Microsoft Patch Tuesday Patch Roundup for November

Autumn is here in the northern hemisphere, and along with cooler temperatures come the hustle and bustle of the upcoming holiday season. IT professionals are doing some hustling and bustling of their own as they scramble to keep systems secure at a time when attackers ramp up their efforts to take advantage of users who are distracted by the seasonal activities and perhaps less diligent than usual.

As Microsoft rolls out Windows 11, companies are facing a common dilemma: to upgrade or not to upgrade; that is the question. These days, security is always a big factor in making such decisions. Windows 11’s requirement for a Trusted Platform Module (TPM) is just one of the extra security measures built into the new operating system. You can read more about 10 key security updates in Windows 11.

A key element of Microsoft’s current security strategy is zero trust. This is an integrated, multi-layered approach to security aimed at verifying every identity and transaction, enforcing the principle of least privilege, and validating the health of every device. An important aspect of device health is ensuring that software is up to date, and that’s where Microsoft’s monthly (and occasional out-of-band) security patches come in.

Some companies forego installing updates in December, particularly those in the retail sector, who are dealing with their busiest time of the year and don’t want to worry about a disruption caused by an update incompatibility that could result in lost business. That makes it even more important than usual to get this month’s patches installed before the end of the month.

Let’s take a look at the security updates released yesterday.

Overview

• As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide website for a full list of the October releases. This month’s updates apply to a broad range of Microsoft products, features, and roles, including 3D Viewer, Azure Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Edge (Chromium-based) in IE Mode, Microsoft Exchange Server, Microsoft Office, Microsoft Office Access, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Windows, Microsoft Windows Codecs Library, Power BI, Role: Windows Hyper-V, Visual Studio, Visual Studio Code, Windows Active Directory, Windows COM, Windows Core Shell, Windows Cred SSProvider Protocol, Windows Defender, Windows Desktop Bridge, Windows Diagnostic Hub, Windows Fastfat Driver, Windows Feedback Hub, Windows Hello, Windows Installer, Windows Kernel, Windows NTFS, Windows RDP, Windows Scripting, and Windows Virtual Machine Bus.

Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you are unable to install the updates due to compatibility or other reasons. Known issues are addressed in the Release Notes.

This month’s updates include fixes for a total of 55 vulnerabilities across the above products. As usual in our monthly Microsoft Patch Tuesday articles, we’ll focus on the zero-day and critical issues since they pose the greatest threat.

Critical and exploited vulnerabilities

Zero-day vulnerabilities are exploitable security flaws in software that are disclosed to the public or to attackers before they’re known to and patched by the software vendors. This year has seen an increase in zero-day disclosures and attacks, so we will look first at this month’s zero-day vulnerabilities that have been fixed. This includes six vulnerabilities, two of which have been reported as having been actively exploited.

Vulnerabilities being exploited in the wild

The following vulnerabilities have been detected as having already been exploited in the wild:

• CVE-2021-42292– Microsoft Excel Security Feature Bypass Vulnerability. This is an SFB issue that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, and no privileges are required; however, user interaction is needed. It affects currently supported versions of Microsoft Excel, Microsoft Office, Office LTSC, and Microsoft 365 apps. The exploit can result in a total loss of confidentiality, integrity, and availability.
• CVE-2021-42321– Microsoft Exchange Server Remote Code Execution Vulnerability. This is an RCE issue that is remotely exploitable. Attack complexity and privileges required are low, and no user interaction is required. It affects Microsoft Exchange Server 2016 and 2019. The exploit can result in a total loss of confidentiality, integrity, and availability.

Other zero-day vulnerabilities patched

The following four vulnerabilities were publicly exposed before the release of a fix but have not, at the time of this writing, been detected as exploited in the wild:

• CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. This is an ID issue that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, but required privileges are high. No user interaction is required. It affects currently supported versions of Windows client and server operating systems, including the server core installations. The exploit can result in a total loss of confidentiality, but integrity and availability are not affected.

• CVE-2021-41371– Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability. This is an ID issue that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, but required privileges are high. No user interaction is required. It affects currently supported versions of Windows client and server operating systems, including the server core installations. The exploit can result in a total loss of confidentiality, but integrity and availability are not affected.
• CVE-2021-43208– 3D Viewer Remote Code Execution Vulnerability. This is an RCE issue that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, and no privileges are required. User interaction, however, is required. It affects Microsoft’s 3D Viewer object viewer and augmented reality application. The exploit can result in a total loss of confidentiality, integrity, and availability.
• CVE-2021-43209– 3D Viewer Remote Code Execution Vulnerability. This is another RCE issue that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, and no privileges are required. User interaction, however, is required. It affects Microsoft’s 3D Viewer object viewer and augmented reality application. The exploit can result in a total loss of confidentiality, integrity, and availability.

