QUALYS, INC. Microsoft patched 60 vulnerabilities in their September 2021 Patch Tuesday release, and an additional 26 CVEs since September 1st. Among the 60 released in the September Patch Tuesday, 3 of them are rated as critical severity, one as moderate, and 56 as important.
Critical Microsoft Vulnerabilities PatchedCVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability
This vulnerability has been publicly disclosed and is known to be exploited. The vulnerability allows for remote code execution via MSHTML, a component used by Internet Explorer and Office. Microsoft also released a workaround to show how users can disable ActiveX controls in IE. The vendor has assigned a CVSSv3 base score of 8.8. It should be prioritized for patching.
CVE-2021-26435 - Windows Scripting Engine Memory Corruption Vulnerability
Microsoft released patches addressing a critical remote code execution vulnerability in Windows Scripting Engine. The exploitation of this vulnerability requires an attacker to convince users to click a link and then open a specially-crafted file. The vendor has assigned a CVSSv3 base score of 8.8. It should be prioritized for patching.
CVE-2021-36965 - Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
This vulnerability does not allow user interaction and also has a low complexity for attack. The vendor has assigned a CVSSv3 base score of 8.8. It should be prioritized for patching.
CVE-2021-38633, CVE-2021-36963 - Windows Common Log File System Driver Elevation of Privilege Vulnerability
The vulnerabilities allow an attacker to gain elevated privileges to make changes to the victim's system. These CVEs have a high likelihood of exploitability and is assigned a CVSSv3 base score of 7.8 by the vendor. It should be prioritized for patching.
CVE-2021-38671 - Windows Print Spooler Elevation of Privilege Vulnerability
This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 7.8 by the vendor. It should be prioritized for patching.
Adobe Patch Tuesday - September 2021Adobe addressed 61 CVEs this Patch Tuesday impacting Adobe Acrobat and Reader, ColdFusion, Premiere Pro, Adobe InCopy, Adobe SVG-Native Viewer, InDesign, Framemaker, Creative Cloud Desktop Apps, Photoshop Elements, Premiere Elements, Digital Editions, Genuine Service, Photoshop, XMP Toolit SDK and Experience Manager.
The patches for Adobe Acrobat and Reader, ColdFusion and Experience Manager are labeled as Priority 2, while the remaining patches are labeled as Priority 3.
Patch Tuesday DashboardThe current updated Patch Tuesday dashboards are available in Dashboard Toolbox: 2021 Patch Tuesday Dashboard.
Webinar Series: This Month in Vulnerabilities and PatchesTo help customers leverage the seamless integration between Qualys VMDR and Patch Management and reduce the median time to remediate critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series This Month in Vulnerabilities and Patches.
We discuss some of the key vulnerabilities disclosed in the past month and how to patch them:
- Microsoft Patch Tuesday, September 2021
- Adobe Patch Tuesday, September 2021
Join us live or watch on demand!
Thursday, September 16, 2021 or later on demand About Patch TuesdayPatch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.
Attachments
- Original document
- Permalink
Disclaimer
Qualys Inc. published this content on 14 September 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 September 2021 19:21:05 UTC.
