
September 14, 2021 |

Microsoft's September 2021 Patch Tuesday fixes 86 flaws


On 14 September 2021, Microsoft released its monthly security updates, fixing 86 vulnerabilities. One of them was publicly disclosed before the release and one is being exploited in ongoing campaigns.

Details

  • The September 2021 updates include fixes for three Critical vulnerabilities, one Moderate, and 56 Important ones. The remaining 26 patches went to Microsoft Edge (Chromium-based).
  • The updates address an actively exploited remote code execution vulnerability in Windows MSHTML, tracked as CVE-2021-40444. When a user opens a specially crafted document on an affected system, a threat actor can execute code with the privileges of the logged-on user. Microsoft had previously published temporary mitigations, but security researchers reported that they do not fully prevent exploitation. Installing this update is required to close the vulnerability; the mitigations alone are not sufficient.
  • Microsoft stated that details of CVE-2021-36968, a Windows DNS Elevation of Privilege vulnerability, were publicly disclosed before the update was released. CVSS:3.0 Base Score: 7.8. Microsoft has not reported exploitation of this flaw at this time.
  • The three vulnerabilities rated as Critical include:
    • CVE-2021-38647, a remote code execution vulnerability in Azure Open Management Infrastructure. CVSS:3.0 Base Score: 9.8.
    • CVE-2021-36965, a remote code execution vulnerability in Windows WLAN AutoConfig Service. CVSS:3.0 Base Score: 8.8.
    • CVE-2021-26435, a memory corruption vulnerability in Windows Scripting Engine. CVSS:3.0 Base Score: 8.1.
  • Microsoft Edge, because it is based on Chromium, was affected by a critical vulnerability in V8. It is tracked as CVE-2021-30632, and was also fixed in Chrome.
  • The Field Effect security research team discovered five vulnerabilities in the Windows Ancillary Function Driver for WinSock (afd.sys) that are fixed in the September update. These vulnerabilities could be exploited to gain kernel-level privileges, which would let a threat actor tamper with the operating system and any application running on it and bypass controls that operate at user level.
    • One of the flaws is an Information Disclosure issue tracked as CVE-2021-38629. The remaining four are Elevation of Privilege flaws: one is tracked as CVE-2021-38628 and the other three are bundled under CVE-2021-38638. Details of these vulnerabilities will be made public on 14 October 2021.

Recommendations

  • We recommend applying the latest Microsoft updates as soon as possible. Publicly disclosed and actively exploited flaws make it considerably more likely that unpatched systems will be targeted.
  • To install the updates without waiting for the normal schedule, Windows 10 users can go to Settings > Update & Security > Windows Update > Check for updates.
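For administrators who need to confirm the state of more than one machine, the following PowerShell script is an added example written for this post; it is not code from the original article or from Field Effect. It reports whether the September 2021 cumulative update is installed, whether Microsoft Edge is at or above a patched version, and whether the interim registry mitigation Microsoft published for CVE-2021-40444 (ActiveX disabled in all Internet Explorer zones via policy values 1001 and 1004 set to 3) is in place. The KB number for your OS build and the minimum Edge version are assumed inputs that the page does not state; look them up in the Microsoft Update Catalog and the Edge release notes before relying on the result, and the values shown in the usage line are hypothetical examples only.

```powershell
<#
Added example, not code from the original post or from Field Effect: audit a
single Windows host for the September 2021 updates described above and for the
interim CVE-2021-40444 mitigation. Assumed inputs not stated on the page: the KB
number of the September 2021 cumulative update for your OS build and the
minimum Microsoft Edge version that carries the V8 fix (CVE-2021-30632).
Look both up before running.
Usage (hypothetical values, verify them):
  .\Audit-Sept2021.ps1 -KB KB5005565 -MinEdgeVersion 93.0.961.47
#>
param(
    [Parameter(Mandatory = $true)][string]  $KB,
    [Parameter(Mandatory = $true)][version] $MinEdgeVersion
)

# 1. Cumulative update: Get-HotFix reads the same data as "View update history".
$cu = Get-HotFix -Id $KB -ErrorAction SilentlyContinue
$cuInstalled = [bool]$cu

# 2. Edge: read the product version from the installed binary (default install path).
$edgeExe = Join-Path ${env:ProgramFiles(x86)} 'Microsoft\Edge\Application\msedge.exe'
$edgeVersion = $null
if (Test-Path $edgeExe) {
    $edgeVersion = [version](Get-Item $edgeExe).VersionInfo.ProductVersion
}
$edgePatched = ($null -ne $edgeVersion) -and ($edgeVersion -ge $MinEdgeVersion)

# 3. Interim CVE-2021-40444 mitigation from Microsoft's advisory: ActiveX
#    controls disabled in Internet Explorer zones 0-3 by setting policy values
#    1001 and 1004 to 3. Reported for completeness only; the post above notes
#    that researchers found the mitigation incomplete, so it never substitutes
#    for the update.
$zonesRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$mitigationApplied = $true
foreach ($zone in 0..3) {
    $p = Get-ItemProperty -Path (Join-Path $zonesRoot "$zone") -ErrorAction SilentlyContinue
    if (-not $p -or $p.'1001' -ne 3 -or $p.'1004' -ne 3) {
        $mitigationApplied = $false
        break
    }
}

$report = [pscustomobject]@{
    ComputerName              = $env:COMPUTERNAME
    CumulativeUpdate          = $KB
    CumulativeUpdateInstalled = $cuInstalled
    EdgeVersion               = $edgeVersion
    EdgePatched               = $edgePatched
    ActiveXMitigationApplied  = $mitigationApplied
}
$report | Format-List

# Non-zero exit so a fleet-wide run (for example via Invoke-Command) can flag
# hosts that still need the update; the mitigation alone does not clear a host.
if (-not ($cuInstalled -and $edgePatched)) { exit 1 }
exit 0
```

Run it under an account that can read HKLM and the Edge install directory; on hosts where Edge is installed somewhere other than the default path, adjust the path before trusting the EdgePatched field.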
