September Patch Tuesday: 66 Bulletins, Only 3 Critical

The September 2021 Patch Tuesday cycle is relatively good news for system administrators with only 66 total bulletins. Perhaps more significantly, only three of these were Critical bulletins. Eleven of these bulletins fixed vulnerabilities that were disclosed to Microsoft via the Zero Day Initiative. Overall, the month offers system administrators a chance to catch up on other necessary tasks.

Only 3 Critical Patches for September

As mentioned previously, only three of this month's bulletins were rated by Microsoft as Critical. One of these bulletins covers a vulnerability in the Windows Scripting Engine (CVE-2021-26435), another a vulnerability in the WLAN automatic configuration service (CVE-2021-36965). The third vulnerability is in the Open Management Infrastructure (CVE-2021-38647).

Another significant flaw fixed was CVE-2021-40444. This was a vulnerability that allowed malicious ActiveX controls to be executed via specially crafted Office documents, and was disclosed to the public last week due to its use in the wild.

The remaining vulnerabilities cover a variety of Microsoft products, as expected. Some of the products/components with multiple bulletins include Edge, Office, the print spooler, and the SMB stack. These components were featured prominently in previous Patch Tuesday cycles, so their presence in this month should not be a surprise.

Trend Micro Solutions

A proactive, multilayered approach to security is key against threats that exploit vulnerabilities - from the gateway, endpoints, networks, and servers.

The Trend Micro™ Deep Security™ solution provides network security, system security, and malware prevention. Combined with Vulnerability Protection, it can protect user systems from a wide range of upcoming threats that might target vulnerabilities. Note that filters shipped in earlier months provided zero-day protection for vulnerabilities covered this month. Both solutions protect users from exploits that target these vulnerabilities via the following rules:

• 39937: ZDI-CAN-13828: Zero Day Initiative Vulnerability (Microsoft Office Visio) (CVE-2021-38653)
• 39938: ZDI-CAN-14041: Zero Day Initiative Vulnerability (Microsoft Visual Studio) (CVE-2021-36952)
• 39999: ZDI-CAN-13918: Zero Day Initiative Vulnerability (Microsoft Word) (CVE-2021-38656)
• 40000: ZDI-CAN-14118: Zero Day Initiative Vulnerability (Microsoft Excel) (CVE-2021-38655)
• 40001: ZDI-CAN-14194: Zero Day Initiative Vulnerability (Microsoft Office Visio) (CVE-2021-38654)
• 40018: ZDI-CAN-14198: Zero Day Initiative Vulnerability (Microsoft Word) (CVE-2021-38658)
• 40074: ZDI-CAN-14451: Zero Day Initiative Vulnerability (Microsoft Office PowerPoint) (CVE-2021-38659)