October is traditionally the time for tricks and treats, and earlier this month, Microsoft delivered what may be considered a treat by some and a trick by others. After declaring back in 2015 that Windows would be “the last version of Windows,” the company apparently had a change of heart and on October 5 released Windows 11. The new OS started to roll out on that date, but not everyone running Windows 10 has been offered the upgrade via Windows Update. The first machines to get the offer are new devices that meet the hardware requirements (which include a Trusted Platform Module version 2.0 as well as minimum processor, memory, and storage specifications). Then it will roll out to the rest on a phased schedule, from now until the middle of 2022.
The upgrade is free, and if you’re the impatient sort and don’t want to wait, you can use Microsoft’s PC Health Check tool to test your computer’s compatibility. If it passes, you can download the Windows 11 installation assistant and do the upgrade now. That’s what I did with my Surface Pro 7, and you can read about that experience and my first impressions of the new operating system on my personal blog.
Meanwhile, whether you’re running the brand new OS or an older version, keeping your operating systems and applications up to date is a never-ending effort. Toward that end, Microsoft released the following slate of Patch Tuesday security fixes on October 12 — which include fixes for Windows 11. Let’s take a look at this month’s critical and important updates.
Overview
As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide website for a full list of the October releases. This month’s updates apply to a broad range of Microsoft products, features, and roles, including .NET Core & Visual Studio, Active Directory Federation Services, Console Window Host, HTTP.sys, Microsoft DWM Core Library, Microsoft Dynamics, Microsoft Dynamics 365 Sales, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Intune, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Office Word, Microsoft Windows Codecs Library, Rich Text Edit Control, Role: DNS Server, Role: Windows Active Directory Server, Role: Windows AD FS Server, Role: Windows Hyper-V, System Center, Visual Studio, Windows AppContainer, Windows AppX Deployment Service, Windows Bind Filter Driver, Windows Cloud Files Mini Filter Driver, Windows Common Log File System Driver, Windows Desktop Bridge, Windows DirectX, Windows Event Tracing, Windows exFAT File System, Windows Fastfat Driver, Windows Installer, Windows Kernel, Windows MSHTML Platform, Windows Nearby Sharing, Windows Network Address Translation (NAT), Windows Print Spooler Components, Windows Remote Procedure Call Runtime, Windows Storage Spaces Controller, Windows TCP/IP, Windows Text Shaping, and Windows Win32K.
Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you are unable to install the updates due to compatibility or other reasons.
This month’s updates include fixes for more than 70 vulnerabilities across the above products. As usual, in this article, we’ll focus on the critical issues since they pose the greatest threat.
Critical and exploited vulnerabilities
This year has seen an increase in zero-day disclosures and attacks, so we will look first at this month’s zero-day vulnerabilities that have been fixed. This includes four vulnerabilities, the first of which is reported to have been widely exploited in attacks on IT companies, military and defense contractors, and diplomatic entities.
Vulnerability being exploited in the wild
The following vulnerability has been detected as having already been exploited in the wild:
CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability. This is an EoP issue that can be exploited by accessing the target system locally or remotely, or the attacker can rely on user interaction. Exploit in the wild has been detected. It affects currently supported versions of Windows client and server operating systems, including Windows 11. Attack complexity and privileges required are low, and exploit can result in a total loss of confidentiality, integrity, and availability. The attack is being called MysterySnail and attributed to Iron Husky and Chinese Advanced Persistent Threat (APT) activity.
Other zero-day vulnerabilities patched
The following three vulnerabilities were publicly exposed before the release of a fix but have not been detected as exploited in the wild:
- CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability. This is an RCE issue that is remotely exploitable. Attack complexity is low. Attacker requires administrative privileges. No user interaction is needed. It affects currently supported versions of Windows Server, including the server core installation (not Windows client operating systems). The exploit can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-41335 – Windows Kernel Elevation of Privilege Vulnerability. This is an EoP issue that can be exploited by accessing the target system locally or remotely, or the attacker can rely on user interaction. It affects currently supported versions of Windows Server and client, but Windows 11 is not listed. Attack complexity and privileges required are low, and exploit can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-41338 – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability. This is an SFB issue that can be exploited by accessing the target system locally or remotely, or the attacker can rely on user interaction. It affects currently supported versions of Windows Server and client, including Windows 11. Attack complexity and privileges required are low, and exploit can result in a total loss of confidentiality. Integrity and availability are not impacted.
Other critical vulnerabilities patched
The following vulnerabilities this month were also classified as critical but had not been disclosed or exploited prior to patch release:
- CVE-2021-38672 – Windows Hyper-V Remote Code Execution Vulnerability. This is a critical RCE issue in which the vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. Attack complexity is high, with a successful attack dependent on conditions beyond the attacker’s control, but the attacker requires only low privileges. No user interaction is required. It affects Windows 11 and Windows Server 2022. The exploit can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-40461 – Windows Hyper-V Remote Code Execution Vulnerability. This is another critical RCE issue similar to the one above in that the vulnerable component is bound to the network stack, but the attack is limited at the protocol level to a logically adjacent topology. Attack complexity is high, with a successful attack dependent on conditions beyond the attacker’s control, but the attacker requires only low privileges. No user interaction is required. It affects Windows 11 and Windows 10 versions 1809, 1909, 21H1, and 20H2, as well as Windows Server 2022, 2019, and version 2004. The exploit can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-40486 – Microsoft Word Remote Code Execution Vulnerability. This is an RCE issue in Word in which the attacker exploits the vulnerability by accessing the target system locally (e.g., keyboard, console), or remotely (e.g., SSH); or the attacker relies on User Interaction by another person to perform actions required to exploit the vulnerability. Attack complexity is low, and no privileges are required. However, user interaction is required. It affects Word 2013/2013 RT, 2016, 2019, Office Web Apps Server 2013, SharePoint Enterprise Server 2013, and 2016. The exploit can result in a total loss of confidentiality, integrity, and availability.
Important and moderate updates
In addition to the critical and zero-day updates listed above, this month’s patches address seventy vulnerabilities that are rated important. These include elevation of privilege, information disclosure, spoofing, and remote code execution issues. You can find the full list in the Security Updates Guide. The following are a few of note:
- CVE-2021-26427 – Microsoft Exchange Server Remote Code Execution Vulnerability. This is an RCE vulnerability in Microsoft Exchange Server. Attack complexity and required privileges are both low and no user interaction is required. It affects Microsoft Exchange Server 2013, 2016, and 2019. The exploit can result in a total loss of confidentiality, integrity, and availability.
- CVE-2021-36970 – Windows Print Spooler Spoofing Vulnerability. This is a spoofing vulnerability in the print spooler component of the operating system. Attack complexity is low and no privileges are required. However, user interaction is required. It affects supported versions of both the Windows client and server operating systems. The exploit can result in a total loss of confidentiality, integrity, and availability.
Other updates
KB5006671 – Cumulative security update for Internet Explorer.
KB5006743 – Monthly rollup for Windows 7 and Windows Server 2008 R2
KB5006714 – Monthly rollup for Windows 8.1 and Windows Server 2012 R2
KB5006667 – Update for Windows 10 version 1909.
KB5006670 – Update for Windows 10, version 2004, 20H2, and 21H1.
KB5006674 – Update for Windows 11.
KB5006736 – Monthly rollup for Windows Server 2008.
KB5006739 – Monthly rollup for Windows Server 2012.
KB5006699 – Update for Windows Server 2022.
Applying the updates
Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service that’s built into the operating system.
Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.
Known issues
Before installing updates, you should always research whether there are known issues that could affect your particular machines and configurations before rolling out an update to your production systems. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found here in the release notes.
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830) (microsoft.com)
Third-party releases
In addition to Microsoft’s security updates, October Patch Tuesday brought six security advisories and updates from Adobe, which will be discussed in more detail in this month’s Third Party Patch Roundup at the end of this month.
