Microsoft Patch Tuesday bug harvest festival comes to town

With 71 new CVEs, there are patches enough for everyone


Microsoft's October Patch Tuesday has arrived with fixes for 71 new CVEs, two patch revisions to address bugs from previous months that just won't die, and three CVEs tied to OpenSSL flaws. That's in addition to eight Edge-Chromium CVEs dealt with earlier this month.

Two of the fresh bugs are rated Critical, 68 are designated Important, and one is rated Low severity.

Four of the October bugs have been publicly disclosed, including two holdovers from earlier months: an Azure AD security feature bypass vulnerability from July (CVE-2021-33781) and a Windows key storage provider security feature bypass flaw from September (CVE-2021-38624).

Microsoft says one of the bugs, a Win32K privilege elevation issue (CVE-2021-40449), is currently being exploited.

According to Kaspersky security researchers Costin Raiu and Boris Larin, Kaspersky initially spotted attacks using a privilege elevation exploit on Microsoft Windows servers in late August and early September.

"The exploit had numerous debug strings from an older, publicly known exploit for vulnerability CVE-2016-3309, but closer analysis revealed that it was a zero-day," said Raiu and Larin in a blog post. "We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules."

After Kaspersky reported the zero-day vulnerability to Microsoft, it was designated CVE-2021-40449.

Avoid a Halloween scare

Zero-Day Initiative's Dustin Childs in a blog post noted that an Exchange Server remote code execution vulnerability (CVE-2021-26427) is likely to get a fair amount of attention because it was reported to Microsoft by the US National Security Agency, even if it's not all that severe on its own. The NSA, America's signals intelligence agency, was last seen shoring up Exchange Server installations back in April. Coincidentally, Microsoft Exchange has been a popular target for state-sponsored hacking groups.

Childs also highlighted two other vulnerabilities, a Microsoft Word remote code execution bug (CVE-2021-40486) and a rich text edit control flaw in Power Apps (CVE-2021-40454) that can be used to expose sensitive information.

"We don’t often highlight information disclosure bugs, but this vulnerability goes beyond just dumping random memory locations," said Childs. "This bug could allow an attacker to recover cleartext passwords from memory, even on Windows 11."

In an email to The Register, Kevin Breen, director of cyber threat research at Immersive Labs, pointed to CVE-2021-40487, a Microsoft SharePoint remote code execution flaw, as another priority patch.

"This one requires an authenticated user on the domain, so it will be more difficult for an attacker to exploit; however, gaining remote code execution on a SharePoint server opens up a lot of avenues for further exploitation," said Breen.

And the best of the rest

Adobe, meanwhile, has prepared six patches addressing 10 CVEs in Adobe Reader, Acrobat Reader for Android, Adobe Campaign Standard, Commerce, Ops-CLI, and Adobe Connect. That's significantly fewer than the 59 CVEs it tended to last month.

According to Childs, the Acrobat patch repairs four flaws, two of which are rated Critical and two of which are rated Moderate. "The Critical-rated bugs could allow remote code execution while the Moderate-rated bugs could allow a privilege escalation," he said, adding that the Reader for Android fix closes a single path traversal bug that provides an opportunity for code execution.

On Monday, Apple released iOS 15.0.2 and iPadOS 15.0.2 to address CVE-2021-30883, an actively exploited zero-day bug in the IOMobileFrameBuffer kernel extension.

Finally, SAP released 17 new and revised security patches, three of which have been classified HotNews and one of which has been filed under High Priority. That's a bit less of a dumpster fire than last month's drop with seven HotNews critical fixes. However, one of the HotNews notes refers to repairs to the SAP Business Client's Chromium implementation: It brings Chromium to version 94.0.4606.54 within the client software and fixes 65 browser bugs.

Onapsis security researcher Thomas Fritsch in a blog post noted that another of the HotNews designees, SAP Security Note #3101406, carries a CVSS score of 9.8 and is the most critical of the bugs in the October harvest. The patch addresses an XML External Entity (XEE) Injection vulnerability in SAP Environmental Compliance (SAP EC), he explained, noting that SAP EC supports emission management and compliance-relevant processes in industrial environments.

"Given the fact that the assigned CVSS vector indicates a high impact on confidentiality, integrity, and availability, let's assume that there is a wide range of possible exploits," said Fritsch. "In general, an XEE Injection vulnerability is a web security vulnerability that allows an attacker to interfere with an application's processing of XML data." ®
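The standard defence against the class of bug Fritsch describes is to refuse any inbound XML that declares a DTD at all, since external entities can only be defined inside one. The following is an added example, not code from the article, from SAP or from Onapsis: it uses Python's standard-library expat bindings to reject a document the moment a DOCTYPE declaration is seen, before any entity can be expanded, and only then hands the document to ElementTree. The two sample documents and the `file:///placeholder/...` path are constructed for the example and stand in for whatever an application such as SAP EC would actually receive.

```python
"""Defensive XML intake: reject any document that carries a DTD before parsing it.

Added example, not from the article. The sample documents below are constructed.
"""
import xml.etree.ElementTree as ET
import xml.parsers.expat


class XmlRejected(ValueError):
    """Raised when an untrusted XML document declares a DOCTYPE/DTD."""


def _reject_doctype(name, sysid, pubid, has_internal_subset):
    # expat calls this at the start of <!DOCTYPE ...>, i.e. before any
    # <!ENTITY ...> declaration inside it has been processed or expanded.
    raise XmlRejected(
        f"DTD declared (DOCTYPE {name!r}); entity declarations are not accepted"
    )


def parse_untrusted(data: bytes) -> ET.Element:
    """Parse XML from an untrusted source, refusing documents that contain a DTD.

    Pass 1 is a scan with a bare expat parser whose only job is to abort on a
    DOCTYPE. Pass 2 is the normal ElementTree parse, which is safe once no DTD
    (and therefore no external or recursive entity) can be present.
    """
    scanner = xml.parsers.expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = _reject_doctype
    scanner.Parse(data, True)  # raises XmlRejected or ExpatError as appropriate
    return ET.fromstring(data)


def classify(data: bytes) -> str:
    """Return a one-line verdict for a document: accepted, rejected or malformed."""
    try:
        root = parse_untrusted(data)
    except XmlRejected as exc:
        return f"rejected: {exc}"
    except (ET.ParseError, xml.parsers.expat.ExpatError) as exc:
        return f"malformed: {exc}"
    return f"accepted: <{root.tag}>"


# Constructed sample input: a benign emissions report with no DTD.
SAFE_DOC = (
    b'<?xml version="1.0"?>'
    b'<emissions site="plant-7"><co2 unit="t">12.5</co2></emissions>'
)

# Constructed sample input: the same report carrying a DTD that defines an
# external entity. The SYSTEM path is a placeholder; a real document would
# point at a file or URL the attacker wants the parser to read.
XXE_DOC = (
    b'<?xml version="1.0"?>'
    b'<!DOCTYPE emissions [<!ENTITY ext SYSTEM "file:///placeholder/secret.txt">]>'
    b'<emissions site="plant-7">&ext;</emissions>'
)

if __name__ == "__main__":
    for label, doc in (("safe", SAFE_DOC), ("dtd", XXE_DOC), ("truncated", b"<emissions>")):
        print(f"{label:>9}: {classify(doc)}")
```

Rejecting on DOCTYPE rather than trying to selectively disable external entities keeps the check parser-agnostic: whatever library later consumes the document, it never sees an entity declaration. Where an application legitimately needs a DTD, the same expat hook can be narrowed to abort only when an entity declaration with a SYSTEM or PUBLIC identifier appears.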
