Microsoft has released September Patch Tuesday security updates with a total of 60 vulnerabilities, which include Three CVEs rated as critical and the rest rated as important. The products covered in September’s security update include Microsoft Office, Windows Common Log File System Driver, Windows Print Spooler Components, etc.
One of the already publicly disclosed CVEs resolves a critical zero-day vulnerability (CVE-2021-40444) in MSHTML, also known as Microsoft’s legacy Trident rendering engine.
CVE-2021-40444 – Microsoft’s MSHTML (Trident) engine Remote Code Execution Vulnerability. Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then need to convince the user to open the malicious document. Users whose accounts are configured to possess fewer user rights on the system might be less impacted than users who operate with administrative user rights.
CVE-2021-26435 – Windows Scripting Engine Memory Corruption Vulnerability. Microsoft released patches addressing a critical remote code execution vulnerability in Windows Scripting Engine. Exploiting this vulnerability requires an attacker to convince users to click a link then open a specially crafted file.
CVE-2021-36965 – Windows WLAN AutoConfig Service Remote Code Execution Vulnerability. Microsoft released patches addressing a remote code execution flaw in “WLAN AutoConfig,” the component in Windows 10 and many Server versions that handle auto-connections to Wi-Fi networks. One mitigating factor here is that the attacker and target would need to get on the same network. However, many systems are configured to auto-connect to Wi-Fi network names with which they have previously connected.
CVE-2021-38647 – Open Management Infrastructure Remote Code Execution Vulnerability. This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system.
Microsoft security bulletin summary for August 2021
- Microsoft Azure Open Management Infrastructure
- Microsoft Edge (Chromium-based)
- Microsoft Office
- Microsoft Windows
- Visual Studio
- Windows Installer
- Windows Kernel
- Windows MSHTML Platform
- Windows SMB
- Windows Storage
Product: Microsoft Windows
CVEs/Advisory: CVE-2021-26435, CVE-2021-40447, CVE-2021-38671, CVE-2021-38667, CVE-2021-38639, CVE-2021-38638, CVE-2021-38636, CVE-2021-38635, CVE-2021-38634, CVE-2021-38633, CVE-2021-38630, CVE-2021-38629, CVE-2021-38628, CVE-2021-38624, CVE-2021-36974, CVE-2021-36973, CVE-2021-36972, CVE-2021-36969, CVE-2021-36967, CVE-2021-36965, CVE-2021-36964, CVE-2021-36963, CVE-2021-36962, CVE-2021-36961, CVE-2021-36960, CVE-2021-36959, CVE-2021-36955, CVE-2021-38632, CVE-2021-38637, CVE-2021-36975, CVE-2021-36966, CVE-2021-36954, CVE-2021-36968, CVE-2021-38626, CVE-2021-38625, CVE-2021-40444
Impact: Remote Code Execution, Elevation of Privilege, Information Disclosure, Security Feature Bypass, Denial of Service, Spoofing
Severity: Critical, Important
KBs: 5005569, 5005573, 5005568, 5005566, 5005565, 5005633, 5005615, 5005613, 5005627, 5005606, 5005618, 5005623, 5005607, 5005563, 5005575
Product: Microsoft Azure
CVEs/Advisory: CVE-2021-38649, CVE-2021-38648, CVE-2021-38645, CVE-2021-36956, CVE-2021-38647
Impact: Elevation of Privilege, Information Disclosure, Remote Code Execution
Severity: Critical, Important
Product: Microsoft Edge
CVEs/Advisory: CVE-2021-30604, CVE-2021-30603, CVE-2021-30602, CVE-2021-30601, CVE-2021-30599, CVE-2021-30598, CVE-2021-30632, CVE-2021-38642, CVE-2021-38641, CVE-2021-36930, CVE-2021-30624, CVE-2021-30623, CVE-2021-30622, CVE-2021-30621, CVE-2021-30620, CVE-2021-30619, CVE-2021-30618, CVE-2021-30617, CVE-2021-30616, CVE-2021-30615, CVE-2021-30614, CVE-2021-30613, CVE-2021-30612, CVE-2021-30611, CVE-2021-30610, CVE-2021-30609, CVE-2021-30608, CVE-2021-30607, CVE-2021-30606, CVE-2021-26436, CVE-2021-38669
Impact: Spoofing, Elevation of Privilege, Tampering
Product: Microsoft Office
CVEs/Advisory: CVE-2021-38658, CVE-2021-38650, CVE-2021-38646, CVE-2021-38655, CVE-2021-38654, CVE-2021-38653
Impact: Remote Code Execution, Spoofing
KBs: 4484103, 4484108, 5001958, 5001997, 5001999, 5002005, 5002007, 5002009