Other critical vulnerabilities patched

The following six vulnerabilities this month were classified as critical but had not been disclosed or exploited before patch release:

• CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability. This is an RCE issue for which an attack must be launched from the same shared physical (e.g., Bluetooth or IEEE 802.11) or logical (e.g., local IP subnet) network, or from within a secure or otherwise limited administrative domain. Attack complexity and required privileges are low but no user interaction is required. It affects Windows 10, Windows 11, and Windows Server 2019, 2022, 21H1, 20H2, and v2004 (including the server core installation). The exploit can result in a total loss of confidentiality, integrity, and availability.
• CVE-2021-3711 – OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow. This is a decryption buffer overflow issue in OpenSSL software consumed by Visual Studio. A malicious attacker who is able to present specially crafted SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes altering the contents of other data held after the buffer, possibly changing application behavior or causing the application to crash. It affects Visual Studio versions 15.9, 16.7, 16.9, and 16.11.
• CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability. This is another RCE issue in the RDP client that is remotely exploitable. Attack complexity if low and no privileges are required but user interaction is required. It affects currently supported versions of Windows client and server operating systems, including the server core installation. The exploit can result in a total loss of confidentiality, integrity, and availability.
• CVE-2021-42279 – Chakra Scripting Engine Memory Corruption Vulnerability. This is a memory corruption issue that is remotely exploitable. Attack complexity is high but no privileges are required; however, user interaction is required. It affects Windows 10, Windows 11, and Windows Server versions 2022 and 20H2. The exploit can result in some loss of confidentiality and integrity. There is no effect on availability.
• CVE-2021-42298 – Microsoft Defender Remote Code Execution Vulnerability. This is an RCE issue that can be exploited by accessing the targeted system locally or remotely or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, and no privileges are required. User interaction, however, is required. It affects The Microsoft Defender Malware Protection Engine. The exploit can result in a total loss of confidentiality, integrity, and availability.
• CVE-2021-42316 – Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability. This is an RCE issue that is remotely exploitable. Attack complexity and required privileges are low but user interaction is required. It affects Microsoft Dynamics 365 versions 9.0 and 9.1, on-premises only. The exploit can result in a complete loss of confidentiality and integrity, but availability is not affected.

Important and moderate updates

In addition to the critical and zero-day updates listed above, this month’s patches address a number of vulnerabilities that are rated important. These include elevation of privilege, information disclosure, spoofing, and remote code execution issues. You can find the full list in the Security Updates Guide. The following are a few of note:

• CVE-2021-41351 – Microsoft Edge (Chrome-based) Spoofing on IE Mode. This is a spoofing issue in the Edge web browser and is remotely exploitable. Proof-of-concept exploit code is available for this one, but it results only in some loss of confidentiality, while integrity and availability are not affected. It affects the Chromium-based version of Edge running on Windows 10 and Windows 11.
• CVE-2021-42296 – Microsoft Word Remote Code Execution Vulnerability. This is an RCE issue in Microsoft Word that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity is low, and no privileges are required, but user interaction is required. It affects Microsoft Office LTSC 2021 and Microsoft 365 Apps for Enterprise. The exploit can result in a total loss of confidentiality, integrity, and availability.
• CVE-2021-42285 – Windows Kernel Elevation of Privilege Vulnerability. This is an EoP issue that can be exploited by accessing the targeted system locally or remotely, or the attacker can rely on a user performing certain actions to cause the vulnerability to be exploited. Attack complexity and privileges required are low, and no user interaction is required. It affects current versions of Windows client and server operating systems, including the server core installation. The exploit can result in a total loss of confidentiality, integrity, and availability.

Other/cumulative updates

KB5007215 – Windows 11. Includes security updates and quality improvements, and addresses an issue in which certain apps might have unexpected results when rendering some user interface elements or drawing within the app. You might encounter this issue with apps that use GDI+ and set a zero (0) width pen object on displays with high dots per inch (DPI) or resolution, or if the app is using scaling.

KB5007186 – Windows 10 (versions 2004, 20H2 and 21H1).

KB5007189 – Windows 10 (version 1909).

KB5007247 – Windows 8.1 and Server 2012 R2. Includes improvements and fixes that were a part of update KB5006714 and addresses issues related to printer driver installation, Internet print servers, and unexpected results in apps when rendering some UI elements.

KB5007236 – Windows 7 and Server 2008 R2. Includes improvements and fixes that were a part of update KB5006743 and addresses issues related to printer driver installation, Internet print servers, and unexpected results in apps when rendering some UI elements.

NOTES: As of October 2021, there are no longer optional, non-security releases for Windows 10, version 1909. Only cumulative monthly security updates will continue for Windows 10, version 1909. Windows 10, version 2004 will reach end of servicing on Dec. 14, 2021. To continue receiving security and quality updates, Microsoft recommends that you update to the latest version of Windows 10.

Because of minimal operations during the holidays and the upcoming Western new year, there won’t be a preview release (known as a “C” release) for the month of December 2021. There will be a monthly security release (known as a “B” release) for December 2021. Normal monthly servicing for both B and C releases will resume in January 2022.

Applying the updates

Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed-client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.

Most home users will receive the updates via the Windows Update service built into the operating system.

Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.

Known issues

Before installing updates, you should always research known issues that could affect your particular machines and configurations before rolling out an update to your production systems. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found here in the release notes.

Malicious Software Removal Tool (MSRT) update

The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830) (microsoft.com)

Third-party releases

In addition to Microsoft’s security updates, this month’s Patch Tuesday brought three update bulletins from Adobe, which will be discussed in more detail in this month’s Third-Party Patch Roundup at the end of this month.