Microsoft Fixes 55 Vulnerabilities on November 2021 Patch Tuesday, Including Six 0-Days

November 2021 Patch Tuesday has seen Microsoft release patches to correct 55 security vulnerabilities, including 6 zero-day bugs. Two of the 0-day bugs are being exploited in the wild: a security feature bypass vulnerability in Microsoft Excel (CVE-2021-42292) and a remote code execution vulnerability in Microsoft Exchange Server (CVE-2021-42321).

The Microsoft Excel flaw is known to have been used in malicious attacks. Microsoft has confirmed that the Preview Pane is not an attack vector, so a victim has to open a specially crafted file for the flaw to be triggered. A patch has yet to be released to address the flaw in Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021. The flaw has a CVSS base score of 7.8 out of 10.

The Microsoft Exchange Server vulnerability has also been exploited in the wild. It requires the attacker to be authenticated, but successful exploitation leads to remote code execution on the server. The vulnerability has been assigned a CVSS base score of 8.8.
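Because CVE-2021-42321 was already being exploited before the fix shipped, administrators of on-premises Exchange servers will want to look for signs of attempted exploitation as well as apply the update. The following PowerShell check is an added example, not code from the article; it mirrors the Application-log search Microsoft's Exchange team recommended alongside the November 2021 updates, and it assumes the log source name ("MSExchange Common") and the error text ("BinaryFormatter.Deserialize") are unchanged on your build. Run it in the Exchange Management Shell on each Exchange 2016 or 2019 server.

```powershell
# Added example (not from the original article): hunt for evidence of
# CVE-2021-42321 exploitation attempts on an on-premises Exchange server.
# Assumption: exploitation attempts surface as "MSExchange Common" errors in
# the Application log whose message mentions BinaryFormatter.Deserialize.

# 1. Record the installed Exchange build so it can be compared against the
#    November 2021 Security Update release notes (cmdlet is available in the
#    Exchange Management Shell only).
Get-ExchangeServer | Select-Object Name, AdminDisplayVersion | Format-Table -AutoSize

# 2. Look for deserialization errors that indicate an exploitation attempt.
$hits = Get-EventLog -LogName Application -Source "MSExchange Common" -EntryType Error -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like "*BinaryFormatter.Deserialize*" }

if ($hits) {
    Write-Warning ("{0} suspicious deserialization error(s) found - investigate before and after patching." -f $hits.Count)
    $hits | Select-Object TimeGenerated, EventID, MachineName, Message | Format-List
} else {
    Write-Output "No MSExchange Common deserialization errors found in the Application log."
}
```

A hit is not proof of compromise on its own, but any such error on an unpatched server should be treated as a potential intrusion and investigated (mailbox access, newly created web shells, unexpected scheduled tasks) rather than simply patched over.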

The four other zero-days have been publicly disclosed, although they have not been exploited in the wild. Two of the flaws are remote code execution vulnerabilities in 3D Viewer: CVE-2021-43208 and CVE-2021-43209. Both have a local attack vector, meaning an attacker would need to get a malicious file opened on the target machine to execute arbitrary code, and both have a CVSS severity score of 7.8.

The other two zero-day bugs are in Windows Remote Desktop Protocol and are information disclosure issues. The 0-Days are tracked as CVE-2021-38631 and CVE-2021-41371 and both have a CVSS severity score of 4.4.

This month’s updates include fixes for 6 critical flaws with the remaining 49 rated important. The 6 critical vulnerabilities affect Microsoft Dynamics, Visual Studio, Windows Defender, Windows Remote Desktop Protocol, Windows Scripting, and Windows Virtual Bus.

The remaining vulnerabilities affect Microsoft Azure, Azure RTOS, Azure Sphere, Microsoft Edge, Microsoft Exchange Server, Microsoft Office (Access, Excel, & Word), Microsoft Windows, Windows Codecs Library, Power BI, Windows Hyper-V, Visual Studio, Visual Studio Code, Windows Active Directory, Windows COM, Windows Core Shell, Windows Credential Security Support Provider Protocol (CredSSP), Windows Desktop Bridge, Windows Diagnostic Hub, Windows Fastfat Driver, Windows Feedback Hub, Windows Hello, Windows Installer, Windows Kernel, and Windows NTFS.

Adobe Releases Patches for Four Vulnerabilities

Adobe issued patches to correct four vulnerabilities in RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud Desktop Application on November 2021 Patch Tuesday.

The most serious flaw (CVE-2021-39858) affects RoboHelp Server and is a path traversal vulnerability that can lead to remote code execution in RoboHelp Server RHS 2020.0.1 and earlier versions for Microsoft Windows. The flaw has been assigned a CVSS base score of 8.8 out of 10.

Two vulnerabilities have been fixed in Adobe InCopy. The most serious (CVE-2021-43015) is a critical out-of-bounds memory access (access of memory location after end of buffer) that could be exploited to achieve arbitrary code execution; it has been assigned a CVSS base score of 7.8 out of 10. The second vulnerability is a NULL pointer dereference that could be exploited in a denial-of-service attack. That flaw has been rated important and has a CVSS base score of 5.5.

A patch has been released to fix a single vulnerability in Adobe Creative Cloud Desktop Application. The issue is due to the creation of a temporary file in a directory with incorrect permissions and could be used in an application denial-of-service attack. The flaw has been assigned a CVSS base score of 6.5.

Adobe is unaware of any public exploits for the flaws. All four issues have been assigned a priority rating of 3, as the affected products have not historically been targeted by attackers; however, prompt patching is still recommended.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news