Of the 71 flaws Microsoft corrected this October, only 3 are rated critical: two in Hyper-V and one in Word. Among the vulnerabilities rated important, one is already being exploited and three others are publicly known.
Right on schedule, on the second Tuesday of the month, Microsoft delivered its regular security update, formerly known as Patch Tuesday. The October release corrects 71 vulnerabilities, 3 of which are critical. The other 68 are rated important; four of them concern publicly known flaws, including one already being exploited. The fixes cover Windows and its components, the Chromium-based Edge browser, Exchange Server, .NET Core, Visual Studio, Office Services and Web Apps, SharePoint Server, Dynamics apps, Intune, and System Center Operations Manager. For an accurate count of the flaws fixed in October, the patches delivered earlier in the month for Edge and for OpenSSL must be added, bringing the total to 82, as the Zero Day Initiative researchers point out; they themselves submitted 11 of these CVEs through their ZDI program.
At the top of the list is a fix for a zero-day flaw in the Windows Win32k driver, which is already being actively exploited. It is tracked as CVE-2021-40449, with a severity score of 7.8, and was reported to Microsoft by Boris Larin (oct0xor). The bug can be exploited to escalate privileges on an already compromised system. Three other patches address publicly known vulnerabilities rated important: CVE-2021-41335 (rated 7.8), a Windows Kernel elevation of privilege flaw; CVE-2021-40469 (rated 7.2), a Windows DNS Server remote code execution vulnerability; and CVE-2021-41338 (rated 5.5), a Windows AppContainer firewall security feature bypass.
Two critical flaws in Hyper-V, one in Word
Of the three critical flaws, CVE-2021-38672 and CVE-2021-40461 are remote code execution vulnerabilities in the Hyper-V virtualization software, each with a severity score of 8. The third, CVE-2021-40486 (scored 7.8), is in the Word word processor and is also a remote code execution flaw.
Also notable among the high scores are two Exchange Server flaws rated 8 (CVE-2021-41348, elevation of privilege) and 9 (CVE-2021-26427, remote code execution). The SharePoint Server collaboration software is affected by two flaws rated 8.1. In addition, many flaws have a score of 7.8, in particular 5 in the Excel spreadsheet, again with a risk of remote code execution: CVE-2021-40471, CVE-2021-40473, CVE-2021-40474, CVE-2021-40479 and CVE-2021-40485. Further flaws with the same 7.8 score are found in DirectX Graphics and Office Visio, and 5 more in the Storage Spaces Controller.
As for the Adobe patches delivered at the same time, there are 6 of them this month, covering 10 CVEs in Reader, Reader for Android, Campaign Standard, Commerce, Ops-CLI and Connect.