Microsoft Patch Tuesday, November 2021
Microsoft Corp. today released updates to eliminate at least 55 security vulnerabilities in its Windows operating system and other software. Two of the patches target vulnerabilities that have already been used in online attacks, and four of them were publicly disclosed before today -- potentially giving attackers a head start in figuring out how to exploit them.
Among these zero-day vulnerabilities is CVE-2021-42292, a "security feature bypass" problem in Microsoft Excel versions 2013-2021, which an attacker could exploit simply by convincing someone to open a booby-trapped Excel file. (Microsoft said the Mac version of Office was also affected, but several places reported that security updates for Office for Mac were not yet available.)
Microsoft's revised, more sparse security advisories don't provide much detail on exactly what is being bypassed in Excel by this flaw. But Dustin Childs at Trend Micro's Zero Day Initiative says the vulnerability could be due to the loading of code that is supposed to be restricted by a user prompt -- such as a warning about external content or scripts -- but for whatever reason the prompt doesn't appear, thus bypassing the security feature.
Another critical vulnerability that has been widely exploited is CVE-2021-42321, yet another zero-day vulnerability in Microsoft Exchange Server. As you may recall, most organizations around the world running Microsoft Exchange servers were hit with four zero-day attacks earlier this year, which allowed thieves to install backdoors and steal emails.
As Exchange zero-days go, CVE-2021-42321 is relatively modest. Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to already be authenticated to the target system. Microsoft has published a blog post about the Exchange zero-day here.
Two of the vulnerabilities that were disclosed before today's patches are CVE-2021-38631 and CVE-2021-41371. Both involve weaknesses in Microsoft's Remote Desktop Protocol (RDP), the remote management tool built into Windows, running on Windows 7 through Windows 11 and Windows Server 2008-2019. These vulnerabilities allow an attacker to see the RDP passwords of vulnerable systems.
Allan Liska, a senior security architect at Recorded Future, said: "Given the interest in RDP by cybercriminals, particularly ransomware initial access agents, it is likely that it will be exploited at some point."
Liska noted that this month's patch release also covers CVE-2021-38666, a remote code execution vulnerability in the Windows RDP client.
Liska added, "This is a serious vulnerability, and Microsoft is calling it a serious vulnerability. In the usability assessment section, Microsoft referred to the vulnerability as 'more likely to be exploited.' This vulnerability affects Windows 7-11 and Windows Server 2008-2019 and should be addressed as a priority."
For most Windows home users, applying security updates isn't a big deal. By default, Windows checks for available updates and fairly persistently asks you to install them and reboot. It's a good idea to get into the habit of patching every month, preferably within a few days of the patches' release.
But don't neglect to back up your important files, before patching if possible. Windows 10 has some built-in tools to help you do this, either on a per-file/folder basis or by creating a complete, bootable copy of your hard drive all at once. There are also excellent third-party products that make it easy to copy an entire hard drive regularly so you can restore the latest working image of your system at any time.
Please refer to this guide if you want to ensure that Windows has been set to pause updates so that you can back up your files and/or system before the operating system decides to reboot and install patches on its schedule.
If you experience any glitches or problems installing patches this month, consider leaving a comment below; it is likely that other readers have had the same experience and may offer helpful suggestions.