Patch Tuesday September 2021 – Microsoft fixes MSHTML Zero-Day and Apple Blocks NSO Group Surveillance Spyware

This month, Microsoft released a fix for the MSHTML zero-day that emerged earlier in September. And it fixes a serious remote code execution bug in the WLAN AutoConfig service. There’s also a fix for a serious bug in Apple iOS. So, let’s get started!

Microsoft fixes MSHTML zero-day

Earlier this month, Microsoft released a security advisory for a remote code execution vulnerability (CVE-2021-40444) in Microsoft MSHTML, the rendering engine that Office apps use in Windows to display web content. The advisory said:

An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

Microsoft published a couple of workarounds in the advisory. But with this week’s updates, there’s now a fix. The fix is included in KB5005565, which is the monthly cumulative update for Windows 10.

For more information on this zero-day, see Microsoft Provides Temporary Fix for Office 365 Zero-Day on Petri.

Windows WLAN AutoConfig Service

This month also sees a patch for a remote code execution bug (CVE-2021-36965) in the Windows WLAN AutoConfig service. The vulnerability could let an attacker run code with SYSTEM privileges, allowing them to own the target device.

The bug can be exploited by an attacker on the same network as the target device. And it doesn’t require any specific user rights or interaction on the target system.

Open Management Infrastructure bug

Open Management Infrastructure (OMI) is Microsoft’s implementation of Distributed Management Task Force (DMTF) Common Information Model (CIM) and Web Services-Management (WSMAN) standards for managing operating systems and other IT infrastructure.

This month’s OMI patch has the highest CVSS rating of 9.8 and it addresses a remote code execution vulnerability in OMI. The bug doesn’t require any user interaction or special rights on the target system. An attacker could compromise a device by sending a specially crafted message.

Microsoft Edge gets patches for elevation of privilege bugs

In a slightly concerning note, Microsoft has managed to introduce some elevation of privilege vulnerabilities into its Edge browser that weren’t part of the Chromium project that Edge is based on.

Microsoft has patched these bugs separately. Chromium bugs are usually patched by Google. In addition this month, Google has fixed two zero-day flaws in Chrome.

Physical access to device could let attacker see BitLocker-encrypted data

There’s also a patch this month for BitLocker, the full disk encryption feature that’s built into Windows. The bug (CVE-2021-38632), could let an attacker with physical access to a device see data encrypted by BitLocker.

Other Microsoft patches for September include fixes for Office, SharePoint Server, DNS, and the Windows Subsystem for Linux (WSL).

Patches for Adobe Software

Adobe patched 59 CVEs, for products including Acrobat Reader, Photoshop, and ColdFusion. As is common, Acrobat Reader sees the biggest crop of fixes. No less than 26 vulnerabilities were patched in Acrobat Reader, 9 of them rated critical.

You can get more details on all of Adobe’s patches for September 2021 on their website here.

Apple issues emergency fix for iOS

I don’t usually cover Apple in these posts, but Apple has released an emergency fix for iOS, the operating system used on iPhone. The so called ‘zero-click’ vulnerability (CVE-2021-30860), reported by researchers at Citizen Labs, lets commands be run when certain types of files are opened.

The bug is already being exploited in the wild, notably by an Israeli company called the NSO Group. NSO’s software is used by government agencies to spy on smartphone activity.

And that is it for another month! Happy patching.