Patch Tuesday, Microsoft fixed a total of 74 vulnerabilities (81, counting Microsoft Edge for Chromium’s updates). The 74 bugs fixed today included four zero-day vulnerabilities, one of which was known to have been exploited in the wild. Three of the vulnerabilities were rated as Critical, one as Low, and the rest as Important.
The number of patches released this Tuesday is a bit higher than on the last Patch Tuesday. But for the eighth time in 2021, the monthly patch batch is well below the 100 mark.
Let’s look at the highlights from this month’s Windows security Patch Tuesday:
The Four Zero-day Bugs
All four zero-day bugs were publicly disclosed, but only one of them was actively exploited in the wild before today’s fixes.
CVE-2021-40449 is an elevation of privilege vulnerability (EPV) that affects the Win32K kernel driver. It stems from a use-after-free error, which occurs when a program frees dynamically allocated memory but fails to clear the pointer to it and later uses that stale pointer. Threat actors can exploit such a flaw to compromise a program, which they did in the case of CVE-2021-40449.
This zero-day was discovered and reported to Microsoft by security researchers working at Kaspersky. The researchers observed that the zero-day exploit involved a malware payload known as MysterySnail, whose variants were found in extensive espionage attacks against multiple IT companies, diplomatic entities, and military and defense contractors. Kaspersky tracked this cluster of activities back to a threat actor known as IronHusky.
CVE-2021-40449 has a 7.8 severity score. And since the vulnerability has already been used to gain high-level Windows privileges, installing this patch should be a priority.
The other three zero-day vulnerabilities fixed in this round of patches were tracked as:
- CVE-2021-41335 (CVSS 7.8): Windows Kernel EPV
- CVE-2021-41338 (CVSS 5.5): A Firewall Security Feature Bypass vulnerability affecting Windows AppContainer
- CVE-2021-40469 (CVSS 7.2): An RCE bug in Windows DNS Server
The Three Critical Updates and Other Notable Fixes
Microsoft classified three vulnerabilities as Critical: CVE-2021-40486, an RCE vulnerability in Microsoft Word, and CVE-2021-40461 and CVE-2021-38672, both RCE bugs in Windows Hyper-V. But despite their high severity scores, all three vulnerabilities were marked “Exploitation Less Likely.”
- CVE-2021-36970—Windows Print Spooler Spoofing bug: This is the fourth Patch Tuesday in a row that Microsoft is fixing a bug in Windows Print Spooler. Zhiniang Peng and XueFeng Li, who also discovered the notorious PrintNightmare just a few months back, brought CVE-2021-36970 to Microsoft’s attention. According to Microsoft’s Exploitability Index, an attack based on this flaw is quite possible.
- CVE-2021-26427—Microsoft Exchange Server RCE flaw: This had the highest CVSSv3 score (9.0) in today’s Microsoft Patch Tuesday list. But despite the high severity rating, Microsoft says that exploiting this flaw is less likely because the attacker would have to use an adjacent network to gain access to a vulnerable system.
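The prioritization reasoning above (an exploited 7.8 outranks an unexploited 9.0), as an added example that is not part of the original article or any Microsoft tooling. The field names and the ordering rule are assumptions; the values come only from this article, with "quite possible" for CVE-2021-36970 encoded as "more" and scores the article does not give left as `None`.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Advisory:
    cve: str
    cvss: Optional[float]              # None where the article gives no score
    exploited: bool = False            # exploited in the wild before the fix
    disclosed: bool = False            # publicly disclosed before the fix
    likelihood: Optional[str] = None   # "more", "less", or None if not stated

# Values as stated in the article; nothing is filled in from other sources.
ADVISORIES = [
    Advisory("CVE-2021-26427", 9.0, likelihood="less"),
    Advisory("CVE-2021-40449", 7.8, exploited=True, disclosed=True),
    Advisory("CVE-2021-41335", 7.8, disclosed=True),
    Advisory("CVE-2021-41338", 5.5, disclosed=True),
    Advisory("CVE-2021-40469", 7.2, disclosed=True),
    Advisory("CVE-2021-40486", None, likelihood="less"),
    Advisory("CVE-2021-40461", None, likelihood="less"),
    Advisory("CVE-2021-38672", None, likelihood="less"),
    Advisory("CVE-2021-36970", None, likelihood="more"),
]

# Assumed ordering: an unstated likelihood ranks between "more" and "less".
_LIKELIHOOD_RANK = {"more": 2, None: 1, "less": 0}

def _score(a):
    """Missing scores sort last instead of raising on a None comparison."""
    return a.cvss if a.cvss is not None else -1.0

def by_cvss(advisories):
    """Naive ordering: highest CVSS first."""
    return sorted(advisories, key=_score, reverse=True)

def by_risk(advisories):
    """Exploited first, then publicly disclosed, then likelihood, then CVSS."""
    def key(a):
        return (a.exploited, a.disclosed, _LIKELIHOOD_RANK[a.likelihood], _score(a))
    return sorted(advisories, key=key, reverse=True)

def unscored(advisories):
    """CVEs whose score must be looked up before the ranking is trusted."""
    return [a.cve for a in advisories if a.cvss is None]

if __name__ == "__main__":
    print("CVSS only :", [a.cve for a in by_cvss(ADVISORIES)][:3])
    print("Risk-aware:", [a.cve for a in by_risk(ADVISORIES)][:3])
    print("Need score:", unscored(ADVISORIES))
```
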
In addition to Microsoft security updates, this Patch Tuesday also brought Windows 11 and Windows 10 cumulative updates. These include security and feature updates for Windows 10 and Windows Server builds 1903 and later. So, if you’re running any of these Windows versions, be sure you update them as you install the new patches.
That concludes our review of October’s Microsoft Windows Patch Tuesday. But we obviously haven’t covered all the 74 vulnerabilities fixed today. Read Microsoft’s Patch Tuesday release notes to get the full list of today’s patches and even more information about the new updates.
Stay tuned for more Microsoft Patch Tuesday news. And note, the Action1 patch management tool is here to help you tackle any Microsoft Update or Patch Tuesday issues by automating patch deployment across remote endpoints. Feel free to try it out if you are looking for a solution to resolve any Microsoft Patch Tuesday problems, whether it’s finding and installing the right patches or automating the Windows patching and updating processes for multiple endpoints.