Microsoft September Security Patches Address 66 Vulnerabilities

Microsoft on Tuesday released September security patches, addressing an estimated 66 common vulnerabilities and exposures (CVEs).

The 66 CVE tally comes from Trend Micro's Zero Day Initiative review by Dustin Childs. Tallies by other security researchers varied, with Automox listing 86 vulnerabilities, Cisco Talos estimating 85 vulnerabilities, Ivanti saying 64 vulnerabilities and Tenable describing 60 CVEs.

The count differences are possibly explained by 20 CVEs in the Chromium-based Edge browser that were patched earlier this month, according to Childs.

Microsoft, for its part, doesn't publicize its total patch counts each month. Its voluminous "Security Update Guide" for September, with boilerplate descriptions, can be found here.

Affected Microsoft software includes the Azure Open Management Infrastructure, Edge browsers, Microsoft Office applications, Windows DNS, Windows BitLocker, Windows MSHTML, Windows Print Spooler components, the Windows Wireless Local Area Network (WLAN) service, and Visual Studio, among others. Microsoft's September "Release Notes" document offers a list.

Three Critical Vulnerabilities
Of the 66 CVEs, three are rated "Critical" by security researchers. They include:

  • CVE-2021-38647, a remote code execution vulnerability in the Open Management Infrastructure, rated 9.8 on the Common Vulnerability Scoring System (CVSS).
  • CVE-2021-36965, a remote code execution vulnerability in the Windows WLAN AutoConfig service, with a CVSS rating of 8.8.
  • CVE-2021-26435, a memory corruption vulnerability in the Windows Scripting Engine, with a CVSS rating of 8.1.

Of the three Critical CVEs, it's the Windows WLAN AutoConfig vulnerability that stands out, according to Danny Kim, principal architect at Virsec.

"Looking at this month's Patch Tuesday updates, CVE-2021-36965 (Windows WLAN AutoConfig Service Remote Code Execution Vulnerability) -- given its combination of severity, lack of privilege escalation/user interaction, and affected Windows versions -- is especially alarming," Kim said in a released statement.

Kim's view was echoed by the Cisco Talos team, which described CVE-2021-36965 as "the most serious vulnerability" in the September patch bunch.

Two Publicly Known Important Vulnerabilities
Two vulnerabilities ranked "Important" by security researchers were also described as being publicly known before Microsoft's patch release. These public CVEs include:

  • CVE-2021-40444, a remote code execution vulnerability in Microsoft MSHTML (the Trident rendering engine used in the Internet Explorer browser), rated at 8.8 on the CVSS scale, which was also listed as being "exploited."
  • CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS, with a CVSS rating of 7.8.

The first of these publicly known vulnerabilities -- the Microsoft MSHTML remote code execution flaw -- was described by Microsoft last week. An attacker can send a specially crafted document as an attachment; if the user opens it, the attacker gains the rights of that user.

Microsoft said that using its automatic update service or its anti-malware software offered protection from the MSHTML vulnerability, and that its Protected View and Application Guard features also provided some safeguards. However, there are ways of bypassing those safeguards, according to a Bleeping Computer article, citing comments by Will Dormann, an analyst with CERT/CC.

Microsoft had suggested disabling ActiveX as a workaround to the MSHTML vulnerability, but ActiveX isn't needed for this exploit, according to a Born's Tech and Windows World article. It was also subsequently discovered that documents in Rich Text Format could be used in these attacks, too.
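The ActiveX workaround referred to above is a set of registry policy values, not a single switch. The following PowerShell script is an added example, not code from the article or from Microsoft: it audits, and with -Apply sets, the per-zone URL actions that Microsoft's advisory for CVE-2021-40444 described (actions 1001 and 1004 set to 3, "Disable", for Internet Explorer zones 0 through 3 under the machine policy hive). The registry path and value names are taken from that advisory as the author recalls it and should be checked against it before use; the exit code and report format are this example's own design.

```powershell
# Added example: audit (and optionally apply) the ActiveX-disable workaround
# published for CVE-2021-40444. Run from an elevated PowerShell prompt.
# The article notes the workaround can be bypassed, so treat it as a
# stopgap until the September patch is installed.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports
)

# Policy hive used by the advisory; per-zone keys 0..3 live beneath it.
$base     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zones    = 0..3            # 0 = Local Machine, 1 = Intranet, 2 = Trusted, 3 = Internet
$actions  = '1001', '1004'  # 1001 = download signed ActiveX, 1004 = download unsigned ActiveX
$disabled = 3               # URL action value meaning "Disable"

$results = foreach ($z in $zones) {
    $key = Join-Path $base "$z"
    foreach ($a in $actions) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $a -ErrorAction SilentlyContinue).$a
        }
        $compliant = ($current -eq $disabled)

        if ($Apply -and -not $compliant) {
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $a -Value $disabled -PropertyType DWord -Force | Out-Null
            $current   = $disabled
            $compliant = $true
        }

        [pscustomobject]@{ Zone = $z; Action = $a; Value = $current; Compliant = $compliant }
    }
}

$results | Format-Table -AutoSize

# Non-zero exit when any zone/action pair is still not disabled, so the
# script can be used as a compliance check from a scheduling or EDR tool.
if ($results.Compliant -contains $false) { exit 1 } else { exit 0 }
```

Run it without -Apply first to see which zones already carry the policy; a machine managed by Group Policy may show the values without any local change. Because the values are written under the Policies hive, removing the workaround later means deleting the values (or pushing a replacement policy), not just reverting the Internet Options dialog.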

Organizations should patch the MSHTML vulnerability, as it seems to be of interest to ransomware perpetrators, noted Satnam Narang, staff research engineer at Tenable.

"There have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware," Narang said in a released comment regarding CVE-2021-40444. "There are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible."

What About PrintNightmare?
The September patch release included Windows Print Spooler fixes, continuing the run of spooler patches that gained notoriety over the summer under the "PrintNightmare" name.

New Windows Print Spooler vulnerabilities were patched this month. They include the Important vulnerabilities CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447, all enabling elevation of privilege, each with a CVSS score of 7.8, according to Tenable. Of the three, only CVE-2021-38671 got the "Exploitation More Likely" label from Microsoft.

Whether these Windows Print Spooler patches are new or holdovers from last month was questioned by Microsoft Most Valuable Professional Susan Bradley in this AskWoody post. Bradley had outlined the complexities and impossible choices for organizations trying to deal with PrintNightmare in this August Computerworld article.

About the Author

Kurt Mackie is senior news producer for 1105 Media's Converge360 group.
