On October 12th, this month’s Patch Tuesday (the name coined by Microsoft and others for the day each month on which they issue their security patches), Microsoft released updates to fix more than 70 security holes in the Windows operating systems and other software. This was Microsoft’s first Patch Tuesday for Windows 11.
The October 2021 patch day also brought updates for other Microsoft products such as Active Directory Federation Services, .NET Core, Visual Studio, and Microsoft Office.
Have you deployed your patches this month?
Of the 74 vulnerabilities, three were rated critical in severity, and four were previously reported as zero-days. The critical rating on those three means that malware or cybercriminals could exploit them to gain complete remote control over the vulnerable systems.
- CVE-2021-40461, CVE-2021-38672 – Windows Hyper-V Remote Code Execution Vulnerabilities
These two vulnerabilities are down to flaws in the Network Virtualisation Service Provider, which could allow an attacker to execute code remotely on the target machine. CVE-2021-38672 affects Windows 11 and Windows Server 2022, and CVE-2021-40461 impacts both Windows 11 and Windows 10 systems and the Server versions. These CVEs were assigned a base score of 8.0 by the vendor (10 is the most dangerous).
- CVE-2021-40486 – Microsoft Word Remote Code Execution Vulnerability
The vulnerability was due to improper input validation in Microsoft Word. Cybercriminals could exploit this by tricking target users into opening a specially crafted file, which then results in arbitrary code execution. Microsoft assigned a CVSSv3 base score of 7.8 to this vulnerability.
- CVE-2021-26427: Microsoft Exchange Server Remote Code Execution Vulnerability
Microsoft assigned this vulnerability a score of 9.0. It targets Microsoft Exchange Servers, and an attacker can only exploit it if they already have access to your network.
Kevin Breen of Immersive Labs explained:
“Email servers will always be prime targets, simply due to the amount of data contained in emails and the range of possible ways attackers could use them for malicious purposes. While it is not right at the top of my list of priorities to patch, it’s certainly one to be wary of.”
The 4 Zero-Day Vulnerabilities
- CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability
This is one of the four zero-days addressed by Microsoft. It affects the Win32k kernel driver, and IronHusky and Chinese APT groups were exploiting it. The vulnerability was assigned a base score of 7.8 and has been prioritised for patching by Microsoft.
The other three zero-day vulnerabilities were:
- CVE-2021-41338: Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
- CVE-2021-40469: Windows DNS Server Remote Code Execution Vulnerability
- CVE-2021-41335: Windows Kernel Elevation of Privilege Vulnerability
It is important to back up your systems and files before you apply any updates.
If you do experience any issues or problems when deploying these patches, please get in touch with SCS Technology Solutions, and we will be more than happy to assist.