Patch Tuesday October 2021 – Microsoft Fixes Windows Kernel Zero-Day and Critical Bug in Exchange Server

This month’s Patch Tuesday includes a cumulative update (CU) for Windows 11, which was made generally available on October 4th. In total, Microsoft released patches addressing 71 CVEs in Windows, Edge, Exchange Server, .NET Core, SharePoint Server, and many other products.

Two of the CVEs patched this month are rated Critical and 68 Important. Three of the bugs are zero-days, and one of them is apparently being actively exploited in the wild.

Patch Tuesday Windows and Windows Server

CVE-2021-40449 addresses a Windows kernel vulnerability that could be used to escalate privileges. There isn’t much detail on this bug, but because it was reported by security company Kaspersky, it’s likely that it is already being exploited by hackers.

There’s a patch this month for an information disclosure bug (CVE-2021-40454) in the Rich Text Edit Control in Win32 apps. While nobody has yet demonstrated how this flaw might be exploited in practice, it could allow an attacker to access cleartext passwords and other information stored in memory.

Windows Hyper-V gets patches for two remote code execution vulnerabilities, CVE-2021-38672 and CVE-2021-40461, that also apply to Windows 11 and Windows Server 2022.

This month there is a patch for a bug (CVE-2021-36970) in the Windows Print Spooler service. The flaw was reported by XueFeng Li and Zhiniang Peng with Sangfor, the researchers who earlier this year disclosed details about one of the flaws that later became known as PrintNightmare.

There are no details about the new flaw, but considering the issues Microsoft has been having with the Print Spooler service this year, it’s probably wise to get this patch applied.

Microsoft Exchange Server

A remote code execution (RCE) vulnerability (CVE-2021-26427) in Exchange Server, reported by the National Security Agency (NSA), has been patched by Microsoft. To exploit this flaw, an attacker would need direct network access to an Exchange Server, so it isn’t easily exploitable from the Internet. But because email servers are frequently targeted, it would be wise to get your Exchange Servers patched as quickly as possible.

Microsoft Office

CVE-2021-40486 is an RCE in Microsoft Word. Because the Preview Pane is also an attack vector, the attack surface for this vulnerability is large: a user doesn’t necessarily need to open a malicious document for it to be triggered. Using a specially crafted Word document, an attacker could use this vulnerability to take over an affected system.

Adobe Software

As is almost always the case, Adobe has issued patches for Adobe Reader and Acrobat, as well as other products including Adobe Commerce and Adobe Connect.

Patch Tuesday update testing and best practices

Organizations looking to deploy this month’s Patch Tuesday updates should conduct thorough testing before deploying them widely on production systems. That said, applying the patches widely shouldn’t be delayed longer than necessary, as hackers quickly start to work out how to weaponize newly reported vulnerabilities.

Best practice is to make sure you have backed up systems before applying updates. Every month, users experience issues with Windows updates that lead to systems not booting, application and hardware compatibility issues, or even data loss in extreme cases.

There are backup tools built into Windows and Windows Server that you can use to restore systems in the event a patch causes a problem. The backup features in Windows can be used to restore an entire system, or files and folders on a granular basis.
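As an added example (not from the article), the following PowerShell script captures the list of installed hotfixes and takes a system state backup with the built-in Windows Server Backup tool before the updates are applied, then lets you confirm afterwards which updates actually landed. It assumes Windows Server with the Windows Server Backup feature installed and a backup volume at E:; both the drive letter and the snapshot folder are assumptions you should change for your environment.

```powershell
# Added example: pre-patch snapshot + backup, and a post-patch comparison.
# Assumptions: Windows Server Backup feature is installed, E: is a backup volume,
# and C:\PatchSnapshots is writable. Run as an administrator.
$BackupTarget = 'E:'                 # assumed backup volume
$SnapshotDir  = 'C:\PatchSnapshots'  # assumed folder for before/after snapshots

function New-PrePatchSnapshot {
    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    New-Item -ItemType Directory -Path $SnapshotDir -Force | Out-Null
    $beforeFile = Join-Path $SnapshotDir "hotfixes-before-$stamp.xml"

    # 1. Record which hotfixes are installed now (Get-HotFix reads Win32_QuickFixEngineering),
    #    so the post-patch state can be compared against it.
    Get-HotFix | Select-Object HotFixID, Description, InstalledOn | Export-Clixml -Path $beforeFile

    # 2. Take a system state backup with wbadmin (the Windows Server Backup CLI).
    #    -quiet suppresses the confirmation prompt; a non-zero exit code means no usable backup.
    wbadmin start systemstatebackup -backupTarget:$BackupTarget -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "System state backup failed (exit code $LASTEXITCODE); do not patch until a good backup exists."
    }
    return $beforeFile
}

# 3. After the updates are installed and the server has rebooted, compare against the snapshot
#    to list the KB articles that were added by this month's cumulative update.
function Compare-HotFixSnapshot {
    param([Parameter(Mandatory)] [string] $BeforeFile)
    $before = Import-Clixml -Path $BeforeFile
    $after  = Get-HotFix | Select-Object HotFixID, Description, InstalledOn
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property HotFixID |
        Where-Object SideIndicator -eq '=>' |
        Select-Object HotFixID
}

# Usage before patching:
$snapshot = New-PrePatchSnapshot
Write-Host "Snapshot saved to $snapshot; install updates, reboot, then run:"
Write-Host "Compare-HotFixSnapshot -BeforeFile '$snapshot'"
```

If the comparison returns nothing after the reboot, the update did not install and the system is still exposed to this month’s fixes, so check Windows Update history before assuming you are patched.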

If you have any problems with this month’s patches, please let us know in the comments below. Other readers might be able to share their experiences in how to roll back problematic updates or mitigate issues caused by patches that are important to have in place.

But that is it for another month and happy patching!

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.