Microsoft November 2021 Patch Tuesday fixes 6 zero-days, 55 flaws

LASER_oneXM

Level 37
Thread author
Verified
Top poster
Well-known
Feb 4, 2016
2,534
Today is Microsoft's November 2021 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 55 flaws. The actively exploited vulnerabilities are for Microsoft Exchange and Excel, with the Exchange zero-day used as part of the Tianfu hacking contest.

Microsoft has fixed 55 vulnerabilities with today's update, with six classified as Critical and 49 as Important. The number of each type of vulnerability is listed below:

  • 20 Elevation of Privilege vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 15 Remote Code Execution vulnerabilities
  • 10 Information Disclosure vulnerabilities
  • 3 Denial of Service vulnerabilities
  • 4 Spoofing vulnerabilities
For information about the non-security Windows updates, you can read about today's Windows 10 KB5007186 & KB5007189 cumulative updates and the Windows 11 KB5007215 cumulative update.

Six zero-days fixed, with two actively exploited​

November's Patch Tuesday includes fixes for six zero-day vulnerabilities, two actively exploited against Microsoft Exchange and Microsoft Excel.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited vulnerabilities fixed this month are:
 

Gandalf_The_Grey

Level 61
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,024
The November 2021 Security Update Review:
The second Tuesday of the month is upon us, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for November 2021

For November, Adobe released only three patches correcting four CVEs in Creative Cloud Desktop, InCopy, and RoboHelp. The patch for Creative Cloud fixes a single Important-rated denial-of-service (DoS) bug. The InCopy patch fixes two bugs, including a Critical-rated code execution. The release for RoboHelp Server is listed as a security hotfix rather than a security patch, but it’s not clear why there’s a difference in the nomenclature. Either way, a Critical-rated arbitrary code execution bug is being fixed, so if you still use RoboHelp, apply this hotfix.

If this seems especially light, Adobe did release fixes for more than 80 CVEs in late October for critical code execution flaws, privilege escalation, denial-of-service, and memory leaks across multiple products. None of these fixes were listed as under active attack, so it’s unclear why Adobe released so many patches out of band.

None of the patches released today by Adobe are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for November 2021

For November, Microsoft released patches today for 55 new CVEs in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.

Historically speaking, 55 patches in November is a relatively low number. Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors. It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.

Of the CVEs patched today, six are rated Critical and 49 are rated as Important in severity. Four of these bugs came through the ZDI program. Four of these bugs are listed as publicly known two are listed as under active exploit at the time of release.
 

Gandalf_The_Grey

Level 61
Verified
Helper
Top poster
Content Creator
Well-known
Apr 24, 2016
5,024
Microsoft Windows Security Updates November 2021 overview
This guide offers an overview of the security updates and non-security updates that Microsoft released for its products on the November 2021 Patch Day. Microsoft released updates for all supported client and server versions of Windows, including Windows 11, and for other company products such as Microsoft Office.

Most Windows updates are cumulative, and the most recent updates for Windows includes the patches of the optional updates that Microsoft released after the October 2021 Patch Day.

The overview begins with an executive summary that summarizes the most important information. Then you find the operating system distribution, information about all updates for client versions of Windows, including known issues confirmed by Microsoft, lists of other security and non security updates, and download information.
 

silversurfer

Level 84
Verified
Helper
Top poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
7,527

Microsoft patches Excel zero-day used in attacks, asks Mac users to wait​

During this month's Patch Tuesday, Microsoft has patched an Excel zero-day vulnerability exploited in the wild by threat actors.

Zero-days, as defined by Microsoft, are publicly disclosed bugs with no official security updates.

The vulnerability, tracked as CVE-2021-42292, is a high severity security feature bypass that unauthenticated attackers can exploit locally in low complexity attacks that don't require user interaction.

Microsoft also patched a second Excel security flaw used during the Tianfu Cup hacking contest last month, a remote code execution bug tracked as CVE-2021-40442 and exploitable by unauthenticated attackers.

Luckily, Microsoft says that the Windows Explorer preview pane is not an attack vector for the two bugs.

This means that successful exploitation requires fully opening maliciously crafted Excel files instead of just clicking to select them.