Microsoft patches 66 vulnerabilities in September update

Microsoft has pushed fixes for a total of 66 common vulnerabilities and exposures (CVEs), three critical and one moderate in severity, as well as the previously disclosed CVE-2021-40444 zero-day, in its September 2021 Patch Tuesday update.

CVE-2021-40444 is a remote code execution vulnerability in Microsoft MSHTML, a component used in Internet Explorer and Office, and a workaround to address it was made available last week.

Christopher Hass, director of information security and research at Automox, described CVE-2021-40444 as a particularly nasty vulnerability and recommended that security teams prioritise remediation.

“Microsoft observed targeted attacks in the wild that exploited this vulnerability by using specially crafted Microsoft Office documents,” he said. “It was later discovered that rich text documents could be used to deliver malicious payloads as well.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document or a rich text file that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.

“Due to this vulnerability already being used by attackers, and a public proof of concept is available, defenders should patch this vulnerability as soon as possible.”

John Hammond, senior security researcher at Huntress, said the fix for CVE-2021-40444 appeared, on analysis, to be effective.

“In the RTF rendition of the CVE-2021-40444 exploit, the malicious CAB file that is used to prepare code execution is not downloaded and exploitation fails,” he said. “This also prevents the attack vector present in the Preview Mode of the Windows File Explorer.

“In the DOCX rendition of the exploit, it seems the CAB file is downloaded, but code does not execute and the exploit still fails. We are still analysing things further and will share updates as we find them. We still strongly encourage organisations to apply this patch as quickly as they can.”

The three critical CVEs patched this month are: CVE-2021-26435, an RCE vulnerability in the Windows Scripting Engine; CVE-2021-36956, an RCE vulnerability in Windows WLAN AutoConfig Service impacting versions of Windows 7, 8 and 10, and Windows Server; and CVE-2021-38647, another RCE vulnerability in the Open Management Infrastructure (OMI) stack.

Of these three vulnerabilities, CVE-2021-26435 requires a user to be duped into opening a specially crafted file, so exploitation is marginally less likely; CVE-2021-36965 requires a target device to be on a shared network, or for an attacker to already have a foothold on the target network, but is highly dangerous in those circumstances; and CVE-2021-38657 is regarded as relatively trivial to exploit. All three should be prioritised for patching within the next 48-72 hours, because weaponisation has probably begun.

Also of note in this month’s drop are a number of fixes for vulnerabilities in Windows Print Spooler, which became a hot topic in July after the botched disclosure of an RCE vulnerability, dubbed PrintNightmare. Print Spooler vulnerabilities are highly valuable to malicious actors because the native, built-in service is default-enabled on Windows machines to manage printers and print servers and, as such, is prevalent across enterprise IT estates.

The three Print Spooler vulnerabilities patched this month are CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447. All three are elevation of privilege vulnerabilities.

“For the last few months, we have seen a steady stream of patches for flaws in Windows Print Spooler following the disclosure of PrintNightmare in July,” said Tenable staff research engineer Satnam Narang. “Researchers continue to discover ways to exploit Print Spooler, and we expect continued research in this area.

“Only one [CVE-2021-38671] of the three vulnerabilities is rated as exploitation more likely. Organisations should also prioritise patching these flaws as they are extremely valuable to attackers in post-exploitation scenarios.”

As usual, Redmond’s latest patch addresses multiple other vulnerabilities running the gamut of Microsoft’s product family, but also of note, multiple CVEs were patched in Microsoft’s Chromium-based Edge browser earlier in the month, taking the September total above 80.

Kevin Breen, Immersive Labs’ director of cyber threat research, said: “This cycle, we’ve seen 25 vulnerabilities that have been patched in Chrome and ported over to Microsoft’s Chromium-based Edge.

“I cannot underestimate the importance of patching your browsers and keeping them up to date. After all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you’re thinking about your online banking or the data collected and stored by your organisation’s web apps, they could all be exposed by attacks that exploit the browser.”