Microsoft September 2021 Patch Tuesday: Distant code execution flaws in MSHTML, OMI mounted
Microsoft has launched over 60 safety fixes and updates resolving points together with a distant code execution (RCE) flaw in MSHTML and different crucial bugs.
The Redmond large’s newest round of patches, often launched on the second Tuesday of every month in what is called Patch Tuesday, landed on September 14.
Merchandise impacted by September’s safety replace embrace Azure Open Administration Infrastructure, Azure Sphere, Workplace Excel, PowerPoint, Phrase, and Entry; the kernel, Visible Studio, Microsoft Home windows DNS, and BitLocker, amongst different software program.
On September 7, Microsoft mentioned a distant code execution flaw in MSHTML had been recognized and was being utilized in a restricted variety of assaults in opposition to Home windows programs. The zero-day vulnerability, tracked as CVE-2021-40444, has been resolved on this patch spherical and the agency is urging customers to simply accept the safety repair instantly.
Another notable vulnerabilities resolved on this replace are:
- CVE-2021-38647: With a CVSS rating of 9.8, that is probably the most crucial bug on September’s checklist. This vulnerability impacts the Open Administration Infrastructure (OMI) program and permits attackers to carry out RCE assaults with out authentication by sending malicious messages through HTTPS to port 5986.
“Some Azure merchandise, reminiscent of Configuration Administration, expose an HTTP/S port for interacting with OMI (port 5986 often known as WinRMport),” Microsoft says. “This configuration the place the HTTP/S listener is enabled may enable distant code execution. You will need to point out that the majority Azure companies that use OMI deploy it with out exposing the HTTP/S port.”
- CVE-2021-36968: A publicly disclosed Home windows DNS privilege escalation zero-day vulnerability, issued a CVSS rating of seven.8. Microsoft has not discovered any proof, as of but, of exploitation within the wild.
- CVE-2021-26435: A crucial flaw (CVSS 8.1) within the Microsoft Home windows scripting engine. Nonetheless, this reminiscence corruption flaw requires person interplay to set off.
- CVE-2021-36967: A vulnerability, deemed crucial and issued a CVSS rating of 8.0, within the Home windows WLAN AutoConfig service which can be utilized for elevation of privileges.
In accordance with the Zero Day Initiative (ZDI), the 66 CVEs — together with three crucial, one average, and the remainder deemed vital — reveal a quantity barely increased than the typical patch fee throughout 2021, whereas that is nonetheless beneath 2020 quantity. As well as, 20 CVEs had been patched by Microsoft Edge (Chromium) earlier in September. In complete, 11 of those vulnerabilities had been submitted by the Zero Day Initiative, for a complete of 86 CVEs.
Final month, Microsoft resolved 44 vulnerabilities within the August batch of safety fixes. In complete, three had been categorized as zero-day flaws, and 13 allowed attackers to carry out RCE assaults. Included within the patch launch was a repair for a well-publicized Windows Print Spooler vulnerability which may very well be weaponized for the needs of native privilege escalation.
A month prior, the tech large tackled 117 bugs in the course of the July Patch Tuesday.
In different safety information, Apple has patched a zero-day vulnerability reportedly exploited by NSO Group to spy on customers of Mac, iPhone, iPad, and Watch merchandise. As well as, Google has pushed out a security update resolving two zero-day bugs being actively exploited within the wild.
Alongside Microsoft’s Patch Tuesday spherical, different distributors, too, have revealed safety updates which might be accessed beneath.