The monthly edition of bug fixes from Microsoft addresses over 60 vulnerabilities in products from Microsoft’s stable, and another 20 Chromium security bugs in Microsoft Edge.
Microsoft’s September Patch Tuesday impacts over a dozen products including Azure Open Management Infrastructure, Azure Sphere, Microsoft Office, Microsoft Windows DNS, Visual Studio, BitLocker, Windows Subsystem for Linux (WSL), and more.
Importantly however, the release also patches the recently disclosed zero-day vulnerability in Internet Explorer’s browsing engine MSHTML/Trident that was being exploited in the wild.
We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.
“The Zero Day vulnerability in MSHTML (CVE-2021-40444) has been resolved this month. Microsoft’s original mitigation guidance released on September 7 can be disabled once you have updated all Windows OSs this month,” Chris Goettl, Vice President of Product Management for Security at Ivanti shared with TechRadar Pro.
Patch without delay
Analyzing all the patched vulnerabilities, 27 are privilege escalation vulnerabilities, 16 could enable remote code execution, 11 are information disclosure vulnerabilities, eight are spoofing vulnerabilities, two could help bypass security features, and one could cause denial of service.
Goettl adds that in addition to the MSHTML vulnerability, the update includes a couple more that are of note.
One of them, tracked as CVE-2021-36958, is a Print Spooler vulnerability that was initially addressed last month, but has been updated this month to address some additional concerns that were identified by researchers beyond the original fix.
“The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates,” stresses Goettl.
The third vulnerability that Goettl points out is the elevation of privilege vulnerability in Windows DNS. Tracked as CVE-2021-36968, the vulnerability applies to the legacy Windows OSs, which is what makes it particularly attractive to threat actors.
“Public disclosure gives threat actors a bit of a jump start on developing a working exploit. In this case, they could find the fact that this only affects legacy OSs as attractive, banking on the fact that companies are still running on the legacy OSs but not continuing with ESU support from Microsoft,” he shares, urging businesses still using legacy Windows releases to either migrate off these platforms or at least subscribe to Microsoft’s extended security update (ESU) program.