News

Microsoft October Patches Address More Than 70 Vulnerabilities

• By Kurt Mackie
• 10/12/2021

Microsoft on Tuesday released security patches for more than 70 common vulnerabilities and exposures (CVEs).

The exact tally for the October patch bundle varies per the security-researcher organization that describes them. Microsoft doesn't count its patches, but does list them in a repetitious manner in its sprawling "Security Update Guide." A good summing up of the patch count can be found in Trend Micro's Zero Day Initiative blog by Dustin Childs.

The usual products are getting patches this month, such as Office and Windows, including the new Windows 11 operating system. However, items such as Exchange Server, Active Directory Federation Services, Microsoft Intune, DNS Server, Windows Active Directory Server, Windows Hyper-V, the Windows MSHTML platform, Windows Network Address Translation and Print Spooler components also are part of the list, as found in Microsoft's "Release Notes."

Microsoft indicated in the "Release Notes" that a "new, more user-friendly and flexible system for delivering Microsoft Technical Security Notifications" will be arriving "in the coming months." More information about it will be coming, but no further details were provided.

Three of the October CVEs were deemed "Critical" by researchers, with the rest mostly rated as "Important" (or "High"). The Important patches are troublesome because three of them have been publicly disclosed at the proof-of-concept stage, while one of them has been exploited.

Critical
Two of the three Critical vulnerabilities (CVE-2021-38672 and CVE-2021-40461) affect Windows Hyper-V, enabling remote code execution. Both are rated 8 (out of 10) on the Common Vulnerability Scoring System (CVSS) scale. The third Critical vulnerability is a remote code execution flaw in Microsoft Word (CVE-2021-40461) with a CVSS score of 7.8.

One problem with vulnerabilities subject to remote code execution is that they can be launching pads for ransomware, explained Danny Kim, principle architect at Virsec, via e-mail.

The Microsoft Word vulnerability can be additionally exploited via Microsoft's Preview Pane document viewing feature, Childs explained.

"Although Microsoft lists user interaction required [for CVE-2021-40461], the Preview Pane is also listed as an attack vector," Childs wrote. "This creates a much larger attack surface."

Exploited
The one exploited item (CVE-2021-40449) is an Important Win32k elevation of privilege vulnerability with a Common Vulnerability Scoring System (CVSS) score of 7.8. There's little description in Microsoft's bulletin, but it was discovered by a Kaspersky security researcher.

"Considering the source of this report, this bug is likely being used in a targeted malware attack," said Dustin Childs, writing in Trend Micro's Zero Day Initiative blog. "We will also likely see more information about this bug and the associated attack within the next few days."

Attackers use elevation of privilege to advance attacks on systems they've gained access to, according to Greg Wiseman, senior security researcher at Rapid7.

"Rated as Important, this [CVE-2021-40449] is likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems," Wiseman wrote, via e-mail.

The Important rating may not be a good enough descriptor, though, according to Chris Goettl, senior director of product management at Ivanti, via e-mail, regarding CVE-2021-40449:

Microsoft only rated the vulnerability as Important by their severity scoring system, which is a good example of why organizations need to focus on vulnerability remediation based on risk. A risk-based approach to vulnerability management takes into account more real-world indicators such as known exploited, public disclosure, and usage trends by threat actors to better understand what exposures you should be focusing on first and quickest. 

This vulnerability isn't the only one this month that's associated Win32k, noted Jon Munshaw of Cisco's Talos security blog.

"There are two other Win32k vulnerabilities in this month's Patch Tuesday, though neither has been exploited in the wild as of yet: CVE-2021-40450 and CVE-2021-41357," he wrote.

Publicly Disclosed
The three publicly known vulnerabilities are just rated as Important (or "High") by security researchers. They include:

• CVE-2021-41335, a Windows kernel elevation of privilege vulnerability (CVSS 7.8)
• CVE-2021-40469, a Windows DNS Server remote code execution vulnerability (CVSS 7.2), and
• CVE-2021-41338, a Windows AppContainer firewall rules bypass vulnerability (CVSS 5.5).

While they were publicly disclosed, these vulnerabilities "haven't yet been observed in active exploitation," Wiseman noted.

A proof-of-concept for CVE-2021-41335, the Windows kernel flaw, has been publicly shown, which "could allow an attacker to run arbitrary code in kernel mode" on Windows systems, explained Justin Knapp, a senior product marketing manager at Automox, in a compendium of Automox patch Tuesday commentary. Such an attack would first require logging into a system and then running a "specially crafted application," he added.

The Windows DNS Server vulnerability (CVE-2021-40469), disclosed as a proof-of-concept exploit, would require having administrative privileges to effectively carry out an attack, but "there is still a significant risk because no user interaction is required, and no special endpoint conditions are required for an attack to succeed," explained Maarten Buis, product marketing manager at Automox.

The Windows AppContainer vulnerability (CVE-2021-41338) can be exploited without user interaction and "results in a loss of confidentiality," explained Aleks Haugom, a product marketing manager at Automox. This vulnerability is important to patch in 72 hours because "AppContainers are designed to protect against infiltration from third-party apps," Haugom explained.

Print Spooler Patches
Possible "PrintNightmare" exploits likely bestowed an early Halloween frightful feeling in IT pros. Microsoft has issued many print spooler patches in the past months, accompanied with lots of confusing advice. This month, two Important print spooler patches were released, namely CVE-2021-36970 and CVE-2021-41332.

Possibly, the series of print spooler patches may be nearing a close, though.

"There are only a couple of print spooler bugs in this month’s release, so perhaps the days of PrintNightmare are finally behind us," Childs optimistically opined.

It's important to patch these vulnerabilities because PrintNightmare has been added to ransomware attack kits, explained Satam Narang, a staff research engineer at Tenable.

"While no details have been shared publicly about the flaw [CVE-2021-36970], this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook," Narang stated, via e-mail.

Apple Zero Day
Adobe also released patches on Tuesday. Meanwhile, Apple recently issued patches for a zero-day vulnerability (CVE-2021-30883) affecting devices running iOS 15.0.2 and iPadOS 15.0.2.

"The vulnerability outlined in CVE-2021-30883 allows an application to execute arbitrary code with kernel privileges, possibly enabling a hacker to have complete and unrestricted access to the underlying hardware, thus executing any CPU instruction and reference any memory address," Automox explained.