The September 2021 Security Update Review


Level 50
Content Creator
Apr 24, 2016
It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for September 2021

For September, Adobe released 15 patches covering 59 CVEs in Adobe Acrobat Reader, XMP Toolkit SDK, Photoshop, Experience Manager, Genuine Service, Digital Editions, Premiere Elements, Photoshop Elements, Creative Cloud Desktop, ColdFusion, Framemaker, InDesign, SVG-Native-Viewer, InCopy, and Premiere Pro. A total of 17 of these bugs came through the ZDI program.

The update for Adobe Acrobat fixes 26 bugs in total. Of these 26 bugs, 13 are rated Critical, 9 are rated Important, and four are rated Moderate in severity. The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability. The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file. The update for Framemaker includes five bugs found by ZDI researcher Mat Powell. The most severe of these issues result from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. If you’re still using ColdFusion, you’ll definitely want to patch the two Critical rated security feature bypass bugs being fixed today.

You can check out all of Adobe’s patches on their PSIRT page. None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Apple Patches for September 2021

Although Apple does not follow the second Tuesday patch release cycle, they did release patches yesterday fixing a couple of significant bugs. CVE-2021-30860 fixes an input validation bug in CoreGraphics that could allow remote code execution. Apple notes they are aware of a report this bug is being actively exploited. This was reported by the Citizen Lab, and public accounts indicate this bug was used to target a Saudi activist’s iPhone. While the likelihood of widespread attack using this bug is low, it should still be taken seriously. Apple also notes CVE-2021-30858 – a Use-After-Free (UAF) bug in Webkit – has also been detected in the wild. These bugs impact several different Apple products, including iOS, iPad OS, watchOS, Safari, Catalina, and Big Sur. Definitely take some time to review all of the patches and apply the applicable updates once tested.

Google Chrome Patches for September 2021

Not to be outdone by Apple, Google also released a new version of Chrome yesterday to address a total of nine CVEs – two of which are listed as under active attack. CVE-2021-30632 fixes an Out-of-Bounds (OOB) Write, while CVE-2021-30633 fixes a UAF bug. Both were reported by an anonymous researcher, and both could lead to code execution at the level of the logged-on user. All of the bugs fixed in this release receive a “High” severity rating from Google. If you are running Chrome, definitely update to ensure you are on the latest stable version.

Side note: As of today, not all these fixes have not been absorbed by Microsoft Edge (Chromium) and are unrelated to the Edge (Chromium) fixes discussed below. Microsoft did list CVE-2021-30632 on September 11 but appears to have jumped the gun a bit on this release as it currently shows a September 14 release date.

Microsoft Patches for September 2021

For September, Microsoft released patches today for 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. This is in addition to the 20 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the September total to 86 CVEs. A total of 11 of these bugs were submitted through the ZDI program.

Of the 66 new CVEs patched today, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume is slightly higher than the average for 2021, which is below the 2020 volume while still above what was seen in 2019. As with last month, Microsoft spent significant resources responding to bugs under active attack, most notably CVE-2021-40444. One other bug is listed as publicly known but not being exploited (for now).


Level 37
Feb 4, 2016

Today is Microsoft's September 2021 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 60 flaws.
Microsoft has fixed 60 vulnerabilities (86 including Microsoft Edge) with today's update, with three classified as Critical, one as Moderate, and 56 as Important.

Of the total 86 vulnerabilities (including Microsoft Edge):

  • 27 Elevation of Privilege Vulnerabilities
  • 2 Security Feature Bypass Vulnerabilities
  • 16 Remote Code Execution Vulnerabilities
  • 11 Information Disclosure Vulnerabilities
  • 1 Denial of Service Vulnerabilities
  • 8 Spoofing Vulnerabilities
For information about the non-security Windows updates, you can read about today's Windows 10 KB5005565 & KB5005566 cumulative updates.


Level 50
Content Creator
Apr 24, 2016
Ghacks Microsoft Windows Security Updates September 2021 overview:
Today is Patch Day over at Microsoft and the company has released security updates and non-security updates for Windows and other company products. Security updates have been released for all client and server versions of the Windows operating system that Microsoft supports. Other company products, such as Microsoft Office, have received updates as well.

Our Windows security updates overview for September 2021 provides system administrators, IT workers, and home users with information about the released updates.

You find the list of critical updates for each supported Windows operating system as well as the distribution of updates for each at the top. What follows are information about the released patches, links to support pages, information about known issues, and download details.


Level 75
Content Creator
Malware Hunter
Aug 17, 2014
In today's September 2021 Patch Tuesday security updates, Microsoft has released a new security update for CVE-2021-36958 that fixes the remaining PrintNightmare vulnerability.

Delpy, who tested his exploit against the new security update, confirmed to BleepingComputer that the bug is now fixed.
#printnightmare patch tuesday looks like promising
— Benjamin Delpy (@gentilkiwi) September 14, 2021