Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit

November 9, 2021 Hi-network.com

Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild.

The Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. 

Products impacted by November's security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office -- as well as associated products such as Excel, Word, and SharePoint -- Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.   

Some of the most interesting vulnerabilities resolved in this update, all deemed as important, are: 

  • CVE-2021-42321: (CVSS:3.1 8.8 / 7.7). Under active exploit, this vulnerability impacts Microsoft Exchange Server and, due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.
  • CVE-2021-42292: (CVSS:3.1 7.8 / 7.0). Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.
  • CVE-2021-43209: (CVSS:3.1 7.8 / 6.8). A 3D Viewer vulnerability made public, this bug can be exploited locally to trigger RCE. 
  • CVE-2021-43208: (CVSS:3.1 7.8 / 6.8). Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution purposes. 
  • CVE-2021-38631: (CVSS:3.0 4.4 / 3.9). Also made public, this security flaw, found in the Windows Remote Desktop Protocol (RDP), can be used for information disclosure.
  • CVE-2021-41371: (CVSS:3.1 4.4 / 3.9). Finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.

According to the Zero Day Initiative (ZDI), historically, this is a relatively low number of vulnerabilities resolved during the month of November.

"Last year, there were more than double this number of CVEs fixed," the organization says. "Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors."

Last month, Microsoft resolved 71 bugs in the October batch of security fixes. Of particular note were patches for a total of four zero-day flaws, one of which was being actively exploited in the wild, whereas three were made public.

A month prior, the tech giant tackled over 60 vulnerabilities during the September Patch Tuesday. Among the patches was a fix for an RCE in MSHTML.

In recent Microsoft news, Visual Studio 2022 and .NET 6 were made generally available on November 8. Visual Studio 2022 includes a refresh of some features as well as debug improvements for developers. .NET 6 includes performance enhancements and is the first version able to support both Windows Arm64 and Apple Arm64 Silicon.


Alongside Microsoft's Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.

  • Adobe security updates
  • SAP security updates
  • VMware security advisories
  • Intel security updates 
