Four zero-day exploits add urgency to October Patch Tuesday

October brings four zero-day exploits and 74 updates to the Windows ecosystem, including a hard-to-test kernel update (CVE-2021-40449) that requires immediate attention and an Exchange Server update that requires technical skills and due diligence (and a restart). The October Patch Tuesday test profile covers handling Windows, AppX, Hyper-V, and Microsoft Word errors. We recommend immediate fix planning for Windows and then implementing the remaining fix packs based on your normal release model.

You can find more information about the risk of deploying these Patch Tuesday updates in this infographic.

Key test cases

No high-risk changes have been reported on the Windows platform. However, a functional change has been reported and additional functionality has been added:

  • As always, verify that printing works as expected with both physical printers and virtual printers. Check that there are no problems with the printer drivers. We suggest you evaluate which printer driver software still uses 32-bit code for application management.
  • Test your non-English websites, looking for broken or spotty characters in Thai, Lao, Korean, and Arabic.
  • The Active Directory BanndIP functionality has been updated. We suggest validating AD authorization for active and passive network traffic. You can find out more here.
  • Microsoft has updated the multimedia codec, so testing large image and video files should be part of the test plan.
  • The STORPORT.SYS component was updated this month, so check the applications that depend on this Windows feature.

I think it is now safe to say that the Microsoft AppX format has not been adopted as widely in the enterprise as expected. Despite this, significant upgrades to Microsoft AppX containers and deployment tools have been included in this October update. If you have a corporate Microsoft "store" for your applications, we recommend that you test both installing and uninstalling your AppX applications and their associated runtimes.

When it comes to less-used Windows features, the Microsoft NTFS filesystem has been updated to include a fix for symbolic links (useful with UNIX migrations). If you are in the middle of a large UNIX migration, you might want to put things on hold and test large (and parallel) file transfers before you deploy this update.

Known issues

Each month, Microsoft includes a list of known operating system and platform issues included in the update cycle. I have referenced a few key issues related to the latest Microsoft releases, including:

  • Devices with Windows installations created from custom offline media or custom ISO images may have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. This issue only occurs when custom offline media or ISO images are created by embedding this update in the image without first installing the Standalone Servicing Stack Update (SSU) released on March 29, 2021 or later.

Major revisions

As of this writing for this July update cycle, there were two major revisions to previously released updates:

  • CVE-2021-38624: Windows Key Storage Provider Security Feature Bypass Vulnerability. This is Microsoft's third attempt to patch this Windows key storage component and, unfortunately, a major revision was required. Systems affected this month include Windows 11; Microsoft strongly recommends that immediate action be taken to update the affected systems.
  • CVE-2021-33781: Azure AD Security Feature Bypass Vulnerability. Again, this is a third attempt to fix this problem. However, for this Azure AD issue, these latest changes are informational (revised titles and CVE documentation) and include a list of affected systems updated to include Windows 11. No further action is required here.

Mitigations and workarounds

  • CVE-2021-40444: Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Windows. The company is aware of targeted attacks that attempt to exploit this vulnerability by using specially crafted Microsoft Office documents. An attacker could create a malicious ActiveX control for use by a Microsoft Office document that hosts the browser rendering engine.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

  • Browsers (Microsoft IE and Edge);
  • Microsoft Windows (both desktop and server);
  • Microsoft Office;
  • Microsoft Exchange;
  • Microsoft Development Platforms (ASP.NET Core, .NET Core and Chakra Core);
  • Adobe (retired ???, not yet).

Browsers

Microsoft has released 33 updates to the Chromium-based Edge browser this cycle. Since Chromium does not integrate deeply into the desktop or server operating system, crashes or dependency issues are unlikely. You can read more about the Chromium project update cycle and release notes here.

However, one of the core components (IEFRAME.DLL) of Internet Explorer (IE) was updated this month. Third-party applications and software developed in-house may depend on this core library. For this particular update, it looks like Microsoft has changed the way browser tabs are handled, specifically the way they are created. If you receive "Invalid Pointer Bad Ref Count" (or similar) errors during your testing, it may very well be related to this core Internet Explorer system library (DLL) update. Add these two groups of browser updates to your regular update schedule.

Microsoft Windows

This month, Microsoft released four critical updates for the Windows ecosystem and 45 other fixes deemed important. Unfortunately, update CVE-2021-40449 for the Windows kernel was reported as exploited in the wild. This combines a hard-to-test low-level update to core Windows systems with an emergency that needs to be mitigated or fixed. We've included testing tips in the section above that cover many of this month's Windows changes. However, testing kernel updates is very difficult. Thoroughly test your core apps, deploy your updates in rings or in stages, and add this update to your Patch Now schedule.

Microsoft Office

Microsoft has released 16 updates for Microsoft Office and Microsoft SharePoint, one of which is classified as Critical (CVE-2021-40486) and affects Microsoft Word, with the remaining fixes affecting Excel and SharePoint. Word's security issue, while serious, has not been publicly disclosed and there are no reports of exploits in the wild. Note: SharePoint will require a restart after updating. We recommend that you add these updates to your regular patch release schedule.

Microsoft Exchange Server

Unfortunately, Microsoft Exchange Server updates are back for October. There are four fixes for Exchange Server (2016 and 2019), all of which are rated important. However, CVE-2021-36970 has a base score of 9.0 under the Common Vulnerability Scoring System (CVSS). This is very high (meaning serious) and would generally warrant a critical rating from Microsoft. However, because the "scope" of the vulnerability is limited, the potential damage is greatly reduced.

Microsoft has released updated documentation detailing a number of known issues with this month's Exchange Server fixes, where a manual installation of the MSP files does not correctly install all of the necessary files. Additionally, applying this update incorrectly may leave your Exchange server in a disabled state. This issue applies to the following October updates:

This installation issue is of particular concern when applying updates under User Account Control (UAC) and does not occur when using Microsoft Update. Otherwise, note that this Exchange update will require a server restart; we recommend that you add this update to your regular update schedule.

Microsoft Development Platforms

Microsoft released three updates to Visual Studio and a hotfix for .NET 5.0 this month. All of them were rated important by Microsoft and, at worst, could result in information disclosure or denial of service (application-specific and localized). The Visual Studio updates are very straightforward and should be included in your standard development cycle.

Adobe (really just Reader)

Adobe has released four updates to its core Reader product group in security bulletin APSB1221-104. Two of these updates (CWE-416 and CWE-787) are classified as critical by Adobe. While both have CVSS scores of 7.8 (which is quite high for a PDF reader), they do not need an urgent update. Add them to your regular update schedule.

Copyright © 2021 IDG Communications, Inc.
