September Patch Tuesday 2021
Microsoft released updates for Windows, Office, Azure and Visual Studio this month resolving a total of 64 vulnerabilities. The Zero Day vulnerability in MSHTML (CVE-2021-40444) has been resolved this month. Microsoft’s original mitigation guidance released on September 7 can be disabled once you have updated all Windows OSs this month. Besides the MSHTML RCE vulnerability there are also two publicly disclosed CVEs that warrant some attention this month.
While not the specific PrintNightmare CVE (CVE-2021-34527), one of the additional Print Spooler CVEs that was initially addressed in the August Patch Tuesday release (CVE-2021-36958) has been updated this month. The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix. The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates.
The third public disclosure (CVE-2021-36968) resolves an Elevation of Privilege vulnerability in Windows DNS. This CVE applies to the legacy Windows OSs. Public disclosure gives threat actors a bit of a jump start on developing a working exploit. In this case, they could find the fact that this only affects legacy OSs as attractive, banking on the fact that companies are still running on the legacy OSs but not continuing with ESU support from Microsoft. If you fall into this group, there is yet more reason to either subscribe to Microsoft’s ESU for Windows 7 and Server 2008\2008 R2 or migrate off of these platforms as the risk of running these EoL systems continues to grow.
Google Chrome released a critical update today resolving 11 CVEs including two Zero Day vulnerabilities (CVE-2021-30632 and CVE-2021-30633). Adobe Acrobat and Reader updates resolve X CVEs.
Apple has also released security updates for Mac OS 11.6 and iOS 14.8 which resolve two Zero Day vulnerabilities (CVE-2021-30860 and CVE-2021-30858). CVE-2021-30860 is the vulnerability that was utilized to deploy Pegasus Spyware to a variety of Apple Devices giving near complete access to personal data on targeted devices. For iOS users you may see this available immediately, but Apple does a rolling update across iOS devices so not everyone would see an update available immediately. Best to check back daily to see when it is available for update.
Adobe Acrobat and Reader (APSB21-55), Adobe Experience Manager (APSB21-82) and Adobe ColdFusion (APSB21-75) are the top three updates from Adobe this month. Acrobat and Reader resolved 26 total CVEs (13 critical), Experience Manager resolved one critical and three important CVEs, and Fusion resolved two critical CVEs.
Priorities this month:
- Windows OS update to resolve the MSHTML Zero Day and the Print Spooler vulnerability
- Google Chrome to plug two Zero Day vulnerabilities
- Adobe Acrobat and Reader APSB21-55 to resolve the 13 critical CVEs
- Apple MacOS and iOS updates to plug two Zero Day vulnerabilities