Microsoft had a tough month, with the monthly edition of bug fixes addressing over 60 vulnerabilities in Microsoft’s stable products, as well as an additional 20 Chromium security issues in Microsoft Edge. Microsoft’s September Patch Tuesday affects over a dozen products, with 66 CVE-numbered vulnerabilities patched across the board, including a zero-day that is being actively exploited in the wild. The remote code execution MSHTML vulnerability CVE-2021-40444, which was actively exploited by attackers using infected MS Office documents, was the most crucial to address. “Security researchers and analysts began exchanging proof-of-concept examples of how an attacker may use the exploit after the flaw was identified and became public knowledge on September 7,” said SophosLabs Principal Researcher Andrew Brandt.
CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS, is a second zero-day that was publicly disclosed but not actively exploited. Microsoft has classified it as “important,” and it only affects Windows 7 and Windows Server 2008.
The third vulnerability, CVE-2021-36958, is a Print Spooler vulnerability that was first fixed last month but was upgraded this month to address some new issues that researchers discovered after the original fix.
“Because the vulnerability has been publicly reported and usable exploit code is available, this month’s Windows OS upgrades become even more critical,” says Chris Goettl, VP of product management at Ivanti.