Here is the October Patch Tuesday commentary from Chris Goettl, Vice President of Product Management at Ivanti:
October is Cybersecurity Awareness Month. It is a great time to evaluate your security strategy and ensure you are focusing on key ways to improve your overall cyber hygiene. Vulnerability management is always an area of concern as new vulnerabilities are constantly being discovered. Patch Tuesday is a specific event each month that helps companies identify and resolve security vulnerabilities in popular software, but it is primarily focused on Microsoft operating systems and applications. The challenge is all of the other vendor software in your environment that operates on different release cycles. This month we will cover the Patch Tuesday release, but also talk about a few others that you will want to be aware of.
Microsoft released updates resolving 74 new vulnerabilities (CVEs) and two re-released CVEs. There are four publicly disclosed CVEs and one zero day (CVE-2021-40449). Three of the 76 CVEs this month are rated as Critical.
This month’s updates affect the Windows OS, O365, Exchange Server, Intune, System Center, .NET Core & Visual Studio, and a number of roles in AD, ADFS, Hyper-V and DNS.
Starting with the known exploited vulnerability, CVE-2021-40449 is a Win32k Elevation of Privilege Vulnerability in the Windows OS from Windows 7 and Server 2008 up to Windows 11 and Server 2022. Microsoft only rated the vulnerability as Important by their severity scoring system, which is a good example of why organizations need to focus on vulnerability remediation based on risk. A risk-based approach to vulnerability management takes into account more real-world indicators, such as known exploitation, public disclosure, and usage trends by threat actors, to better understand which exposures you should focus on first and quickest.
Microsoft resolved CVE-2021-41338, a Security Feature Bypass vulnerability in Windows AppContainer Firewall. The vulnerability has been publicly disclosed, including proof-of-concept code, giving threat actors a jumpstart on building an exploit to take advantage of the flaw. The vulnerability exists in Windows 10, Server 2016 and later versions.
Microsoft resolved CVE-2021-41335, an Elevation of Privilege vulnerability in the Windows Kernel. The flaw exists in Windows 7 to Windows 10 and Server 2008 to Server 2019 versions. The CVE has been publicly disclosed, including proof-of-concept code, giving threat actors a jumpstart on building an exploit to take advantage of the flaw.
Microsoft resolved CVE-2021-40469, a Remote Code Execution vulnerability in Windows DNS. The flaw only affects servers configured as DNS servers and affects Server 2008 to Server 2022. The vulnerability has been publicly disclosed, including proof-of-concept code, giving threat actors a jumpstart on building an exploit to take advantage of the flaw.
Microsoft resolved CVE-2021-33781, a Security Feature Bypass in Azure AD originally resolved in the July 13 Patch Tuesday release. The update added additional affected versions: Windows 10 1607, Server 2016 and Windows 11.
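The risk-based ordering described above can be sketched in a few lines. This is an added example, not Ivanti's or Microsoft's code: the exploited, publicly disclosed and DNS-role flags come from the commentary, while the weights, the host inventory and the placeholder Critical entry are constructed assumptions.

```python
# Added example: rank the CVEs named in this commentary by real-world risk
# indicators first and vendor severity second, per host role.
from dataclasses import dataclass
from typing import Optional

# Assumed weights; None means the vendor rating is not stated on this page.
SEVERITY_WEIGHT = {"Critical": 30, "Important": 20, None: 0}

@dataclass(frozen=True)
class Cve:
    cve_id: str
    severity: Optional[str]
    exploited: bool = False
    disclosed: bool = False
    requires_role: Optional[str] = None  # only applies to hosts with this role

    def risk(self) -> int:
        # Known exploitation outweighs public disclosure, which outweighs rating.
        return (100 * self.exploited + 50 * self.disclosed
                + SEVERITY_WEIGHT[self.severity])

CVES = [
    Cve("CVE-2021-40449", "Important", exploited=True),
    Cve("CVE-2021-41338", None, disclosed=True),
    Cve("CVE-2021-41335", None, disclosed=True),
    Cve("CVE-2021-40469", None, disclosed=True, requires_role="dns"),
    # Constructed placeholder: a Critical CVE with no exploitation or disclosure.
    Cve("PLACEHOLDER-CRITICAL", "Critical"),
]

# Constructed inventory: host name -> roles installed on it.
HOSTS = {"dc01": {"dns"}, "ws-042": set()}

def remediation_order(roles, cves=CVES):
    """Return applicable CVE ids, highest risk first (ties broken by id)."""
    applicable = [c for c in cves
                  if c.requires_role is None or c.requires_role in roles]
    ranked = sorted(applicable, key=lambda c: (-c.risk(), c.cve_id))
    return [c.cve_id for c in ranked]

if __name__ == "__main__":
    for host, roles in HOSTS.items():
        print(host, remediation_order(roles))
```

The sketch ignores affected OS versions; a real inventory would also filter on those.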
Adobe has released six updates, including an update for Acrobat and Reader, Connect, Reader Mobile, Commerce, Campaign Standard and ops-cli. The updates for Adobe Connect (APSB21-91) and ops-cli (APSB21-88) include Critical CVEs with a CVSS base score of 9.8 out of 10. Adobe Acrobat and Reader (APSB21-104) resolves the most CVEs out of the lineup. A total of four CVEs, two of which are rated as Critical with CVSS scores of 7.8, were resolved in this update.
Foxit PDF released updates for Windows and macOS editions resolving many vulnerabilities. Seven CVEs were identified and a number of IDs referenced by the Trend Zero Day Initiative and the China National Vulnerability Database were also resolved. For more details, view the Foxit PDF Editor updates page.
Google Chrome has had four releases since September Patch Tuesday resolving a total of 25 CVEs.
Oracle is releasing their Quarterly CPU next Tuesday on October 19th. Be on the lookout for updates to Java, Oracle DB, Middleware and more products from Oracle.