IT admins of Microsoft systems have 55 new vulnerabilities to patch this month after the company issued its patches for November this week, including two that are currently under active exploitation and six rated as critical.
November’s Patch Tuesday releases fix security flaws in Microsoft products such as Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender and Visual Studio, according to Zero Day Initiative, a software vulnerability reporting advocacy group operated by cybersecurity firm Trend Micro.
Zero Day Initiative (ZDI) calls the 55 patches released this month “relatively low” compared to previous years, including last year when there were more than double that number of vulnerabilities fixed.
“Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors,” ZDI said in a blog. “It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.”
Regardless of quantity, ZDI highlighted some of the more important vulnerabilities that IT admins should prioritize, including another remote code execution flaw in Exchange Server, a security feature bypass vulnerability in Excel and more.
Here is a look at some of the more serious vulnerabilities addressed in November’s updates:
- Remote Code Execution in Microsoft Exchange Server (CVE-2021-42321). According to Microsoft, this is a post-authentication vulnerability in Exchange 2016 and 2019, affecting on-premises Exchange Server, including those used by customers in Exchange Hybrid mode. Microsoft says it is aware of “limited targeted attacks in the wild” leveraging this vulnerability. Both Microsoft and ZDI urge immediate patching for this. Read this Microsoft blog to help with patch deployment.
- Security Feature Bypass in Microsoft Excel (CVE-2021-42292). This patch fixes a flaw in Excel that could allow code execution when a user opens a specially crafted file with an affected version of Excel. ZDI says this is likely due to loading code that could be behind a prompt, but the prompt doesn’t appear, thus bypassing the security feature. Because Microsoft lists this as under active attack, users should be wary of opening unexpected attachments for a while. This applies especially to users of Office for Mac, because there is currently no patch for them.
- Remote Code Execution in Microsoft Virtual Machine Bus (CVE-2021-26443). According to ZDI, this is a guest-to-host escape vulnerability through the VMBus that allows a user on a guest VM to send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution. ZDI labels this as one of the more severe vulnerabilities, and one that Microsoft has been aware of for a few months.
- Remote Code Execution Vulnerability in Remote Desktop Client (CVE-2021-38666). According to ZDI, attackers can exploit this vulnerability by luring a user to connect to a malicious RDP server and then executing code on the connecting RDP client system.
- OpenSSL SM2 Decryption Buffer Overflow (CVE-2021-3711). With a CVSS score of 9.8, this is the most severe vulnerability patched by Microsoft this month. According to Microsoft, this vulnerability is in OpenSSL software, which is consumed by Microsoft Visual Studio. An attacker could exploit this to alter the contents of data, change application behavior or cause the application to crash.
Other patches to prioritize include RCE flaws in Defender and Dynamics 365 (CVE-2021-42298 and CVE-2021-42316).
Adobe also released patches this month, but only three, for flaws in Creative Cloud Desktop, InCopy and RoboHelp. None are listed as being publicly known or under active attack, ZDI says.