Back to Blog
Exposure Management

Patch Tuesday - September 2021

Adam Bunn
Adam Bunn
|Last updated on Sep 15, 2021|1 min read
LinkedInFacebookX
Patch Tuesday - September 2021

Microsoft has fixed a total of 60 vulnerabilities this month, including two publicly disclosed 0-days. Fortunately there are only a few issues rated critical this month with the vast majority of the remainder being rated important. Here’s three big things you can go patch right now.

MSHTML Remote Code Execution 0-day (CVE-2021-40444)

The hot topic this month is the most recent remote code execution 0-day vulnerability in MSHTML. When it was first discovered it was only being used in a limited number of attacks, however this quickly changed once instructions for exploiting the vulnerability were published online. This vulnerability was severe enough to warrant publishing patches for older operating systems including Windows 7, Windows Server 2008 R2, and Windows Server 2008. Now that updates have been published for this vulnerability they should be applied as soon as possible.

Windows DNS Local Elevation of Privilege (CVE-2021-36968)

This is the second publicly disclosed vulnerability updated this month. While the details surrounding this CVE are sparse, we do know that Microsoft has not detected exploitation in the wild.

Updates to PrintNightmare (CVE-2021-1678)

Microsoft has made additional patches available for older operating systems. If you were previously unable to patch against this vulnerability you may want to review this new information.

Summary Graphs

output_26_1.pngoutput_25_1.pngoutput_20_2.pngoutput_18_2-1.png

Summary Tables

Azure Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-38647Open Management Infrastructure Remote Code Execution VulnerabilityNoNo9.8Yes
CVE-2021-38645Open Management Infrastructure Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2021-38648Open Management Infrastructure Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2021-38649Open Management Infrastructure Elevation of Privilege VulnerabilityNoNo7Yes
CVE-2021-40448Microsoft Accessibility Insights for Android Information Disclosure VulnerabilityNoNo6.3Yes
CVE-2021-36956Azure Sphere Information Disclosure VulnerabilityNoNo4.4Yes

Browser Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-38642Microsoft Edge for iOS Spoofing VulnerabilityNoNo6.1No
CVE-2021-38641Microsoft Edge for Android Spoofing VulnerabilityNoNo6.1No
CVE-2021-26439Microsoft Edge for Android Information Disclosure VulnerabilityNoNo4.6No
CVE-2021-38669Microsoft Edge (Chromium-based) Tampering VulnerabilityNoNo6.4Yes
CVE-2021-26436Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityNoNo6.1No
CVE-2021-36930Microsoft Edge (Chromium-based) Elevation of Privilege VulnerabilityNoNo5.3No
CVE-2021-30632Chromium: CVE-2021-30632 Out of bounds write in V8NoNoYes
CVE-2021-30624Chromium: CVE-2021-30624 Use after free in AutofillNoNoYes
CVE-2021-30623Chromium: CVE-2021-30623 Use after free in BookmarksNoNoYes
CVE-2021-30622Chromium: CVE-2021-30622 Use after free in WebApp InstallsNoNoYes
CVE-2021-30621Chromium: CVE-2021-30621 UI Spoofing in AutofillNoNoYes
CVE-2021-30620Chromium: CVE-2021-30620 Insufficient policy enforcement in BlinkNoNoYes
CVE-2021-30619Chromium: CVE-2021-30619 UI Spoofing in AutofillNoNoYes
CVE-2021-30618Chromium: CVE-2021-30618 Inappropriate implementation in DevToolsNoNoYes
CVE-2021-30617Chromium: CVE-2021-30617 Policy bypass in BlinkNoNoYes
CVE-2021-30616Chromium: CVE-2021-30616 Use after free in MediaNoNoYes
CVE-2021-30615Chromium: CVE-2021-30615 Cross-origin data leak in NavigationNoNoYes
CVE-2021-30614Chromium: CVE-2021-30614 Heap buffer overflow in TabStripNoNoYes
CVE-2021-30613Chromium: CVE-2021-30613 Use after free in Base internalsNoNoYes
CVE-2021-30612Chromium: CVE-2021-30612 Use after free in WebRTCNoNoYes
CVE-2021-30611Chromium: CVE-2021-30611 Use after free in WebRTCNoNoYes
CVE-2021-30610Chromium: CVE-2021-30610 Use after free in Extensions APINoNoYes
CVE-2021-30609Chromium: CVE-2021-30609 Use after free in Sign-InNoNoYes
CVE-2021-30608Chromium: CVE-2021-30608 Use after free in Web ShareNoNoYes
CVE-2021-30607Chromium: CVE-2021-30607 Use after free in PermissionsNoNoYes
CVE-2021-30606Chromium: CVE-2021-30606 Use after free in BlinkNoNoYes

