On 14 September 2021, Microsoft released the latest security updates fixing 86 vulnerabilities, including one that is publicly disclosed and one used in current campaigns.
- September 2021 updates from Microsoft include fixes for three Critical vulnerabilities, one Moderate, and 56 Important ones. Microsoft Edge received 26 patches.
- The updates address a currently exploited Windows MSHTML remote code execution vulnerability tracked as CVE-2021-40444. When a user opens a specially crafted document on an affected system, a threat actor is able to execute code at the level of the logged-on user. Previously, Microsoft suggested temporary mitigations but security researchers claim they do not fully protect from exploitation. Vulnerable systems require this update in order to reduce the risk.
- Microsoft stated that the details for CVE-2021-36968, a Windows DNS Elevation of Privilege vulnerability, were made public. CVSS:3.0 Base Score: 7.8. No exploitation was noted at this time for this flaw.
- The three vulnerabilities rated as Critical include:
- CVE-2021-38647, a remote code execution vulnerability in Azure Open Management Infrastructure. CVSS:3.0 Base Score: 9.8.
- CVE-2021-36965, a remote code execution vulnerability in Windows WLAN AutoConfig Service. CVSS:3.0 Base Score: 8.8.
- CVE-2021-26435, a memory corruption vulnerability in Windows Scripting Engine. CVSS:3.0 Base Score: 8.1.
- Microsoft Edge, because it is based on Chromium, was affected by a critical vulnerability in V8. It is tracked as CVE-2021-30632, and was also fixed in Chrome.
- Field Effect security research team discovered five vulnerabilities in Windows Ancillary Function Driver for WinSock included in the September update. These vulnerabilities could be exploited to gain kernel-level privilege — giving threat actors the ability to move deeply into operating systems, applications, and more — bypassing traditional controls.
- One of the flaws is an Information Disclosure issue tracked as CVE-2021-38629. The remaining are Elevation of Privilege flaws, with the first tracked as CVE-2021-38628 and three others bundled as CVE-2021-38638. The details for these vulnerabilities will be public on 14 October 2021.
- We recommend applying the latest Microsoft updates as soon as possible. Publicly disclosed and exploited flaws make it more likely for unpatched systems to become targets of exploitation.
- In order to expedite the updates, users should go to Settings > Windows Update > Check for Updates.