Microsoft released patches to correct 86 flaws across its product range on September 2021 Patch Tuesday, including fixes for two zero-day bugs. Three of the vulnerabilities addressed in this month’s updates are rated critical and 62 have been rated important.
One of the zero-day bugs – tracked as CVE-2021-40444 – is a remote code execution vulnerability in Windows MSHTML that is known to have been exploited in the wild for almost two weeks. The bug is being exploited via phishing emails that contain a malicious Word document. Macros in the file download and execute a DLL file that installs a Cobalt Strike beacon, which allows the attacker to remotely access the device, steal data, and move laterally within the network. Despite being actively exploited, the flaw has only been rated important.
The other zero-day bug is not believed to have been exploited, although it has been publicly disclosed. The flaw, tracked as CVE-2021-36968, is a Windows DNS elevation of privilege vulnerability that has been rated important.
The critical flaws, which should also be prioritized, affect Azure Open Management Infrastructure, Windows WLAN AutoConfig Service, and Windows Scripting. The Azure Open Management Infrastructure vulnerability, tracked as CVE-2021-38647, has the highest severity score of all this month’s disclosed bugs, with a CVSS rating of 9.8 out of 10. This is a remote code execution vulnerability that requires no user interaction or privileges. An attacker could run code on an affected system by sending a specially crafted message.
The Windows WLAN AutoConfig Service bug, tracked as CVE-2021-36965, is a remote code execution vulnerability with a CVSS severity score of 8.8, although Microsoft rates exploitation of this flaw as less likely. However, such a high CVSS score, combined with no requirement for privilege escalation or user interaction, means this patch should be prioritized. The third critical flaw, tracked as CVE-2021-26435, is a Windows Scripting Engine memory corruption vulnerability with a CVSS score of 8.1.
Microsoft has also released three patches to correct Windows Print Spooler elevation of privilege vulnerabilities (CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447), all of which are rated important, and a new fix that addresses the remaining PrintNightmare vulnerability, CVE-2021-36958.
In addition to addressing these flaws, it is important to apply the updates released by Adobe. Adobe released 59 updates to correct flaws in 15 products, with 36 of the bugs rated critical. It is also recommended to update Google Chrome, which has just had 25 flaws corrected. These have also been ported over to Microsoft’s Chromium-based Edge.