Patch Analysis for October 2021

Welcome to my October Patch Tuesday newsletter. Microsoft is addressing 71 different vulnerabilities this month. One CVE (CVE-2021-40449) is currently being exploited. It's not public, but you should make sure this patch gets applied. Three other vulnerabilities are public but are not currently being exploited. It's only a matter of time before exploits for these are used, so you'll want to make sure they are patched as well. Also pay attention to the CVEs in bold in the chart below. They are not public or currently being exploited, but Microsoft rates them as "Exploitation More Likely".

In the chart below you will see that Edge is missing "Severity" and "Vulnerability Info". This isn't a mistake. Microsoft says "The vulnerability assigned to this CVE is in Chromium Open Source Software (OSS) which is consumed by Microsoft Edge (Chromium-based). It is being documented in the Security Update Guide to announce that the latest version of Microsoft Edge (Chromium-based) is no longer vulnerable." So although Edge has a list of CVEs this month, Chrome's updating will address these CVEs.

All in all, it is a fairly light month for Microsoft. Let's hope this pattern continues for the rest of the year. Happy updating!

So, without further ado, here’s the chart of MS patches that affect Windows platforms in the past month.

Patch data provided by: LOGbinder.com

| Technology | Products Affected | Severity | Reference | Workaround / Exploited / Publicly Disclosed | Vulnerability Info |
|---|---|---|---|---|---|
| Windows | Windows 7, 8.1, RT 8.1, 10, 11; Server 2008, 2008R2, 2012, 2012 R2, 2016, 2019, 2022 including Server Core Installations | Critical | CVE-2021-26441, CVE-2021-26442, CVE-2021-36953, CVE-2021-36970, CVE-2021-38662, CVE-2021-38663, CVE-2021-38672, CVE-2021-40443, CVE-2021-40449, CVE-2021-40450, CVE-2021-40454, CVE-2021-40455, CVE-2021-40456, CVE-2021-40460, CVE-2021-40461, CVE-2021-40462, CVE-2021-40463, CVE-2021-40464, CVE-2021-40465, CVE-2021-40466, CVE-2021-40467, CVE-2021-40468, CVE-2021-40469, CVE-2021-40470, CVE-2021-40475, CVE-2021-40476, CVE-2021-40477, CVE-2021-40478, CVE-2021-40488, CVE-2021-40489, CVE-2021-41330, CVE-2021-41331, CVE-2021-41332, CVE-2021-41334, CVE-2021-41335, CVE-2021-41336, CVE-2021-41337, CVE-2021-41338, CVE-2021-41339, CVE-2021-41340, CVE-2021-41342, CVE-2021-41343, CVE-2021-41345, CVE-2021-41346, CVE-2021-41347, CVE-2021-41357, CVE-2021-41361 | Workaround: No; Exploited: Yes; Public: Yes | Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing |
| Edge | Chromium-based | Intentionally left blank | CVE-2021-30625, CVE-2021-30626, CVE-2021-30627, CVE-2021-30628, CVE-2021-30629, CVE-2021-30630, CVE-2021-30631, CVE-2021-30633, CVE-2021-37956, CVE-2021-37957, CVE-2021-37958, CVE-2021-37959, CVE-2021-37960, CVE-2021-37961, CVE-2021-37962, CVE-2021-37963, CVE-2021-37964, CVE-2021-37965, CVE-2021-37966, CVE-2021-37967, CVE-2021-37968, CVE-2021-37969, CVE-2021-37970, CVE-2021-37971, CVE-2021-37972, CVE-2021-37973, CVE-2021-37974, CVE-2021-37975, CVE-2021-37976, CVE-2021-37977, CVE-2021-37978, CVE-2021-37979, CVE-2021-37980 | Workaround: No; Exploited: No; Public: No | Intentionally left blank |
| Visual Studio | 2017 15.9 and earlier; 2019 16.11 and earlier | Important | CVE-2021-1971, CVE-2021-3449, CVE-2021-3450, CVE-2021-41355 | Workaround: No; Exploited: No; Public: Yes | Denial of Service, Information Disclosure |
| .NET | 5.0 | Important | CVE-2021-41355 | Workaround: No; Exploited: No; Public: Yes | Information Disclosure |
| Dynamics 365 | On-Premises 9.0, 9.1; Customer Engagement 9.0, 9.1 | Important | CVE-2021-40457, CVE-2021-41353, CVE-2021-41354 | Workaround: No; Exploited: No; Public: No | Spoofing |
| Office | 365 Apps for Enterprise; Excel/Word 2013 RT SP1, 2013 SP1, 2016; Office 2013 RT SP1, 2013 SP1, 2016, 2019, 2019 for Mac, Offline Server, Web Apps Server 2013 SP1; SharePoint Enterprise 2013 SP1, 2016; SharePoint Foundation 2013 SP1; SharePoint Server 2019; LTSC 2021, LTSC for Mac 2021 | Critical | CVE-2021-40474, CVE-2021-40479, CVE-2021-40471, CVE-2021-40472, CVE-2021-40485, CVE-2021-40481, CVE-2021-40480, CVE-2021-40454, CVE-2021-40473, CVE-2021-40486, CVE-2021-41344, CVE-2021-40484, CVE-2021-40487, CVE-2021-40483, CVE-2021-40482 | Workaround: No; Exploited: No; Public: No | Information Disclosure, Remote Code Execution, Spoofing |
| Exchange | Server 2013 CU 23; Server 2016 CU21, CU22; Server 2019 CU10, CU11 | Important | CVE-2021-26427, CVE-2021-34453, CVE-2021-41350, CVE-2021-41348 | Workaround: No; Exploited: No; Public: No | Denial of Service, Elevation of Privilege, Remote Code Execution, Spoofing |
| Apps | Intune Management Extension | Important | CVE-2021-41363 | Workaround: No; Exploited: No; Public: No | Security Feature Bypass |
| System Center | 2012 R2, 2016, 2019 Operations Manager | Important | CVE-2021-41352 | Workaround: No; Exploited: No; Public: No | Information Disclosure |

Thanks as always for reading and best wishes on security,

Randy Franklin Smith
