Microsoft & Adobe Patch Tuesday (October 2021) – Microsoft 74 Vulnerabilities with 3 Critical, 4 Zero-Days. Adobe 10 Vulnerabilities

Anand Paturi

Microsoft Patch Tuesday – October 2021

Microsoft patched 74 vulnerabilities in their October 2021 Patch Tuesday release, of which three are rated as critical severity and four were previously reported as zero-days.

Critical Microsoft Vulnerabilities Patched

CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability

This was a zero-day, one of the four addressed by Microsoft this month. The vulnerability impacts the Win32k kernel driver and is being actively exploited by IronHusky and Chinese APT groups. Microsoft has assigned it a CVSSv3 base score of 7.8, and it should be prioritized for patching.

CVE-2021-40486 – Microsoft Word Remote Code Execution Vulnerability

This vulnerability is due to improper input validation in Microsoft Word. Adversaries can exploit it by tricking target users into opening a specially crafted file, resulting in arbitrary code execution. Microsoft has assigned a CVSSv3 base score of 7.8 to this vulnerability.

CVE-2021-40461, CVE-2021-38672 – Windows Hyper-V Remote Code Execution Vulnerabilities

These vulnerabilities are due to a set of flaws in the Network Virtualization Service Provider. They could allow an attacker to execute code remotely on the target machine. The vendor has assigned these CVEs a CVSSv3 base score of 8.0.

CVE-2021-26427: Microsoft Exchange Server Remote Code Execution Vulnerability

This is an RCE vulnerability targeting Microsoft Exchange Server. Adversaries can only exploit this vulnerability on target machines from an adjacent network. Microsoft assigned a base score of 9.0 for this vulnerability.

The following were three of the four zero-day vulnerabilities:

CVE-2021-41338: Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

CVE-2021-40469: Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-41335: Windows Kernel Elevation of Privilege Vulnerability

Adobe Patch Tuesday – October 2021

Adobe addressed 10 CVEs this Patch Tuesday, and 6 of them are rated as critical severity impacting Acrobat and Reader, Adobe Connect, ops-cli, Commerce, and Campaign products.

Discover Patch Tuesday Vulnerabilities in VMDR

Qualys VMDR automatically detects new Patch Tuesday vulnerabilities using continuous updates to its Knowledge Base (KB).

You can see all hosts impacted by these vulnerabilities using the following QQL query:

vulnerabilities.vulnerability:(qid:`50115` OR qid:`91822` OR qid:`91823` OR qid:`91824` OR qid:`91825` OR qid:`91826` OR qid:`91827` OR qid:`91828` OR qid:`100416` OR qid:`110392` OR qid:`110393` OR qid:`375952` OR qid:`375953`)

Respond by Patching

VMDR rapidly remediates Windows hosts by deploying the most relevant and applicable per-technology version patches. You can simply select respective QIDs in the Patch Catalog and filter on the “Missing” patches to identify and deploy the applicable, available patches in one go.

The following QQL will return the missing patches pertaining to this Patch Tuesday.

(qid:`50115` OR qid:`91822` OR qid:`91823` OR qid:`91824` OR qid:`91825` OR qid:`91826` OR qid:`91827` OR qid:`91828` OR qid:`100416` OR qid:`110392` OR qid:`110393` OR qid:`375952` OR qid:`375953`)

Patch Tuesday Dashboard

The current updated Patch Tuesday dashboards are available in Dashboard Toolbox: 2021 Patch Tuesday Dashboard.

Webinar Series: This Month in Vulnerabilities and Patches

To help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series, This Month in Vulnerabilities and Patches.

We discuss some of the key vulnerabilities disclosed in the past month and how to patch them: 

  • Microsoft Patch Tuesday, October 2021 
  • Adobe Patch Tuesday, October 2021 

Join us live or watch on demand!

Thursday, October 14, 2021 or later on demand

About Patch Tuesday

Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.
