Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
October 2021 Overview
While October brings us Halloween and all types of spookiness, fortunately, our worst nightmares did not come true with this month’s Patch Tuesday. With a relatively light number of critical and total vulnerabilities, your environment shouldn't turn into a house of horrors.
There were 74 vulnerabilities reported by Microsoft, three of which are rated as critical. There was one exploited vulnerability, and while this was only rated “High”, it is nonetheless important as it involved the Microsoft Windows Operating System. In addition, there were three vulnerabilities rated “High” that were publicly disclosed.
The trend for total number of vulnerabilities is stable, with October’s number of 74 slightly below the monthly average of 77 for the year. Good news for all IT Ops and SecOps professionals is the trend for critical vulnerabilities. October’s total of three not only matches September’s low point for the year, it represents a 66% reduction over the 2021 monthly average. And this trend looks solid when we see that October’s critical vulnerabilities number represents a 46% reduction compared to the six month moving average.
Automox recommends that all critical and exploited vulnerabilities are patched within a 72 hour window, in particular those highlighted this month. With a lighter load than average this month, hopefully SecOps and IT teams will not see their patching activities turned into “fright night.”
This month, Adobe issued updates for Acrobat DC, Acrobat Reader DC, as well as Acrobat and Acrobat Reader 2020 and 2017. The updates address Use After Free as well as Out of Bounds Read and Write vulnerabilities (CVE-2021-40728 through CVE-2021-40731) that allow for arbitrary code execution and privilege escalation on vulnerable versions of Acrobat and Acrobat Reader. There are currently no known exploits for any of the vulnerabilities, however due to the widespread utilization of both Acrobat and Acrobat Reader in enterprise environments, we recommend patching promptly.
Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability that is actively exploited in the wild with attacks targeting Phones and iPads. The vulnerability outlined in CVE-2021-30883 allows an application to execute arbitrary code with kernel privileges, possibly enabling a hacker to have complete and unrestricted access to the underlying hardware, thus executing any CPU instruction and reference any memory address. Kernel mode is generally reserved for the lowest-level, most trusted functions of the operating system. In this vulnerability, kernel privileges can be achieved by using a memory corruption issue in the “IOMobileFrameBuffer” component. While Apple does not typically discuss or confirm security issues until an investigation has occurred, Automox recommends prioritizing the update of all Apple mobile devices to the latest OS.
Critical Vulnerability Breakdown
Chris Hass - CVE-2021-38672 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2021-40461 - Windows Hyper-V Remote Code Execution Vulnerability - Critical
CVE-2021-38672 and CVE-2021-40461 are a pair of critical vulnerabilities found in Windows Hyper-V, a native hypervisor that can create and run virtual machines on x86-64 systems running Windows. Successful exploitation of this vulnerability could allow a malicious guest VM to read kernel memory in the host. To trigger this vulnerability the guest VM requires a memory allocation error to first occur on the guest VM. This bug could be used for a VM escape from guest to host. Neither vulnerability has been exploited publicly, and exploitation is less likely, however organizations utilizing Hyper-V should patch these vulnerabilities as soon as possible.
Gina Geisel - CVE-2021-40486 - Microsoft Word Remote Code Execution Vulnerability - Critical
CVE-2021-40486 is a Microsoft Word Remote Code Execution Vulnerability impacting Microsoft Office, Word, and some versions of SharePoint. This vulnerability is not new to Microsoft with several other similar CVEs documented this year. A remote code execution vulnerability exists in some Microsoft software when it fails to properly handle objects in memory. With a low attack complexity, this vulnerability requires a user opening a specially crafted file either by email or via a website, either hosted by the attacker or through a compromised website that accepts or hosts user-provided content. An attacker who successfully exploits this vulnerability can use this file to perform actions in the context of the current user. For example, the file could take actions on behalf of the logged-on user with the same permissions as the current user. Automox recommends patching all critical vulnerabilities within a 72 hour window.
Jay Goodman - CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability - High and Exploited
CVE-2021-40449 is an important-priority privilege elevation vulnerability found in Microsoft Windows’ Win32k process. This vulnerability has been exploited in the wild and is noted as a low complexity, more likely to be exploited vulnerability. CVE-2021-40449 could be used to elevate user privileges on the device once compromised. Privilege elevation attacks can be used to access beyond what the current user context of the device would allow, enabling attackers to perform unauthorized action, delete or move data, view private information, or install malicious software.
Maarten Buis- CVE-2021-40469 - Windows DNS Server Remote Code Execution Vulnerability - High and Publicly Disclosed
CVE-2021-40469 is a remote code execution vulnerability in the Windows Domain Name System (DNS) server. This is not the first time that Microsoft needed to remediate a vulnerability in the DNS server for a similar vulnerability this year. This time the vulnerability impacts various versions of Windows 7, 8.1 & 10 as well as Windows Server. A successful attacker that exploits this vulnerability could run arbitrary code on the endpoint, but they need to have administrative privileges before they can exploit this vulnerability meaningfully. However, there is still a significant risk because no user interaction is required, and no special endpoint conditions are required for an attack to succeed. There are no reports that the vulnerability has been actively exploited yet, but a rapid patch rollout is still advised because it has been publicly disclosed in a proof of concept.
Justin Knapp - CVE-2021-41335 - Windows Kernel Elevation of Privilege Vulnerability - High and Publicly Disclosed
CVE-2021-41335 is an elevation of privilege vulnerability that exists when the Windows kernel fails to properly handle objects in memory. The vulnerability has been publicly disclosed in a proof-of-concept (POC), showing how successful exploitation could allow an attacker to run arbitrary code in kernel mode. This would enable an attacker to install programs; view, change, or delete data; or create accounts with full user rights. To exploit this vulnerability, an attacker would first have to log on to the system and then run a specially crafted application to take control of the system. Elevation of privilege vulnerabilities like this are often an important step in the cyber kill chain and should be immediately prioritized and patched.
Aleks Haugom - CVE-2021-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability - High and Publicly Disclosed
CVE-2021-41338 is a high severity vulnerability that allows an attacker to bypass the security rules of Windows AppContainer Firewall. This vulnerability results in loss of confidentiality and can be exploited without any user interaction. AppContainers are designed to protect against infiltration from third-party apps. They essentially isolate the runtime environment of applications with the goal of blocking malicious code. Given the sheer number of apps users download, making sure that AppContianers can not be compromised is important to every company’s security hygiene. Since this vulnerability has already been publicly disclosed by James Forshaw of Google’s Project Zero we recommend patching in 72 hours now that an official fix is available.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.