,

[updated] Patch now! Microsoft plugs actively exploited zero-days and other updates

On what might seem a relatively calm Patch Tuesday with 55 vulnerabilities being patched, the fact that six of them were rated “Critical” and two of them actively exploited spoils the Zen factor somewhat.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Let’s have a look at the most interesting ones that were patched in this Patch Tuesday update.

Exchange Server (again)

CVE-2021-42321: A Microsoft Exchange Server Remote Code Execution (RCE) vulnerability that is known to be exploited in the wild. This vulnerability was disclosed during the Tianfu International Cybersecurity Contest and requires an authenticated user to run arbitrary code on an on-premise Exchange Server.

Two other Exchange Server vulnerabilities, rated as “Important” are listed under CVE-2021-42305 and CVE-2021-41349. Both are Microsoft Exchange Server Spoofing vulnerabilities. The exploitation appears to be easy as the attack can be initiated remotely and no form of authentication is required for a successful exploitation. However, successful exploitation does require user interaction by the victim.

Excel

CVE-2021-42292: A Microsoft Excel Security Feature Bypass vulnerability which is also being exploited in the wild. Microsoft doesn’t suggest what effect the vulnerability might have, but its CVSS score of 7.8 out of 10 is worrying Two interesting notes in the Microsoft FAQ about this vulnerability:

  • No, the Preview Pane is not an attack vector.
  • The security update for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not immediately available. The updates will be released as soon as possible, and when they are available, customers will be notified via a revision to this CVE information.

Remote Desktop Protocol (RDP)

As if RDP wasn’t a big enough problem already, four vulnerabilities have been found in this widely abused protocol. Three of them are Information Disclosure vulnerabilities and one, listed under CVE-2021-38666 is a “Critical” RCE. The attack can be initiated remotely and no form of authentication is needed for a successful exploitation. It does however require the victim’s interaction.

3D Viewer

The Microsoft 3D Viewer lets you view 3D models with lighting controls, inspect model data and visualize different shading modes. Two “Important” RCE vulnerabilities in this utility have been patched in this update. They are listed under CVE-2021-43208 and CVE-2021-43209. The Microsoft Store will automatically update affected customers. Alternatively, customers can get the update immediately. App package versions 7.2107.7012.0 and later contain this update.

Microsoft Defender

CVE-2021-42298 is a Microsoft Defender Remote Code Execution vulnerability that is rated “Critical.” Defender is designed to scan every file and run with some of the highest levels or privileges in the operating system. An attack can be initiated remotely without any form of authentication. But successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available.

Other patches

It’s not just Microsoft who has issued patches recently, so check you’re using the most up to date version of the below, too.

Siemens issued updates to patch vulnerabilities in in the Nucleus RTOS (realtime operating system) versions Nucleus 4 and Nucleus ReadyStart (Nucleus 3). The vulnerabilities CVE-2021-31886, CVE-2021-31887 and CVE-2021-31888 have the highest CVSS scores with 10.0, 9.9 and 9.9 out of 10 respectively.

Citrix published information about vulnerabilities that have been discovered in Citrix ADC (formerly known as NetScaler ADC), Citrix Gateway (formerly known as NetScaler Gateway), and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO.

Adobe made security updates available for RoboHelp Server, Adobe InCopy, and Adobe Creative Cloud.

Android published a security bulletin last week, which we discussed in detail here.

Cisco published a security advisory that mentions two “Critical” issues. One in Cisco Policy Suite Static SSH Keys, and one concerning Cisco Catalyst PON Series Switches Optical Network Terminal.

SAP has its own Patch Day Security Notes. One vulnerability listed under CVE-2021-40501 has a CVSS score of 9.6 out of 10 and the description Missing Authorization check in ABAP Platform Kernel.

VMWare’s security advisory includes one critical update for VMware vCenter Server which addresses multiple security vulnerabilities.

Intel also issued several security advisories, which are fixes or workarounds for vulnerabilities identified in Intel products.

In case you have no idea where to start, maybe our post about the CISA directive to reduce the risk of known exploited vulnerabilities will help you on your way.

Update Novermber 17, 2021

Microsoft has released a patch for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 to tackle the possible security feature bypass listed as CVE-2021-42294. Customers running affected Mac software should install the update for their product to be protected from this vulnerability. Customers running other Microsoft Office software do not need to take any action.

The same patch includes a solution for CVE-2021-40442 a Microsoft Excel Remote Code Execution vulnerability which also affected Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021.

Stay safe, everyone!