Today is Microsoft’s October 2021 Patch Tuesday, and with it comes fixes for four zero-day vulnerabilities and a total of 74 flaws.
Microsoft has fixed 74 vulnerabilities (81 including Microsoft Edge) with today’s update, with three classified as Critical, and 70 as Important, and one as Low.
These 81 vulnerabilities (including Microsoft Edge) are classified as:
- 21 Elevation of Privilege Vulnerabilities
- 6 Security Feature Bypass Vulnerabilities
- 20 Remote Code Execution Vulnerabilities
- 13 Information Disclosure Vulnerabilities
- 5 Denial of Service Vulnerabilities
- 9 Spoofing Vulnerabilities
For information about the non-security Windows updates, you can read about today’s Windows 11 KB5006674 cumulative update (https://www.bleepingcomputer.com/news/microsoft/windows-11-kb5006674-update-released-with-compatibility-fixes/) and the Windows 10 updates KB5006670 & KB5006667 cumulative updates (https://www.bleepingcomputer.com/news/microsoft/windows-10-updates-kb5006670-and-kb5006667-released/).
Four zero-days fixed, with one actively exploited
October’s Patch Tuesday includes fixes for four zero-day vulnerabilities, with a Win32k Elevation of Privilege Vulnerability vulnerability known to have been actively exploited in attacks.
Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.
The actively exploited vulnerability was discovered by Kaspersky’s Boris Larin (oct0xor) and allows malware or a threat actor to gain elevated privileges on a Windows device.
- CVE-2021-40449 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40449) – Win32k Elevation of Privilege Vulnerability
Kaspersky disclosed today that the vulnerability was used by threat actors in “widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities.”
As part of the attacks, the threat actors installed a remote access trojan (RAT) that was elevated with higher permissions using the zero-day Windows vulnerability.
Kaspersky calls this cluster of malicious activity MysterSnail and is attributed to the IronHusky and Chinese-speaking APT activity.
Microsoft also fixed three other publicly disclosed vulnerabilities that are not known to be exploited in attacks.
- CVE-2021-40469 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-40469) – Windows DNS Server Remote Code Execution Vulnerability
- CVE-2021-41335 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41335) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2021-41338 (https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-41338) – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
Recent updates from other companies
Other vendors who released updates in July include:
- Adobe’s October security updates (https://helpx.adobe.com/security/security-bulletin.html) were released for various applications.
- Android’s October security updates were released (https://www.bleepingcomputer.com/news/security/android-october-patch-fixes-three-critical-bugs-41-flaws-in-total/) last week.
- Apache released HTTP Web Server 2.4.51 (https://www.bleepingcomputer.com/news/security/apache-emergency-update-fixes-incomplete-patch-for-exploited-bug/) to fix an incompete patch for an actively exploited vulnerability.
- Apple released security updates (https://support.apple.com/en-us/HT212846) for iOS and iPadOS yesterday that an actively exploited zero-day vulnerability.
- Cisco released security updates (https://tools.cisco.com/security/center/publicationListing.x) for numerous products this month.
- SAP released (https://wiki.scn.sap.com/wiki/x/v4D-Ig) its October 2021 security updates.
- VMware released a two security updates (https://www.vmware.com/security/advisories/VMSA-2021-0022.html), (https://www.vmware.com/security/advisories/VMSA-2021-0023.html) for VMware vRealize Operations.
The October 2021 Patch Tuesday Security Updates
Below is the complete list of resolved vulnerabilities and released advisories in the October 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here (https://www.bleepingcomputer.com/microsoft-patch-tuesday-reports/October-2021.html).