Microsoft Patches 55 CVEs and 6 Zero-Days with November 2021 Updates

Overview

Microsoft patches a total of 55 operating system and software flaws (CVEs) with November 2021 Patch Tuesday updates. 6 of these security flaws are zero-day vulnerabilities, 4 of which are known to be exploited in the wild.

What Is Patch Tuesday?

Patch Tuesday, a.k.a., Black Tuesday (or Update Tuesday), is an unofficial term used to refer to the scheduled updates rolled out on Tuesdays by Microsoft to fix for known bugs in the Windows operating system and the other Microsoft products.

It was introduced in 2003 to provide a routine schedule for the system administrators to plan for updates for Microsoft products. The idea was to simplify the patch management by regular schedules and save the network administrators from the hassle of unpredictable updates. With predetermined update schedules, system administrators could arrange compatibility and deployment tests before installing the updates.

About the Security Vulnerabilities

Microsoft released patches to address 55 vulnerabilities for the following products with the Patch Tuesday updates in November.

2 of the vulnerabilities are publicly disclosed (CVE-2021-38631, CVE-2021-41371) and 4 of the vulnerabilities are zero-days (CVE-2021-42292, CVE-2021-42321, CVE-2021-43208, CVE-2021-43209) that are known to be actively exploited in the wild, according to the Microsoft update guide. Regarding the potential impact, 1 of the patched vulnerabilities (CVE-2021-26443) is rated as critical in severity according to CVSS (Common Vulnerability Scoring System) scale.

Zero-Day Vulnerabilities:

• Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerabilities: If successfully exploited, these vulnerabilities (CVE-2021-38631, CVE-2021-41371), with a CVSS score of 4.4, could allow an authenticated (RDP server admin), local attacker to gain access to other RDP client passwords. Though these vulnerabilities are publicly disclosed, Microsoft has not reported their exploitation in the wild.
• Microsoft Exchange Server Remote Code Execution Vulnerability: This vulnerability (CVE-2021-42321), with a CVSS score of 8.8., allows a remote, authenticated attacker to take full control of the Exchange Server via sending maliciously crafted packets to the server. This Exchange Server RCE vulnerability is known to have been exploited in wild.
• Microsoft Excel Security Feature Bypass Vulnerability: With a CVSS score of 7.8, this vulnerability (CVE-2021-42292) is reported to have been exploited in the wild. Currently, no description has been provided for this security flaw.
• 3D Viewer Remote Code Execution Vulnerabilities: With a CVSS score of 7.8, these vulnerabilities (CVE-2021-43208, CVE-2021-43209) are reported to have been exploited in the wild. Currently, no descriptions have been provided for these security flaws.

Critical Vulnerabilities:

In this month’s updates, only one vulnerability has been rated as critical. Windows Virtual Machine Bus Vulnerability (CVE-2021-26443), with a CVSS score of 9.0, could allow an authenticated attacker to execute arbitrary code on the host operating system via sending maliciously crafted communication on the VMBus channel from the guest VM to the host.

Note that, these initial severity scores assigned by Microsoft could differ from the final severity evaluations of the NVD (National Vulnerability Database).

A list of all the security flaws that include the Remote Code Execution (RCE) and Elevation of Privilege (EoP) vulnerabilities categorized by the affected products are listed below:

Remote Code Execution (RCE) Vulnerabilities in:

• 3D Viewer (CVE-2021-43208, CVE-2021-43209)
• Microsoft Dynamics (CVE-2021-42316)
• Microsoft Exchange Server (CVE-2021-42321)
• Microsoft Office Access (CVE-2021-41368)
• Microsoft Office Excel (CVE-2021-40442)
• Microsoft Office Word (CVE-2021-42296)
• Windows COM (CVE-2021-42275)
• Windows Defender (CVE-2021-42298)
• Windows Media Foundation (CVE-2021-42276)
• Windows NTFS (CVE-2021-41378)
• Windows RDP (CVE-2021-38666, CVE-2021-41371)
• Windows Virtual Machine Bus (CVE-2021-26443)

Elevation of Privilege (EoP) Vulnerabilities in:

• Azure RTOS (CVE-2021-42302, CVE-2021-42303, CVE-2021-42304)
• Visual Studio (CVE-2021-42319)
• Visual Studio Code (CVE-2021-42322)
• Windows Active Directory (CVE-2021-42278, CVE-2021-42282, CVE-2021-42291)
• Windows Core Shell (CVE-2021-42286)
• Windows Cred SSProvider Protocol (CVE-2021-41366)
• Windows Desktop Bridge (CVE-2021-36957)
• Windows Diagnostic Hub (CVE-2021-42277)
• Windows Fast FAT File System Driver (CVE-2021-41377)
• Windows Feedback Hub (CVE-2021-42280)
• Windows Installer (CVE-2021-41379)
• Windows Kernel (CVE-2021-42285)
• Windows NTFS (CVE-2021-41367, CVE-2021-41370, CVE-2021-42283)

For a complete list of all the vulnerabilities, please refer to the Microsoft Security Update Guide.

References to Advisories, Solutions and Tools

• Microsoft Security Updates Summary (November 2021)
• Microsoft Security Guide (Vulnerabilities)

My message to companies that think they haven’t been attacked is: ‘You’re not looking hard enough.’

James Snook

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?