This article is more than 1 year old
Microsoft Patch Tuesday bug harvest festival comes to town
With 71 new CVEs, there are patches enough for everyone
Microsoft's October Patch Tuesday has arrived with fixes for 71 new CVEs, two patch revisions to address bugs from previous months that just won't die, and three CVEs tied to OpenSSL flaws. That's in addition to eight Edge-Chromium CVEs dealt with earlier this month.
Two of the fresh bugs are rated Critical, 68 are designated Important, and one is rated Low severity.
Four among the overall October harvest have been publicly disclosed, including one from July, an Azure AD security feature bypass vulnerability (CVE-2021-33781). The other holdover from September is CVE-2021-38624, a Windows key storage provider security feature bypass flaw.
Microsoft says one of the bugs, a Win32K privilege elevation issue (CVE-2021-40449) is currently being exploited.
According to Kaspersky security researchers Costin Raiu and Boris Larin, Kaspersky initially spotted attacks using a privilege elevation exploit on Microsoft Windows servers in late August and early September.
"The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day," said Raiu and Larin in a blog post. "We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules."
After Kaspersky reported the zero-day vulnerability to Microsoft, it was designated CVE-2021-40449.
Avoid a Halloween scare
Zero-Day Initiative's Dustin Childs in a blog post noted that an Exchange Server remote code execution vulnerability (CVE-2021-26427) is likely to get a fair amount of attention because it was reported to Microsoft by the US National Security Agency, even if it's not all that severe on its own. The NSA, America's signals intelligence agency, was last seen shoring up Exchange Server installations back in April. Coincidentally, Microsoft Exchange has been a popular target for state-sponsored hacking groups.
Childs also highlighted two other vulnerabilities, a Microsoft Word remote code execution bug (CVE-2021-40486) and a rich text edit control flaw in Power Apps (CVE-2021-40454) that can be used to expose sensitive information.
"We don’t often highlight information disclosure bugs, but this vulnerability goes beyond just dumping random memory locations," said Childs. "This bug could allow an attacker to recover cleartext passwords from memory, even on Windows 11."
In an email to The Register, Kevin Breen, director of cyber threat research at Immersive Labs, pointed to CVE-2021-40487, a Microsoft SharePoint remote code execution flaw, as another priority patch.
"This one requires an authenticated user on the domain, so it will be more difficult for an attacker to exploit; however, gaining remote code execution on a Sharepoint server opens up a lot of avenues for further exploitation," said Breen.
And the best of the rest
Adobe, meanwhile, has prepared six patches addressing 10 CVEs in Adobe Reader, Acrobat Reader for Android, Adobe Campaign Standard, Commerce, Ops-CLI, and Adobe Connect. That's significantly less than the 59 CVEs it tended to last month.
According to Childs, the Acrobat patch repairs four flaws, two of which are rated Critical and two of which are rated Moderate. "The Critical-rated bugs could allow remote code execution while the Moderate-rated bugs could allow a privilege escalation," he said, adding that the Reader for Android fix closes a single path traversal bug that provides an opportunity for code execution.
On Monday, Apple released iOS 15.0.2, and iPadOS 15.0.2 to address a CVE-2021-30883, an actively exploited zero-day bug in the IOMobileFrameBuffer kernel extension.
- Apple patches 'actively exploited' iPhone zero-day with iOS 15.0.2 update
- Story of the creds-leaking Exchange Autodiscover flaw – the one Microsoft wouldn't fix even after 5 years
- Apple warns of arbitrary code execution zero-day being actively exploited on Macs
- Break out your emergency change process and patch this ransomware-friendly bug ASAP, says VMware
Finally, SAP released 17 new and revised security patches, three of which have been classified HotNews and one of which has been filed under High Priority. That's a bit less of a dumpster fire than last month's drop with seven HotNews critical fixes. However, one of the HotNews notes refers to repairs to the SAP Business Client's Chromium implementation: It brings Chromium to version 94.0.4606.54 within the client software and fixes 65 browser bugs.
Onapsis security researcher Thomas Fritsch in blog post noted that another of the HotNews designees, SAP Security Note #3101406, carries a CVSS score of 9.8 and is the most critical of the bugs in the October harvest. The patch addresses an XML External Entity (XEE) Injection vulnerability in SAP Environmental Compliance (SAP EC), he explains, noting that SAP EC supports emission management and compliance relevant processes in industrial environments.
"Given the fact that the assigned CVSS vector indicates a high impact on confidentiality, integrity, and availability, let's assume that there is a wide range of possible exploits," said Fritsch. "In general, an XEE Injection vulnerability is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data." ®