Another summer (in the northern hemisphere) has gone by the wayside, and fall is here. The days are getting shorter and cooler where I am here in Texas. School is back in session, folks are – for the most part – back from vacations, and we’re already looking ahead to the winter holiday season.
On the Microsoft security front, though, the topic of security and software vulnerabilities is still as hot as ever. We’ve seen a number of new vulnerabilities in the headlines since last month’s Patch Tuesday. These included a security issue in Azure Cosmos DB called ChaosDB that was reported in late August, the “Azurescape” vulnerability in Azure container instances that enables Kubernetes attacks within the multi-tenant architecture, and a zero-day remote execution code vulnerability in the MSHTML component of Windows. Microsoft has scrambled to address these issues.
Even after vulnerabilities are fixed, Microsoft’s research and security teams investigate and analyze major exploits and share that information with the public. On Sept. 2, the Microsoft Security Blog published a deep dive into the SolarWinds Serv-U SSH vulnerability patched in July. You can read that analysis here.
Microsoft also announced that they are quadrupling their cybersecurity investment over the next five years, to the tune of $20 billion. This comes in the wake of a series of attacks on large companies (including the above-mentioned SolarWinds attack). A portion of this, according to a CNBC interview with Microsoft president Brad Smith, will help address the shortage of cybersecurity personnel and will include $150 million in the next year in free engineering services to help federal, state, and local governments “catch up.”
Meanwhile, keeping your operating systems and applications up to date is a never-ending effort. Toward that end, Microsoft released more than 60 security fixes on Sept. 14. Let’s take a look at the critical and important updates in Microsoft Patch Tuesday for September.
As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide website for a full list of the September releases. This month’s updates apply to a broad range of Microsoft products, features, and roles, including Azure Open Management Infrastructure, Azure Sphere, Dynamics Business Central Control, Microsoft Accessibility Insights for Android, Microsoft Edge (Chromium-based), Microsoft Edge for Android, Microsoft MPEG-2 Video Extension, Microsoft Office, Microsoft Office Access, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Office Word, Microsoft Windows Codecs Library, Microsoft Windows DNS, Visual Studio, Windows Ancillary Function Driver for WinSock, Windows Authenticode, Windows Bind Filter Driver, Windows BitLocker, Windows Common Log File System Driver, Windows Event Tracing, Windows Installer, Windows Kernel, Windows Key Storage Provider, Windows MSHTML Platform, Windows Print Spooler Components, Windows Redirected Drive Buffering, Windows Scripting, Windows SMB, Windows Storage, Windows Subsystem for Linux, Windows TDX.sys, Windows Update, Windows Win32K, Windows WLAN Auto Config Service, Windows WLAN Service.
Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you cannot install the updates due to compatibility or other reasons.
Also, as usual, in this article, we’ll focus on the critical issues since they pose the greatest threat.
Critical and exploited vulnerabilities
This year has seen an increase in the instance of zero-day disclosures and attacks, so we will look first at this month’s zero-day vulnerabilities that have been fixed.
Vulnerability exploited in the wild
The following vulnerability has been detected as having already been exploited in the wild:
CVE-2021-40444 – Microsoft MSHTML Remote Code Execution Vulnerability. This is a remote code execution flaw in MSHTML that had been identified and was being used in a limited number of attacks against Windows systems. It affects currently supported versions of both Windows client and server operating systems. It can result in a complete loss of integrity, some loss of confidentiality, and reduced or interrupted availability. For those unable to install the update, there is a workaround that consists of disabling ActiveX controls.
Other zero-day vulnerability patched
The following vulnerability was publicly exposed prior to the release of a fix:
- CVE-2021-36968 – Windows DNS Elevation of Privilege Vulnerability. This is a publicly disclosed privilege escalation zero-day vulnerability, but Microsoft has not found any evidence, as of the Sept. 14 Patch Tuesday releases, of exploitation in the wild. No user interaction is required to accomplish the exploit. It affects Windows 7 and Windows Server 2008 (including server core installations). It can result in a total loss of confidentiality, integrity, and availability.
Other critical vulnerabilities patched
Seven vulnerabilities this month were classified as critical, including the one above. The following six vulnerabilities are all rated critical but had not been disclosed or exploited before patch release:
- CVE-2021-26435 – Windows Scripting Engine Memory Corruption Vulnerability. This is a critical vulnerability (CVSS 8.1) in the Microsoft Windows scripting engine. The exploit requires user interaction, but access to settings or files is not required to carry out the attack. It affects current versions of Windows client and server operating systems. It can result in total loss of confidentiality and integrity; there is no impact on availability.
- CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability. This critical vulnerability impacts the Azure Open Management Infrastructure (OMI) program and allows attackers to perform remote code execution attacks without authentication by sending malicious messages via HTTP/S to port 5986, also known as WinRMport. This can result in a total loss of confidentiality, integrity, and availability. This applies to configurations where the HTTP/S port is exposed.
- CVE-2021-36965 – Windows WLAN AutoConfig Service Remote Code Execution Vulnerability. This vulnerability in the WLAN AutoConfig Service is rated critical as an attacker can use it to launch an attack from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain. It affects current versions of Windows client and server operating systems. No user interaction is required to accomplish the exploit. It can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-36967 – Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability. This vulnerability is rated critical and can be used for elevation of privileges. The exploit requires user interaction, but access to settings or files is not required to carry out the attack. It affects Windows 10 and Windows Server 2016, 20H2, and version 2004 (including server core installations). It can result in total loss of confidentiality, integrity, and availability.
Important and moderate updates
In addition to the critical and zero-day updates listed above, this month’s patches address a number of vulnerabilities that are rated important. These include elevation of privilege, information disclosure, spoofing, and remote code execution issues. You can find the full list in the Security Updates Guide. The following are a few of note:
- CVE-2021-36954 – Windows Bind Filter Driver Elevation of Privilege Vulnerability. This is a vulnerability of low attack complexity that requires no privileges or user interaction to exploit. It affects Windows 10 and Windows Server 2019, 20H2, 2022, and version 2004, including the server core installations. It can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-36959 – Windows Authenticode Spoofing Vulnerability. This is a spoofing vulnerability of low attack complexity that requires no user interaction to accomplish the exploit. It affects current versions of Windows client and server operating systems. It can result in a total loss of integrity, but no loss of confidentiality or availability.
- CVE-2021-36960 – Windows SMB Information Disclosure Vulnerability. This is a vulnerability in Windows Server Message Block protocol that has low attack complexity and requires no privileges or user interaction to accomplish the exploit. It affects current versions of Windows client and server operating systems. It can result in a complete loss of confidentiality, but no loss of integrity or availability.
The following cumulative update was released for Microsoft’s IE 11 web browser:
KB5005563 – Cumulative security update for Internet Explorer. This is a security update for Internet Explorer 11 on Windows Server 2008 Windows 7 Windows Server 2008 R2 Windows Server 2012 Windows 8.1 Windows Server 2012 R2.
KB5005565 – Security update for Windows 10 versions 2004, 20H2, and 21H1 and Window Server versions 2004 and 20H2. This updates security for the listed operating systems and includes quality improvements.
KB5005566 – Security update for Windows 10 version 1909. This updates security for the listed operating system.
NOTE: Starting in October 2021, there will no longer be optional, non-security releases for Windows 10, version 1909. Only cumulative monthly security updates will continue for Windows 10, version 1909.
KB5005573 – Cumulative Update for Windows Server 2016 and Windows 10 Version 1607. This update includes the Flash Removal Package that removes Adobe Flash from the machine. It also includes quality improvements.
KB5005575 – 2021-09 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems. This is a security update that includes quality improvements.
KB5005613 – Monthly rollup for Windows 8.1 and Windows Server 2012 R2. This update includes the Flash Removal Package that removes Adobe Flash from the machine. It also includes quality improvements.
KB5005633 – Monthly Rollup for Windows 7 and Windows Server 2008 R2. This update contains miscellaneous security improvements to internal OS functionality.
ADV990001 – Latest Servicing Stack Updates. All servicing stack updates are classified as critical updates but this does not mean there is a critical vulnerability addressed in this update.
Applying the updates
Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service built into the operating system.
Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.
Before installing updates, you should always research known issues that could affect your particular machines and configurations before rolling out an update to your production systems. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found here in the release notes.
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in Remove specific, prevalent malware with Windows Malicious Software Removal Tool (KB890830) (microsoft.com)
In addition to Microsoft’s security updates, this month’s Patch Tuesday brought a whopping 15 update bulletins from Adobe, which will be discussed in more detail in this month’s Third-Party Patch Roundup at the end of this month.