Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
September 2021 Overview
September is not just the end of summer, but the beginning of school for millions of students. University and college campuses go from empty with virtually no connected devices, to tens of thousands in one week, putting enormous pressure on their SecOps and IT teams. And, while this month has seen an increase in the total number of vulnerabilities reported by Microsoft, fortunately there is a dramatic reduction in the number of critical vulnerabilities. The back-to-school season is stressful enough, and fewer critical vulnerabilities to address can only help campus IT teams in their mission to help students and protect school infrastructure.
Microsoft reported 86 vulnerabilities, three of which are rated as critical. In addition, there was one vulnerability that while only rated as “High Severity,” nonetheless was exploited and publicly disclosed.
September’s 86 vulnerabilities were the fourth highest monthly amount so far in 2021, and represents a 68% increase over August. September’s total was also higher than the average of 77 vulnerabilities per month so far this year. Thankfully, the three reported critical vulnerabilities were 57% less than the seven reported in August, and dramatically fewer - 67% - than the monthly average of nine critical vulnerabilities this year.
Automox recommends that all critical and exploited vulnerabilities are patched within a 72 hour window. Fortunately for university SecOps and IT teams, the dramatic reduction in the number of these vulnerabilities should reduce some pressure during this hectic back-to-school season.
Adobe has released a massive list of 15 security updates for a large number of products and components including Photoshop, Premiere Pro, Experience Manager, Premiere Elements, Photoshop Elements, Creative Cloud Desktop Application, ColdFusion, Framemaker, InDesign, InCopy, Acrobat and Reader and different toolkits. Security updates include APSB21-55, APSB21-67, APSB21-71 through APSB21-78, APSB21-80 through APSB21-82, APSB21-84 and APSB21-85. Vulnerabilities include arbitrary code executions, arbitrary file system reads, arbitrary file system writes, memory leaks, application denial of service, privilege escalation, and security feature bypass. Adobe has given these security updates a “Priority Rating” of either "2" or "3." While not their highest remediation priority, those rated with level "2" priority do require some attention. Priority 2 vulnerabilities have no known exploits, and Adobe has communicated that they do not anticipate any imminent exploits. As a result, Adobe recommends administrators install the update “soon,” which essentially means within 30 days.
Apple released an emergency software patch for iOS 14.8 and iPadOS 14.8 and macOS to fix a security vulnerability that could allow hackers to directly infect iPhones and other Apple devices without any user action. While Apple does not typically discuss or confirm security issues until an investigation has occurred, news reports have attributed the discovery of this vulnerability to researchers at the University of Toronto’s Citizen Lab, who claimed that flaw allowed spyware from the NSO Group to directly infect the iPhone of a Saudi activist. Some claim that NSO is the world’s most infamous hacker-for-hire firm. This is the first time a “zero-click” exploit has been caught and analyzed, according to the researchers at Citizen Lab, who discovered the malicious code on September 7. Due to the serious nature of this vulnerability, Automox recommends the immediate update of all Apple devices including the iPhone and iPad.
Critical Vulnerability Breakdown
Justin Knapp - CVE-2021-26435 - Windows Scripting Engine Memory Corruption Vulnerability - Critical
CVE-2021-26435 presents a critical remote code execution (RCE) vulnerability discovered within the Windows Scripting Engine. While the attack complexity is considered low, successful exploitation does require user interaction, which means an attacker would need to lure a user into opening a specially crafted file. This can be accomplished either through baiting users to open a malicious file attached in an email or through a web-based attack scenario in which the specially crafted file is hosted on a compromised website. Since there’s no way to force users to visit the website, an attacker would have to entice users to click a link and then convince them to open the malicious file once on the website. While exploitation of this vulnerability is considered less likely, the number of Windows and Windows Server versions impacted should justify immediate prioritization and remediation.
Aleks Haugom - CVE-2021-36965 - Windows WLAN AutoConfig Service Remote Code Execution Vulnerability- Critical
CVE-2021-36965 is a critical remote code execution vulnerability that impacts various versions of Windows 7, 8, & 10 as well as Windows Servers via Wireless Local Area Network (WLAN). Essentially, this vulnerability leverages the mechanism that enables your Windows devices to auto-connect to Wi-Fi. When exploited, attackers gain complete access to your device. The only refuge from an attack is that this vulnerability on its own can not be weaponized over the internet; it requires a shared physical network, like a college campus. However, when leveraged along with other vulnerabilities, an attacker that already has a foothold in your network can extend their reach to additional devices. As weaponization has likely already begun, we recommend patching within 72 hours, or by 09/17/21.
Chad McNaughton - CVE-2021-38647 - Open Management Infrastructure Remote Code Execution Vulnerability - Critical
CVE-2021-38647 is a critical vulnerability in the OMI stack (Azure Open Management Infrastructure) that could allow attackers to execute remote code. This is a low-complexity exploit that requires no user interaction or elevated privileges, however, it’s more interesting in relation to another open/known vulnerabilities in OMI (see CVE-2021-38648, “Elevation of Privilege Vulnerability”). In short, Open Management Infrastructure is a free/open-source Common Information Model (CIM) management server that strives to remove obstacles standing in the way of implementing standards-based management so that any device worldwide can then be managed “in a clear, consistent, coherent way and to nurture [and] spur a rich ecosystem of standards-based management products." Due to the low-complexity/low-interaction level of this vulnerability - and as viewed alongside its counterpart mentioned above - it’s been deemed critical, and should be patched within 72 hours.
Chris Hass - CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability - High and Exploited and Publicly Disclosed
A nasty Microsoft MSHTML Remote Code Execution Vulnerability was initially disclosed by Microsoft early last week. Microsoft observed targeted attacks in the wild that exploited this vulnerability by using specially-crafted Microsoft Office documents. It was later discovered that rich text documents could be used to deliver malicious payloads as well. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document or a rich text file that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Due to this vulnerability already being used by attackers, and a public proof of concept is available, defenders should patch this vulnerability as soon as possible.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.