Microsoft patches six zero-days in November 2021 Patch Tuesday update

And two of them are under active exploit

Microsoft has released its November 2021 Patch Tuesday update, addressing a total of 55 security bugs, including two zero-days that are currently being exploited in the wild.

Of all vulnerabilities fixed this month, six are listed as 'critical', while the remaining 49 are 'important' in severity.

Two patches address bugs that are already under active attacks online, while four vulnerabilities were known before the November security update.

The update this month covers a wide range of software, including Microsoft Windows and Windows Components, Microsoft Office and Office Components, Azure, the Chromium-based Edge browser, Visual Studio, Microsoft Dynamics, Windows Hyper-V and Exchange Server.

All in all, it's a pretty light month, according to the Zero Day Initiative's Dustin Childs.

"Historically speaking, 55 patches in November is a relatively low number," he commented.

One of the most newsworthy patches this month is for a zero-day bug in Exchange Server 2016 and 2019, which could allow authenticated attackers to run code remotely on vulnerable machines.

Listed as CVE-2021-42321, this post-authentication vulnerability is caused by improper validation of command-let (cmdlet) arguments, according to Microsoft, and has seen "limited targeted attacks" in the wild.

"At first glance, CVE-2021-42321 sounds pretty scary, as we have already seen several Exchange Server vulnerabilities this year that were quickly adopted by attackers for exploitation," said Kev Breen, Director of Cyber Threat Research, Immersive Labs.

"This one comes with a CVSS score of 8.8, as the attacker must already have authenticated access. While the release does not detail what level of authentication is required, this vulnerability is marked as being actively exploited in the wild - so it should definitely be high on your list to patch."

CVE-2021-42292, another zero-day under active exploit, impacts Microsoft Excel versions 2013-2021 and could enable threat actors to run malicious code just by convincing a person to open a booby-trapped Excel file.

"Microsoft does not offer any suggestion on what effect this vulnerability can have, but its CVSS score of 7.8 puts it in the 'high' severity rating category," Breen said.

Preview Pane is not an attack vector for this 'security feature bypass' bug, according to Microsoft.

No patch is currently available for Microsoft Office LTSC for Mac 2021 or Microsoft Office 2019 for Mac.

CVE-2021-38631 and CVE-2021-41371 are two vulnerabilities that were known prior to Tuesday's patches. Both impact Microsoft's Remote Desktop Protocol (RDP) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems.

The bugs could enable a malicious actor to view the RDP password for the vulnerable system.

CVE-2021-38666 is a remote code execution (RCE) bug in the Windows RDP Client, which could be exploited by attackers after tricking a user into connecting to a malicious RDP server.

CVE-2021-42298 is a Microsoft Defender RCE flaw that will be patched automatically on internet-connected devices when they receive the malware definition updates and the update for the Microsoft Malware Protection Engine.