Developer Tools Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-36952Visual Studio Remote Code Execution VulnerabilityNoNo7.8No
CVE-2021-26434Visual Studio Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-26437Visual Studio Code Spoofing VulnerabilityNoNo5.5No

ESU Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-38625Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38626Windows Kernel Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-36968Windows DNS Elevation of Privilege VulnerabilityNoYes7.8No

Microsoft Dynamics Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-40440Microsoft Dynamics Business Central Cross-site Scripting VulnerabilityNoNo5.4No

Microsoft Office Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-38656Microsoft Word Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38651Microsoft SharePoint Server Spoofing VulnerabilityNoNo7.6No
CVE-2021-38652Microsoft SharePoint Server Spoofing VulnerabilityNoNo7.6No
CVE-2021-38653Microsoft Office Visio Remote Code Execution VulnerabilityNoNo7.8No
CVE-2021-38654Microsoft Office Visio Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38650Microsoft Office Spoofing VulnerabilityNoNo7.6Yes
CVE-2021-38659Microsoft Office Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38658Microsoft Office Graphics Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38660Microsoft Office Graphics Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38657Microsoft Office Graphics Component Information Disclosure VulnerabilityNoNo6.1Yes
CVE-2021-38646Microsoft Office Access Connectivity Engine Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38655Microsoft Excel Remote Code Execution VulnerabilityNoNo7.8Yes

Windows Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-36967Windows WLAN AutoConfig Service Elevation of Privilege VulnerabilityNoNo8No
CVE-2021-36966Windows Subsystem for Linux Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38637Windows Storage Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2021-36972Windows SMB Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2021-36974Windows SMB Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-36973Windows Redirected Drive Buffering System Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38624Windows Key Storage Provider Security Feature Bypass VulnerabilityNoNo6.5Yes
CVE-2021-36954Windows Bind Filter Driver Elevation of Privilege VulnerabilityNoNo8.8No
CVE-2021-36975Win32k Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38634Microsoft Windows Update Client Elevation of Privilege VulnerabilityNoNo7.1No
CVE-2021-38644Microsoft MPEG-2 Video Extension Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38661HEVC Video Extensions Remote Code Execution VulnerabilityNoNo7.8Yes
CVE-2021-38632BitLocker Security Feature Bypass VulnerabilityNoNo5.7Yes

Windows ESU Vulnerabilities

CVETitleExploitedDisclosedCVSS3FAQ
CVE-2021-36965Windows WLAN AutoConfig Service Remote Code Execution VulnerabilityNoNo8.8No
CVE-2021-26435Windows Scripting Engine Memory Corruption VulnerabilityNoNo8.1Yes
CVE-2021-36960Windows SMB Information Disclosure VulnerabilityNoNo7.5Yes
CVE-2021-36969Windows Redirected Drive Buffering SubSystem Driver Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2021-38635Windows Redirected Drive Buffering SubSystem Driver Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2021-38636Windows Redirected Drive Buffering SubSystem Driver Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2021-38667Windows Print Spooler Elevation of Privilege VulnerabilityNoNo7.8Yes
CVE-2021-38671Windows Print Spooler Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-40447Windows Print Spooler Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-36962Windows Installer Information Disclosure VulnerabilityNoNo5.5Yes
CVE-2021-36961Windows Installer Denial of Service VulnerabilityNoNo5.5No
CVE-2021-36964Windows Event Tracing Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38630Windows Event Tracing Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-36955Windows Common Log File System Driver Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-36963Windows Common Log File System Driver Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38633Windows Common Log File System Driver Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-36959Windows Authenticode Spoofing VulnerabilityNoNo5.5No
CVE-2021-38629Windows Ancillary Function Driver for WinSock Information Disclosure VulnerabilityNoNo6.5Yes
CVE-2021-38628Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38638Windows Ancillary Function Driver for WinSock Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-38639Win32k Elevation of Privilege VulnerabilityNoNo7.8No
CVE-2021-40444Microsoft MSHTML Remote Code Execution VulnerabilityYesYes8.8Yes

Article Tags

Author

Adam Bunn
Adam Bunn
Authors's Posts

Related blog posts