Microsoft September 2021 Updates: 60 CVEs, 1 Zero-Day

Microsoft September 2021 Updates: 60 CVEs, 1 Zero-Day

Microsoft September 2021 security updates patch 60 CVEs. 1 of the vulnerabilities is a zero-day that is known to be exploited in the wild.


Microsoft patches a total of 60 operating system and software flaws (CVEs) with September 2021 Patch Tuesday updates. 1 of these vulnerabilities is publicly known at the time of the patch release, and 1 of the vulnerabilities turns out to be a zero-day actively exploited in the wild.

What Is Patch Tuesday?

Patch Tuesday, a.k.a., Black Tuesday (or Update Tuesday), is an unofficial term used to refer to the scheduled updates rolled out on Tuesdays by Microsoft to fix for known bugs in the Windows operating system and the other Microsoft products.

What Is Patch Tuesday?
What Is Patch Tuesday?

It was introduced in 2003 to provide a routine schedule for the system administrators to plan for updates for Microsoft products. The idea was to simplify the patch management by regular schedules and save the network administrators from the hassle of unpredictable updates. With predetermined update schedules, system administrators could arrange compatibility and deployment tests before installing the updates.

About the Security Vulnerabilities

Microsoft released patches to address 60 vulnerabilities for the following products with the Patch Tuesday updates in September.

List the affected Microsoft products.
  • Azure Open Management Infrastructure
  • Azure Sphere
  • Dynamics Business Central Control
  • Microsoft Accessibility Insights for Android
  • Microsoft Edge (Chromium-based)
  • Microsoft Edge for Android
  • Microsoft MPEG-2 Video Extension
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Microsoft Windows DNS
  • Visual Studio
  • Windows Ancillary Function Driver for WinSock
  • Windows Authenticode
  • Windows Bind Filter Driver
  • Windows BitLocker
  • Windows Common Log File System Driver
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Key Storage Provider
  • Windows MSHTML Platform
  • Windows Print Spooler Components
  • Windows Redirected Drive Buffering
  • Windows Scripting
  • Windows SMB
  • Windows Storage
  • Windows Subsystem for Linux
  • Windows TDX.sys
  • Windows Update
  • Windows Win32K
  • Windows WLAN Auto Config Service
  • Windows WLAN Service

1 of the vulnerabilities is publicly disclosed (CVE-2021-36968) and 1 of the vulnerabilities is a zero-day (CVE-2021-40444) that is known to be actively exploited in the wild, according to the Microsoft update guide. Regarding the potential impact, 1 of the patched vulnerabilities (CVE-2021-38647) is rated as critical in severity according to CVSS (Common Vulnerability Scoring System) scale. However, these initial severity scores assigned by Microsoft could differ from the final severity evaluations made by NVD (National Vulnerability Database).

What is worth noting additionally in this month’s updates is the existence of 2 Server Message Block (SMB) Information Disclosure vulnerabilities (CVE-2021-36960, CVE-2021-36972) and 1 SMB Elevation of Privilege vulnerability (CVE-2021-36974).

Zero-Day, Publicly Disclosed and Critical Vulnerabilities

  • CVE-2021-40444 Microsoft MSHTML Remote Code Execution (RCE) Vulnerability: This zero-day vulnerability (CVSS Score: 8.8) exists in the MSHTML, which is the main HTML component of the Internet Explorer and is being used in Microsoft Office applications for rendering HTML content. For the exploitation, attackers could create a malicious ActiveX control to be executed in MSHTML hosted by a Microsoft Office document. To conduct a successful attack, adversaries would also have to convince the targeted users to open the malicious documents via social engineering techniques such as phishing. As a result of a successful attack, adversaries could gain the same level of privileges with the targeted users. Microsoft warned last week that this vulnerability was being exploited in the wild for targeted attacks and suggested updating Microsoft Defender Antivirus/Endpoint and disabling the ActiveX controls to thwart possible attacks.
  • CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability: Besides the MSHTML RCE vulnerability, this vulnerability (CVSS Score: 7.8) is the only flaw that is publicly known at the time of the patch release. Due to the vulnerability, attackers could elevate their privileges to administrator level on the vulnerable systems.
  • CVE-2021-38647 Open Management Infrastructure Remote Code Execution (RCE) Vulnerability: The most critical of all the patched vulnerabilities is a RCE vulnerability (CVSS Score: 9.8) that exist in the Open Management Infrastructure (OMI). This vulnerability allows an attacker to compromise vulnerable systems remotely and gain system level privileges via sending specially crafted HTTPS messages.

A complete list of all the vulnerabilities can be found at Microsoft Security Update Guide.

References to Advisories, Solutions and Tools

Quote by Michael Demon Calce
Quote by Michael Demon Calce

In the hacking world, security is more of a response than a proactive measure. They wait for hackers to attack and then they patch, based on the attacks.

Michael Demon Calce

Read more educational and inspirational cyber quotes at our page 100+ Best Cyber Security & Hacker Quotes.

To learn more about security vulnerabilities, you could also read our articles What is a Security Vulnerability? or What is Vulnerability Scanning?