Microsoft released fixes for 60 security vulnerabilities in its September 2021 Patch Tuesday update. Of the 60 vulnerabilities, 56 were rated important and four critical. The affected products include Microsoft Windows, SharePoint Server, the Edge browser, Azure Sphere, Microsoft Edge for Android, Microsoft Visio, Visual Studio, Windows BitLocker, Microsoft Windows DNS, and the Windows Subsystem for Linux. The update also patched CVE-2021-40444, a critical zero-day vulnerability in the Windows MSHTML (Trident) engine that had recently been exploited in the wild, along with three elevation of privilege vulnerabilities in Windows Print Spooler: CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447.
Other critical flaws resolved in the update
- CVE-2021-38647 – This remote code execution (RCE) vulnerability affects the Open Management Infrastructure (OMI) agent. If exploited, it could allow an attacker to execute arbitrary code remotely by sending a specially crafted message over HTTPS to port 5986.
- CVE-2021-36968 – Microsoft stated there was no evidence that this Windows DNS elevation of privilege zero-day vulnerability had been exploited.
- CVE-2021-26435 – Attackers could exploit this Windows Scripting Engine memory corruption vulnerability by sending a specially crafted file to a user and convincing the user to open it. In a web-based attack scenario, an attacker could instead host a website containing a specially crafted file designed to exploit the vulnerability.
- CVE-2021-36967 – Attackers could exploit this critical Windows WLAN AutoConfig Service elevation of privilege vulnerability to gain elevated privileges on a targeted device.
Diversity of Vulnerabilities
Microsoft stated that elevation of privilege (EoP) vulnerabilities accounted for 41.7% of the total, followed by remote code execution (RCE) vulnerabilities (26.7%), information disclosure (16.7%), spoofing (10%), security feature bypass (3.3%), and denial of service (1.7%).
Microsoft strongly recommended that users and organizations apply the patches promptly to fix the flaws and reduce the risk of intrusion.