Microsoft Fixes 74 Vulnerabilities on October Patch Tuesday, Including 1 Actively Exploited 0Day

October 2021 Patch Tuesday has seen Microsoft release fixes for 74 vulnerabilities across its product range, with an additional 7 fixes for issues in Microsoft Edge. Four of the fixes are for zero-day vulnerabilities; of the 74, 3 are rated critical, 70 important, and 1 low severity.

The zero-day vulnerabilities are bugs which have been publicly disclosed or exploited in the wild ahead of a patch being released. Of those flaws, only one is known to have been actively exploited. That flaw, tracked as CVE-2021-40449, is a privilege escalation flaw in the Win32k component of Windows. It has been exploited in an espionage campaign against IT firms, military and defense contractors, and diplomatic entities by the Chinese APT group IronHusky. The attacks saw the MysterySnail Remote Access Trojan (RAT) installed.

The 3 publicly disclosed vulnerabilities all affect Windows: an RCE vulnerability (CVE-2021-40469) in Windows DNS Server, a Windows Kernel elevation of privilege vulnerability (CVE-2021-41335), and a Windows AppContainer Firewall Rules security bypass vulnerability (CVE-2021-41338).

The critical vulnerabilities are an RCE vulnerability in Microsoft Word (CVE-2021-40486), which also affects Microsoft Office and some versions of SharePoint Server and can be exploited via the preview pane, and 2 RCE vulnerabilities in Windows Hyper-V (CVE-2021-40461, CVE-2021-38672).

The remaining vulnerabilities are a mix of remote code execution, security feature bypass, elevation of privilege, information disclosure, denial of service, and spoofing vulnerabilities.

A Microsoft Exchange Server RCE vulnerability (CVE-2021-26427) with a CVSS score of 9 out of 10 has also been fixed. While a score this high would normally be rated critical, Microsoft has rated it important because exploitation is considered less likely.

Among the remaining updates is a fix for a Windows Print Spooler spoofing vulnerability (CVE-2021-36970), which is part of the PrintNightmare set of vulnerabilities first identified in June. The flaw has a CVSS score of 8.8 out of 10.

As always, patches should be applied as soon as possible to prevent exploitation, with priority given to the most serious flaws.

Adobe Patches 10 Vulnerabilities

Adobe has released patches to fix 10 vulnerabilities across a range of its products this patch Tuesday. Fixes have been issued for Adobe Acrobat and Reader (4), Adobe Connect (2), Adobe Reader Mobile (1), Adobe Commerce (1), Adobe Campaign Standard (1), and Ops-cli (1).

Adobe Acrobat and Reader get the most updates with 4 vulnerabilities fixed, including two critical RCE flaws (CVE-2021-40728, CVE-2021-40731) each with a CVSS base score of 7.8 out of 10 and two moderate privilege escalation vulnerabilities (CVE-2021-40729, CVE-2021-40730) with a CVSS score of 3.3.

Two RCE flaws have been fixed in Adobe Connect, one of which is a critical vulnerability with a CVSS score of 9.8 (CVE-2021-40719), with the other (CVE-2021-40721) given a CVSS rating of 6.4.

One Important RCE flaw has been fixed in Adobe Reader Mobile (CVE-2021-40724), for which no CVSS score was provided; a security bypass flaw (CVE-2021-39864) with a CVSS score of 6.5 has been corrected in Adobe Commerce; and Adobe Campaign Standard has received a fix for a cross-site scripting vulnerability (CVE-2021-40744), which has no CVSS score assigned. The last update is for Adobe ops-cli, which has had a critical RCE vulnerability (CVE-2021-40720) with a CVSS score of 9.8 out of 10 fixed.

None of the vulnerabilities have been exploited in the wild. The most serious vulnerabilities have been given a priority rating of 2, meaning updates should be performed as soon as possible and within 30 days.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news