Microsoft's end-of-summer software security cleanse crushes more than 80 bugs

The Register - Wed Sep 15 00:54

For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities, alongside 20 Chromium bugs in Microsoft Edge.

Affected products include: Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and the Windows Subsystem for Linux.

Of these CVEs, three are rated critical, one is rated moderate, and the remainder are considered important.

One of the publicly disclosed CVEs, dating back to September 7, resolves a critical zero-day vulnerability in MSHTML, also known as Microsoft's legacy Trident rendering engine (CVE-2021-40444). The flaw allows an attacker to create a malicious ActiveX control within a Microsoft Office document that hosts the browser rendering engine.

Another fix revisits the Print Spooler RCE (CVE-2021-36958), publicly disclosed on August 11, and updates the patch Microsoft shipped for it last month.

"The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix," explained Chris Goettl, VP of product management at Ivanti, an IT asset management firm, in a statement emailed to The Register. "The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates."

Goettl said the third previously disclosed vulnerability (CVE-2021-36968) addresses a privilege elevation flaw in Windows DNS. "This CVE applies to the legacy Windows OSs. Public disclosure gives threat actors a bit of a jump start on developing a working exploit."

The other two critical flaws are a Windows WLAN AutoConfig Service remote code execution vulnerability (CVE-2021-36965) and an Open Management Infrastructure remote code execution vulnerability (CVE-2021-38647).

The former, said Dustin Childs of the Zero Day Initiative in a blog post, allows an attacker on an adjacent network, such as public Wi-Fi at a coffee shop, to take over a vulnerable system.

The latter is even more serious: a critical-severity (CVSS 9.8) remote code execution bug in the Open Management Infrastructure (OMI) agent.

"This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system," warned Childs. "OMI users should test and deploy this one quickly."

Speaking of CVE-2021-38647: it is one of a family of OMI flaws that also includes CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649. When one spins up a Linux guest in Azure and enables certain services, an OMI agent is automatically deployed in the virtual machine. See Microsoft's advisory for more information, and check which OMI version you're running, particularly if OMI is listening on ports 5985, 5986, or 1270.
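The check described above, as an added example that is not code from The Register, Microsoft or the OMI project: a POSIX shell triage helper that reads the installed `omi` package version and the ports in LISTEN state, then reports whether the VM is exposed. It assumes OMI is installed as a package named `omi` (dpkg or rpm) and that `ss` is available; the `ss` output embedded below is constructed for the offline run, and the minimum fixed version is a parameter you must take from Microsoft's advisory, since the article does not give the number.

```shell
#!/bin/sh
# Added example (not The Register's, Microsoft's or OMI's code). Triages an
# Azure Linux VM for the OMI advisory: is the "omi" package older than the
# fixed release, and is OMI reachable on 5985/5986/1270?
# Assumptions: OMI ships as a package named "omi" (dpkg or rpm), ss(8) exists,
# and the caller supplies the minimum fixed version from Microsoft's advisory.

# version_ge A B: succeed when dotted version A is >= B (sort -V ordering).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Print the installed OMI package version, or nothing when it is absent.
# (rpm -q prints "package omi is not installed" on stdout, hence the guard.)
omi_installed_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f '${Version}' omi 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && rpm -q --qf '%{VERSION}' omi
    fi
    return 0
}

# Read `ss -lnt`-style text on stdin; print the WSMan/OMI ports (5985, 5986,
# 1270) that are in LISTEN state. Takes the last ":"-field so IPv6 forms such
# as [::]:5986 are handled too.
omi_listening_ports() {
    awk '$1 == "LISTEN" {
            n = split($4, a, ":"); p = a[n]
            if (p == "5985" || p == "5986" || p == "1270") print p
         }' | sort -un
}

# omi_verdict INSTALLED MINIMUM   (ss text on stdin)
# Prints a one-line verdict. Exit 0: nothing to do; 1: outdated but not
# listening on the OMI ports; 2: outdated and exposed on a listening port.
omi_verdict() {
    installed=$1
    minimum=$2
    ports=$(omi_listening_ports | tr '\n' ' ')
    if [ -z "$installed" ]; then
        echo "OMI is not installed"; return 0
    fi
    if version_ge "$installed" "$minimum"; then
        echo "OMI $installed is at or above $minimum"; return 0
    fi
    if [ -z "$ports" ]; then
        echo "OMI $installed is older than $minimum; nothing listening on 5985/5986/1270, patch anyway"
        return 1
    fi
    echo "OMI $installed is older than $minimum and listening on ${ports}: remote exposure, patch now"
    return 2
}

# Constructed ss(8) output for the offline demonstration (not a real capture).
SS_FIXTURE='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    *:5986              *:*
LISTEN 0      128    127.0.0.1:1270      0.0.0.0:*
ESTAB  0      0      10.0.0.4:5986       10.0.0.9:51512'

# Offline demo with placeholder versions: 1.0.0 installed, 1.1.0 required.
rc=0
printf '%s\n' "$SS_FIXTURE" | omi_verdict 1.0.0 1.1.0 || rc=$?
echo "verdict exit status: $rc"

# Live mode against this host: sh omi_triage.sh --live MIN_FIXED_VERSION
# where MIN_FIXED_VERSION comes from Microsoft's OMI advisory.
if [ "${1:-}" = "--live" ]; then
    ss -lnt | omi_verdict "$(omi_installed_version)" "$2"
fi
```

The exit code is meant for fleet sweeps: run it over every Azure Linux VM with a run-command and sort hosts by status, so the exposed ones (status 2) get patched first while the rest are still scheduled.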

Kevin Breen, director of cyber threat research, Immersive Labs, told The Register in an email that three Local Privilege Escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) also deserve attention because they're listed as more likely to be exploited.

"Local Priv Esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access," Breen explained. "This allows them to disable anti-virus, delete backups and ensure their encryptors can reach even the most sensitive of files."

The exploits, however, can't be carried out remotely, he said, which means attackers have to use these in conjunction with a separate RCE flaw, like the MSHTML bug (CVE-2021-40444).

Apple, as we noted on Monday, released patches for macOS, iOS, and iPadOS addressing flaws in WebKit and CoreGraphics yesterday, one of which has been implicated in attacks on human rights advocates. And Google also pushed out fixes for 9 CVEs in Chromium, two of which are under active attack.

Adobe published 15 security advisories addressing 59 CVEs in Adobe Acrobat Reader, ColdFusion, Creative Cloud Desktop, Digital Editions, Experience Manager, Framemaker, Genuine Service, InCopy, InDesign, Photoshop, Photoshop Elements, Premiere Elements, Premiere Pro, SVG-Native-Viewer, and XMP Toolkit SDK.

Acrobat Reader alone has 26 bugs, 13 of which are rated critical.

"The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability," said Childs. "The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file."

SAP, meanwhile, released 19 security notes, two of which update previous patches, covering 23 CVEs.

Seven of these have been bestowed with the label "HotNews," SAP's maddening way of saying "critical." Two have earned a perfect severity score of 10. One is a Missing Authorization check in SAP NetWeaver Application Server for Java (CVE-2021-37535).

"Facing the integral role of the JMS Connector Service and the CVSS top score of the vulnerability, there should be no doubt that providing the corresponding patch is absolutely recommended," said Thomas Fritsch, a researcher at security firm Onapsis, in a blog post. "Otherwise, restricted data is at risk of being read, updated, or deleted."

The other note rated 10 updates an April 2018 Patch Day mitigation applied to a Google Chromium component in SAP Business Client. Among the remaining five "HotNews" notices, four describe 9.9 severity bugs and one refers to a 9.6 severity flaw. ®