Microsoft patches a total of 74 operating system and software flaws (CVEs) with the October 2021 Patch Tuesday updates. Three of these vulnerabilities are publicly known at the time of the patch release, and one turns out to be a zero-day actively exploited in the wild.
What Is Patch Tuesday?
Patch Tuesday, a.k.a. Black Tuesday (or Update Tuesday), is an unofficial term for the scheduled updates that Microsoft rolls out on Tuesdays to fix known bugs in the Windows operating system and other Microsoft products.
It was introduced in 2003 to provide a routine schedule for the system administrators to plan for updates for Microsoft products. The idea was to simplify the patch management by regular schedules and save the network administrators from the hassle of unpredictable updates. With predetermined update schedules, system administrators could arrange compatibility and deployment tests before installing the updates.
About the Security Vulnerabilities
Microsoft released patches to address 74 vulnerabilities for the following products with the Patch Tuesday updates in October.
- .NET Core & Visual Studio
- Active Directory Federation Services
- Console Window Host
- Microsoft DWM Core Library
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Intune
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Office Word
- Microsoft Windows Codecs Library
- Rich Text Edit Control
- Role: DNS Server
- Role: Windows Active Directory Server
- Role: Windows AD FS Server
- Role: Windows Hyper-V
- System Center
- Visual Studio
- Windows AppContainer
- Windows AppX Deployment Service
- Windows Bind Filter Driver
- Windows Cloud Files Mini Filter Driver
- Windows Common Log File System Driver
- Windows Desktop Bridge
- Windows DirectX
- Windows Event Tracing
- Windows exFAT File System
- Windows Fastfat Driver
- Windows Installer
- Windows Kernel
- Windows MSHTML Platform
- Windows Nearby Sharing
- Windows Network Address Translation (NAT)
- Windows Print Spooler Components
- Windows Remote Procedure Call Runtime
- Windows Storage Spaces Controller
- Windows TCP/IP
- Windows Text Shaping
- Windows Win32K
Three of the vulnerabilities are publicly disclosed (CVE-2021-40469, CVE-2021-41335, CVE-2021-41338) and one is a zero-day (CVE-2021-40449) that is known to be actively exploited in the wild, according to the Microsoft update guide. Regarding the potential impact, one of the patched vulnerabilities (CVE-2021-26427) is rated as critical in severity according to the CVSS (Common Vulnerability Scoring System) scale.
Also worth noting in this month’s updates is the discovery of 2 more Print Spooler vulnerabilities, i.e., CVE-2021-41332 (Information Disclosure) and CVE-2021-36970 (Spoofing), after an actively exploited zero-day Remote Code Execution (RCE) vulnerability (CVE-2021-40444) that was patched with the September 2021 Patch Tuesday updates.
- CVE-2021-40449 Win32k Elevation of Privilege Vulnerability
- CVE-2021-40469 Windows DNS Server Remote Code Execution (RCE) Vulnerability
- CVE-2021-41335 Windows Kernel Elevation of Privilege Vulnerability
- CVE-2021-41338 Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
In this month’s updates, only one vulnerability has been rated as critical, with a CVSS score of 9.0. This Microsoft Exchange Server vulnerability (CVE-2021-26427) was detected by the National Security Agency (NSA).
Note that these initial severity scores assigned by Microsoft could differ from the final severity evaluations of the NVD (National Vulnerability Database).
Other notable security flaws include the Remote Code Execution (RCE) and Elevation of Privilege (EoP) vulnerabilities listed below:
Remote Code Execution (RCE) Vulnerabilities in:
- Microsoft SharePoint Server (CVE-2021-41344, CVE-2021-40487)
- Microsoft Word (CVE-2021-40486)
- Microsoft Excel (CVE-2021-40471, CVE-2021-40473, CVE-2021-40474, CVE-2021-40479, CVE-2021-40485)
- Microsoft Visio (CVE-2021-40480, CVE-2021-40481)
- Windows Hyper-V (CVE-2021-38672, CVE-2021-40461)
- Windows MSHTML (CVE-2021-41342)
- Windows Graphics Component (CVE-2021-41340)
- Windows Media Audio Decoder (CVE-2021-41331)
- Windows Media Foundation (CVE-2021-40462, CVE-2021-41330)
- Windows Text Shaping (CVE-2021-40465)
Elevation of Privilege (EoP) Vulnerabilities in:
- DirectX Graphics Kernel (CVE-2021-40470)
- Storage Spaces Controller (CVE-2021-26441, CVE-2021-40478, CVE-2021-40488, CVE-2021-40489, CVE-2021-41345)
- Microsoft DWM Core Library (CVE-2021-41339)
- Microsoft Exchange Server (CVE-2021-41348)
- Win32k (CVE-2021-40450, CVE-2021-41357)
- Windows AppX Deployment Service (CVE-2021-41347)
- Windows Desktop Bridge (CVE-2021-41334)
- Windows HTTP.sys (CVE-2021-26442)
- Windows Event Tracing (CVE-2021-40477)
- Windows AppContainer (CVE-2021-40476)
- Windows Common Log File System Driver (CVE-2021-40443, CVE-2021-40466, CVE-2021-40467)
- Windows Nearby Sharing (CVE-2021-40464)
For a complete list of all the vulnerabilities, please refer to the Microsoft Security Update Guide.
References to Advisories, Solutions and Tools