Microsoft Patches 55 CVEs and 6 Zero-Days with November 2021 Updates

Contents of The Article hide

4 References to Advisories, Solutions and Tools

Overview

Microsoft patches a total of 55 operating system and software flaws (CVEs) with November 2021 Patch Tuesday updates. 6 of these security flaws are zero-day vulnerabilities, 4 of which are known to be exploited in the wild.

What Is Patch Tuesday?

Patch Tuesday, a.k.a., Black Tuesday (or Update Tuesday), is an unofficial term used to refer to the scheduled updates rolled out on Tuesdays by Microsoft to fix for known bugs in the Windows operating system and the other Microsoft products.

It was introduced in 2003 to provide a routine schedule for the system administrators to plan for updates for Microsoft products. The idea was to simplify the patch management by regular schedules and save the network administrators from the hassle of unpredictable updates. With predetermined update schedules, system administrators could arrange compatibility and deployment tests before installing the updates.

About the Security Vulnerabilities

Microsoft released patches to address 55 vulnerabilities for the following products with the Patch Tuesday updates in November.

List the affected Microsoft products.

3D Viewer
Azure
Azure RTOS
Azure Sphere
Microsoft Dynamics
Microsoft Edge (Chromium-based)
Microsoft Edge (Chromium-based) in IE Mode
Microsoft Exchange Server
Microsoft Office
Microsoft Office Access
Microsoft Office Excel
Microsoft Office SharePoint
Microsoft Office Word
Microsoft Windows
Microsoft Windows Codecs Library
Power BI
Role: Windows Hyper-V
Visual Studio
Visual Studio Code
Windows Active Directory
Windows COM
Windows Core Shell
Windows Cred SSProvider Protocol
Windows Defender
Windows Desktop Bridge
Windows Diagnostic Hub
Windows Fastfat Driver
Windows Feedback Hub
Windows Hello
Windows Installer
Windows Kernel
Windows NTFS
Windows RDP
Windows Scripting
Windows Virtual Machine Bus

2 of the vulnerabilities are publicly disclosed (CVE-2021-38631, CVE-2021-41371) and 4 of the vulnerabilities are zero-days (CVE-2021-42292, CVE-2021-42321, CVE-2021-43208, CVE-2021-43209) that are known to be actively exploited in the wild, according to the Microsoft update guide. Regarding the potential impact, 1 of the patched vulnerabilities (CVE-2021-26443) is rated as critical in severity according to CVSS (Common Vulnerability Scoring System) scale.

Zero-Day Vulnerabilities:

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerabilities: If successfully exploited, these vulnerabilities (CVE-2021-38631, CVE-2021-41371), with a CVSS score of 4.4, could allow an authenticated (RDP server admin), local attacker to gain access to other RDP client passwords. Though these vulnerabilities are publicly disclosed, Microsoft has not reported their exploitation in the wild.
Microsoft Exchange Server Remote Code Execution Vulnerability: This vulnerability (CVE-2021-42321), with a CVSS score of 8.8., allows a remote, authenticated attacker to take full control of the Exchange Server via sending maliciously crafted packets to the server. This Exchange Server RCE vulnerability is known to have been exploited in wild.
Microsoft Excel Security Feature Bypass Vulnerability: With a CVSS score of 7.8, this vulnerability (CVE-2021-42292) is reported to have been exploited in the wild. Currently, no description has been provided for this security flaw.
3D Viewer Remote Code Execution Vulnerabilities: With a CVSS score of 7.8, these vulnerabilities (CVE-2021-43208, CVE-2021-43209) are reported to have been exploited in the wild. Currently, no descriptions have been provided for these security flaws.

Critical Vulnerabilities:

In this month’s updates, only one vulnerability has been rated as critical. Windows Virtual Machine Bus Vulnerability (CVE-2021-26443), with a CVSS score of 9.0, could allow an authenticated attacker to execute arbitrary code on the host operating system via sending maliciously crafted communication on the VMBus channel from the guest VM to the host.

Note that, these initial severity scores assigned by Microsoft could differ from the final severity evaluations of the NVD (National Vulnerability Database).

A list of all the security flaws that include the Remote Code Execution (RCE) and Elevation of Privilege (EoP) vulnerabilities categorized by the affected products are listed below:

Remote Code Execution (RCE) Vulnerabilities in: