Microsoft’s September 2021 Patch Tuesday Addresses 60 CVEs

Satnam Narang_Staff Research Engineer_Tenable
Satnam Narang_Staff Research Engineer_Tenable

Microsoft addressed 60 CVEs in its September 2021 Patch Tuesday release, along with patches for a critical vulnerability in its MSHTML (Trident) engine that was first disclosed in an out-of-band advisory on September 7. Please find below comment from Satnam Narang, staff research engineer at Tenable and further analysis here.

“This month’s Patch Tuesday release includes fixes for 60 CVEs, four of which are rated critical. So far in 2021, Microsoft patched less than 100 CVEs seven out of the last nine months, which is in stark contrast to 2020, which featured eight months of over 100 CVEs patched.

“This month’s release includes a fix for CVE-2021-40444, a critical vulnerability in Microsoft’s MSHTML (Trident) engine. This vulnerability was disclosed on September 7 and researchers developed a number of proof-of-concept exploits showing the ease and reliability of exploitation. An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.

“There have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware. There are no indications that this has happened yet, but with the patch now available, organisations should prioritise updating their systems as soon as possible.

“Microsoft also patched three elevation of privilege vulnerabilities in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447). For the last few months, we have seen a steady stream of patches for flaws in Windows Print Spooler following the disclosure of PrintNightmare in July. Researchers continue to discover ways to exploit Print Spooler, and we expect continued research in this area. Only one (CVE-2021-38671) of the three vulnerabilities is rated as exploitation more likely. Organisations should also prioritise patching these flaws as they are extremely valuable to attackers in post-exploitation scenarios.” – Satnam Narang, staff research engineer, Tenable