On 12 October 2021, Microsoft released updates to address 81 vulnerabilities; these included the last of a set of seven vulnerabilities discovered by Field Effect. We recommend timely updates.
- Microsoft’s October 2021 Patch Tuesday updates include three vulnerabilities classified as Critical, three that were publicly disclosed, and one actively abused flaw.
- The actively abused flaw, tracked as CVE-2021-40449, is a use-after-free elevation-of-privilege vulnerability in the Win32k kernel driver. Researchers report that it is being used in espionage activity.
- After gaining initial access to a host, the actors are reported to have used this flaw to gain administrator rights and to read and write kernel memory. The vulnerability was assigned a CVSS Base Score of 7.8.
- The latest updates also include fixes for three vulnerabilities that were publicly disclosed:
- CVE-2021-40469 affects domain controllers running as Windows Domain Name System (DNS) servers. A threat actor who has authenticated with high privileges could use it to run arbitrary code on the server. CVSS Base Score: 7.2.
- CVE-2021-41335 is an Elevation of Privilege vulnerability in Windows kernel. Successful exploitation requires prior authentication; a threat actor would also need to run a specially crafted application in order to execute arbitrary code in kernel mode. CVSS Base Score: 7.8.
- CVE-2021-41338 is a Security Feature Bypass vulnerability affecting the Windows AppContainer Firewall. A threat actor who has authenticated with administrative privileges could use it to run arbitrary code on the affected endpoint. CVSS Base Score: 5.5.
- The three critical fixes in this update include:
- CVE-2021-40486 could allow arbitrary code execution if a target views a malicious Word document in the Preview Pane; no clicking or opening of the document is required, which makes it a more effective vector. CVSS Base Score: 7.8.
- CVE-2021-38672 and CVE-2021-40461 affect Hyper-V, Microsoft’s native hypervisor for creating Virtual Machines (VMs). They could allow malicious code in a guest VM to read kernel memory, although a memory allocation error must first occur on the guest VM. The flaws could also be used for a VM escape from guest to host. Both were assigned a CVSS Base Score of 8.0.
- Other updates worth noting:
- CVE-2021-26442 – a Windows HTTP.sys Elevation of Privilege vulnerability discovered by Field Effect. This update is part of our coordinated disclosure of seven vulnerabilities dubbed Blackswan.
- Microsoft Exchange Server received four security fixes; one of them, CVE-2021-26427, was assigned a CVSS Base Score of 9.0. Exploitation does not require user interaction, but a threat actor would need to make specific requests from an adjacent network in order to execute malicious code. The other three vulnerabilities were assigned Medium severity and are tracked as CVE-2021-34453, CVE-2021-41348, and CVE-2021-41350.
- An update related to a spoofing vulnerability in Windows Print Spooler appears to address operational impact from previous fixes implemented by Microsoft to address vulnerabilities collectively known as PrintNightmare. It is tracked as CVE-2021-36970, and was assigned a CVSS Base Score of 8.8.
- Microsoft also released the latest Microsoft Edge Stable Channel (Version 94.0.992.47), which incorporates the latest security updates of the Chromium project.
- We recommend timely updates for the noted Microsoft flaws: publicly disclosed and actively exploited vulnerabilities make it more likely that unpatched systems will be targeted.
- In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.
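For administrators who need to confirm the state of many hosts rather than open Settings on each one, the following PowerShell script is an added example (it is not part of the original Field Effect advisory) that checks whether any updates have been installed since the 12 October 2021 release date and asks the Windows Update Agent which security updates are still pending. It assumes an elevated PowerShell session on the host being checked and that the host can reach its configured update source (Microsoft Update or WSUS); the cut-off date is the release date stated above, and no specific KB numbers are assumed.

```powershell
# Added example, not from the original advisory: report updates installed
# since the October 2021 Patch Tuesday release and any security updates
# the Windows Update Agent still considers outstanding.
# Assumptions: elevated session; the host can reach Microsoft Update or its
# WSUS server; the cut-off is the advisory's stated release date.

$patchTuesday = Get-Date -Date '2021-10-12'

# 1. What has been installed since the release date? Get-HotFix reads the
#    installed Quick Fix Engineering (QFE) list; InstalledOn can be empty
#    for some entries, so filter those out before comparing dates.
$installedSince = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $patchTuesday } |
    Sort-Object InstalledOn -Descending |
    Select-Object HotFixID, Description, InstalledOn

if ($installedSince) {
    Write-Host "Updates installed since $($patchTuesday.ToShortDateString()):"
    $installedSince | Format-Table -AutoSize
} else {
    Write-Warning "No updates recorded since $($patchTuesday.ToShortDateString()); the October 2021 fixes are likely missing."
}

# 2. What is still pending? Searching the Windows Update Agent for updates
#    that are neither installed nor hidden returns the same set that
#    Settings > Windows Update > Check for Updates would offer.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$result   = $searcher.Search('IsInstalled=0 and IsHidden=0')

$pendingSecurity = @()
foreach ($update in $result.Updates) {
    # Each update carries one or more categories; flag the security ones.
    $categories = @($update.Categories | ForEach-Object { $_.Name })
    if ($categories -contains 'Security Updates') {
        $pendingSecurity += [pscustomobject]@{
            Title    = $update.Title
            KBs      = (@($update.KBArticleIDs | ForEach-Object { "KB$_" })) -join ','
            Severity = $update.MsrcSeverity
        }
    }
}

if ($pendingSecurity.Count -gt 0) {
    Write-Warning "$($pendingSecurity.Count) security update(s) pending on $env:COMPUTERNAME:"
    $pendingSecurity | Format-Table -AutoSize
} else {
    Write-Host "No pending security updates reported by the Windows Update Agent on $env:COMPUTERNAME."
}
```

The first check is cheap and works offline, but Get-HotFix only shows that something was installed after the release date, not that it was the October cumulative update; the second check is the authoritative one because it asks the same agent that Settings uses. Run the script through your normal remote-execution tooling (for example Invoke-Command against a list of hosts) to get a fleet-wide view of which endpoints still need the October 2021 fixes.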