Patch Tuesday October 2021 – Microsoft Fixes Windows Kernel Zero-Day and Critical Bug in Exchange Server

This month’s Patch Tuesday includes a cumulative update (CU) for Windows 11, which was made generally available on October 4th. In total, Microsoft released patches addressing 71 CVEs across Windows, Edge, Exchange Server, .NET Core, SharePoint Server and a number of other products.

Two of the CVEs patched this month are rated Critical, 68 Important and one Low. Three count as zero-days, meaning they were publicly disclosed or under attack before a fix was available, and one of them, CVE-2021-40449, was being actively exploited in the wild.

Patch Tuesday Windows and Windows Server

CVE-2021-40449 is an elevation of privilege vulnerability in the Win32k kernel-mode driver. Microsoft’s advisory lists it as exploited in the wild, and Kaspersky, which reported the bug, describes it being used in targeted attacks that it tracks as the MysterySnail campaign. A privilege escalation bug like this is normally chained with a separate code execution flaw, or used by malware that is already running as an ordinary user, to gain SYSTEM, so the patch matters even on machines that are not directly exposed to the network.

There’s also a patch this month for an information disclosure bug (CVE-2021-40454) in the Rich Text Edit Control used by Win32 applications. Microsoft has not described how the flaw would be exploited in practice, but a successful attack could let an attacker read cleartext passwords and other sensitive data from memory.

Windows Hyper-V gets patches for two remote code execution vulnerabilities, CVE-2021-38672 and CVE-2021-40461. These are the month’s two Critical-rated bugs, and both affect Windows 11 and Windows Server 2022. The practical worry with a Hyper-V RCE is that a malicious or compromised guest could run code on the host, so Hyper-V hosts belong near the top of the deployment list.

This month there is also a patch for a spoofing bug (CVE-2021-36970) in the Windows Print Spooler service. The flaw was reported by XueFeng Li and Zhiniang Peng of Sangfor, the researchers who earlier this year disclosed details of one of the flaws that later became known as PrintNightmare.

Microsoft has published few details of the new flaw, but considering the year the Print Spooler service has had, it’s wise to get this patch applied promptly. Microsoft’s standing guidance since PrintNightmare still applies as well: disable the Print Spooler service on machines that do not need it, domain controllers in particular, and leave it running only on print servers and on workstations that actually print.
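As an added example (not code from the original article), the following PowerShell function audits a host’s Print Spooler exposure and, with `-Disable`, stops and disables the service where nothing depends on it. The function name, the `-Disable` switch and the decision rule (keep the spooler only where shared printers exist) are the author’s own choices; the service commands are the ones Microsoft recommended during PrintNightmare.

```powershell
# Added example, not from the original article: report the Print Spooler
# state of the local machine and optionally disable it where it is not needed.
# Test-PrintSpoolerExposure and its -Disable switch are names chosen here.
# Run from an elevated PowerShell session.

function Test-PrintSpoolerExposure {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Stop and disable the service if this host shares no printers.
        [switch]$Disable
    )

    $svc = Get-Service -Name Spooler -ErrorAction Stop

    # Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
    # Microsoft's PrintNightmare guidance was to keep the spooler off DCs.
    $role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
    $isDomainController = $role -ge 4

    # Shared printers mean this host acts as a print server. Get-Printer comes
    # from the PrintManagement module, which Server Core may not have.
    $sharedPrinters = @()
    if (Get-Command -Name Get-Printer -ErrorAction SilentlyContinue) {
        $sharedPrinters = @(Get-Printer -ErrorAction SilentlyContinue | Where-Object { $_.Shared })
    }
    $needed = $sharedPrinters.Count -gt 0

    if ($Disable -and -not $needed -and $svc.Status -eq 'Running') {
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
            Stop-Service -Name Spooler -Force
            Set-Service -Name Spooler -StartupType Disabled
            $svc = Get-Service -Name Spooler
        }
    }

    if ($needed) {
        $recommendation = 'Keep spooler (shared printers present); patch immediately'
    } elseif ($isDomainController) {
        $recommendation = 'Disable spooler (domain controller)'
    } else {
        $recommendation = 'Disable spooler unless local printing is required'
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        SpoolerStatus      = $svc.Status
        StartupType        = $svc.StartType
        IsDomainController = $isDomainController
        SharedPrinters     = $sharedPrinters.Count
        Recommendation     = $recommendation
    }
}

# Usage:
#   Test-PrintSpoolerExposure                  # report only
#   Test-PrintSpoolerExposure -Disable -WhatIf # show what would be changed
#   Test-PrintSpoolerExposure -Disable         # actually stop and disable it
```

Run it across a fleet with `Invoke-Command -ComputerName (Get-Content .\hosts.txt) -ScriptBlock ${function:Test-PrintSpoolerExposure}` to get one row per host, and treat any domain controller that reports a running spooler as a finding regardless of whether this month’s patch is installed.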

Microsoft Exchange Server

A remote code execution (RCE) vulnerability (CVE-2021-26427) in Exchange Server, reported by the National Security Agency (NSA), has been patched by Microsoft. Microsoft rates the attack vector as adjacent, meaning the attacker needs a foothold on the same network segment as the Exchange Server rather than being able to reach it from the Internet. But email servers are frequently targeted, and an attacker who has already phished a workstation on the internal network is exactly that kind of adjacent attacker, so it would be wise to get your Exchange Servers patched as quickly as possible.

Microsoft Office

CVE-2021-40486 is an RCE in Microsoft Word. Because the Preview Pane is an attack vector, the attack surface is larger than usual: a user does not have to open a malicious document, previewing it is enough. Using a specially crafted Word document, an attacker could execute code on the affected system with the privileges of the logged-on user.

Adobe Software

As is almost always the case, Adobe has issued patches for Acrobat and Reader, along with other products including Adobe Commerce and Adobe Connect.

Patch Tuesday update testing and best practices

Organizations looking to deploy this month’s Patch Tuesday updates should test them thoroughly before deploying them widely on production systems. That said, wide deployment shouldn’t be delayed longer than necessary, because attackers start working out how to weaponize newly reported vulnerabilities as soon as the patches are released.

Best practice is to make sure systems are backed up before applying updates. Every month, some users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility problems, or, in extreme cases, data loss.

Windows and Windows Server include built-in backup tools that you can use to restore systems if a patch causes a problem. They can restore an entire system, or individual files and folders on a granular basis.
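As an added example (not code from the original article), the following PowerShell helpers cover the three steps above for a single host: a pre-patch backup with Windows Server Backup, a check that the expected KBs are actually installed, and a rollback of the latest cumulative update. The function names are the author’s own. KB5006670 (Windows 10 2004/20H2/21H1) and KB5006674 (Windows 11) are this month’s cumulative updates, but confirm the KB for your own build against Microsoft’s release notes. One caveat worth knowing: because the servicing stack update now ships combined with the cumulative update, `wusa /uninstall /kb:` no longer removes these packages; Microsoft’s documented path is to remove the LCU package with DISM, which is what the rollback function does.

```powershell
# Added example, not from the original article: backup, verify and roll back
# around a Windows cumulative update. Function names are chosen here.
# Run from an elevated PowerShell session.

# 1. Take a bare-metal or system-state backup with Windows Server Backup.
#    On servers the feature must be present: Install-WindowsFeature Windows-Server-Backup
#    System-state backups must go to a local volume, not a network share.
function New-PrePatchBackup {
    param(
        [Parameter(Mandatory)] [string]$BackupTarget,   # a volume such as 'E:' or a share '\\nas\wsb'
        [switch]$SystemStateOnly
    )
    # wbadmin is the command-line front end to Windows Server Backup.
    if ($SystemStateOnly) {
        & wbadmin start systemstatebackup "-backupTarget:$BackupTarget" -quiet
    } else {
        & wbadmin start backup "-backupTarget:$BackupTarget" -allCritical -quiet
    }
    if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }
}

# 2. Confirm which of the expected KBs are installed. Get-HotFix reads
#    Win32_QuickFixEngineering, which does list cumulative updates.
function Test-PatchInstalled {
    param([Parameter(Mandatory)] [string[]]$KbId)
    $hotfixes = Get-HotFix
    foreach ($kb in $KbId) {
        $hit = $hotfixes | Where-Object { $_.HotFixID -eq $kb } | Select-Object -First 1
        $installedOn = $null
        if ($hit) { $installedOn = $hit.InstalledOn }
        [pscustomobject]@{
            KB          = $kb
            Installed   = [bool]$hit
            InstalledOn = $installedOn
        }
    }
}

# 3. Roll back the most recent cumulative update. The LCU package is named
#    Package_for_RollupFix~...; since the SSU ships inside the same package,
#    'wusa /uninstall /kb:' fails on it and the documented path is DISM
#    /Remove-Package, which the Dism module exposes as Remove-WindowsPackage.
function Uninstall-LatestCumulativeUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $lcu = Get-WindowsPackage -Online |
        Where-Object { $_.PackageName -like 'Package_for_RollupFix*' -and $_.PackageState -eq 'Installed' } |
        Sort-Object -Property InstallTime -Descending |
        Select-Object -First 1
    if (-not $lcu) { throw 'No installed cumulative update package found' }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Remove $($lcu.PackageName)")) {
        Remove-WindowsPackage -Online -PackageName $lcu.PackageName -NoRestart
        Write-Warning 'A restart is required to complete the removal'
    }
    $lcu.PackageName
}

# Usage:
#   New-PrePatchBackup -BackupTarget 'E:'
#   ... install the updates and reboot ...
#   Test-PatchInstalled -KbId 'KB5006670', 'KB5006674'
#   Uninstall-LatestCumulativeUpdate -WhatIf   # dry run; drop -WhatIf to remove it
```

The `-WhatIf` dry run on the rollback prints the exact package that would be removed, which is worth checking before the real run on a machine that has had several cumulative updates applied.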

If you have any problems with this month’s patches, please let us know in the comments below. Other readers may be able to share how they rolled back a problematic update or worked around issues caused by patches that are important to have in place.

But that is it for another month and happy patching!