September 14, 2021

Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google’s got a new version of Chrome that tackles two zero-day flaws. Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.

Four of the flaws fixed in this patch batch earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by miscreants or malware to remotely compromise a Windows PC with little or no help from the user.

Top of the critical heap is CVE-2021-40444, which affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions. In a security advisory last week, Microsoft warned attackers already are exploiting the flaw through Microsoft Office applications as well as IE.

The critical bug CVE-2021-36965 is interesting, as it involves a remote code execution flaw in “WLAN AutoConfig,” the component in Windows 10 and many Server versions that handles auto-connections to Wi-Fi networks. One mitigating factor here is that the attacker and target would have to be on the same network, although many systems are configured to auto-connect to Wi-Fi network names with which they have previously connected.

Allan Liska, senior security architect at Recorded Future, said a similar vulnerability — CVE-2021-28316 — was announced in April.

“CVE-2021-28316 was a security bypass vulnerability, not remote code execution, and it has never been reported as publicly exploited,” Liska said. “That being said, the ubiquity of systems deployed with WLAN AutoConfig enabled could make it an attractive target for exploitation.”

Another critical weakness that enterprises using Azure should prioritize is CVE-2021-38647, which is a remote code execution bug in Azure Open Management Infrastructure (OMI) that has a CVSS Score of 9.8 (10 is the worst). It was reported and detailed by researchers at Wiz.io, who said CVE-2021-38647 was one of four bugs in Azure OMI they found that Microsoft patched this week.

“We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” Wiz.io’s Nir Ohfeld wrote. “In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.”

Kevin Breen of Immersive Labs calls attention to several “privilege escalation” flaws fixed by Microsoft this month, noting that while these bugs carry lesser severity ratings, Microsoft considers them more likely to be exploited by bad guys and malware.

“CVE-2021-38639 and CVE-2021-36975 have also been listed as ‘exploitation more likely’ and together cover the full range of supported Windows versions,” Breen wrote. “I am starting to feel like a broken record when talking about privilege escalation vulnerabilities. They typically have a lower CVSS score than something like Remote Code Execution, but these local exploits can be the linchpin in the post-exploitation phases of an experienced attacker. If you can block them here you have the potential to significantly limit their damage. If we assume a determined attacker will be able to infect a victim’s device through social engineering or other techniques, I would argue that patching these is even more important than patching some other Remote Code execution vulnerabilities.”

Apple on Monday pushed out an urgent security update to fix a “zero-click” iOS vulnerability (CVE-2021-30860) reported by researchers at Citizen Lab that allows commands to be run when files are opened on certain Apple devices. Citizen Lab found that an exploit for CVE-2021-30860 was being used by the NSO Group, an Israeli tech company whose spyware enables the remote surveillance of smartphones.

Google also released a new version of its Chrome browser on Monday to fix nine vulnerabilities, including two that are under active attack. If you’re running Chrome, keep a lookout for when you see an “Update” tab appear to the right of the address bar. If it’s been a while since you closed the browser, you might see the Update button turn from green to orange and then red. Green means an update has been available for two days; orange means four days have elapsed, and red means your browser is a week or more behind on important updates. Completely close and restart the browser to install any pending updates.

As it usually does on Patch Tuesday, Adobe also released new versions of Reader, Acrobat and a large number of other products. Adobe says it is not aware of any exploits in the wild for any of the issues addressed in its updates today.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com usually has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.


19 thoughts on “Microsoft Patch Tuesday, September 2021 Edition”

  1. GSG

    On my Dell laptop the update twice failed to complete.
    The message:
    “There were some problems installing updates, but we’ll try again later. If you keep seeing this and want to search the web or contact support for information, this may help: (0x800f081f)”

    My other two systems, one laptop (also a Dell, but a newer one) and one desktop, had no problems.

  2. NadB

    Yesterday evening, a few hours after the NYTimes issued its report on the alert, I updated OS to 11.6 — on 2020 13in MacBook Pro w M1 chip. Had been running BigSur, which was up to date immediately prior to release of upgrade. Total chaos ensued – the update required a restart. Upon the restart, message appeared notifying me that the files on the desktop had been moved to the cloud — which was not exactly accurate– they actually were in long, slow and totally undesired process of being uploaded to the cloud. I don’t use cloud except for contacts, calendar and mail. I don’t want my files on the cloud. That’s one reason I sprung for MBP with 2T storage (I back up to 2 external drives). I could not reverse the process until it was completed- which took a too-long time, and then as it was on “Finishing …” the computer froze. I closed out, came back to it this morning. Found the upload was complete; now I had to reverse it, removing files from the cloud, and then finding all my stuff in a folder named iCloud archive. It took several hours to put all my folders in the right places; I had to reset my scanner destination folder setting- bec. the folder couldn’t be found; I had to log in to adobe to open a pdf. Couldn’t use my old adobe log-in credentials– Adobe’s log-in menu gave the options only of tying one’s adobe account to an apple or google login, or else checking off that one is new and has no Adobe account, and setting a new account. Not that I mind linking the accounts, but all of this because I upgraded the OS… No telling what else is going to pop up as I continue working on various apps and processes.

    1. BaliRob

      NadB

      You have my sympathy and understanding. Because of the chaos 2018 August and 2019 September (dates sic) which totally prevented me from accessing my computer in ANY POSSIBLE manner (Aug) and totally destroyed my hard drive (Sept) I have been unable through lack of commonsense (courage) to update anything on my W.81

  3. Paul S

    Apple, not unlike Microsoft, has decided that those of us who are still using older but still serviceable iPhones or iPads are not entitled to corrections for their faulty system software. We have an iPhone 5 running iOS 10.3.4 which is deemed to be “up to date” in Settings>General>Software Update. Same for our iPad Air running iOS 12.5.4. Apparently one must have iOS 13.X.X or above to have a “fix” delivered.

    1. Eddie

      This is what I hate about tablet devices. Android is even worse, I believe, than Apple. I hate that in 3 years you no longer dare connect a perfectly good device because they dropped it from updates.

      That said, the subject is Windows patch Tuesday.

    2. Nunya Bidness

      My AT&T 5s will brick at the end of October when ATT ceases G3 service, at which time it will become a remote control for my Mediaportal DVR & Sony AV system, and eventually my HomeAssistant security and lighting. Trying to decide between 12 Mini and 13 Mini because I hate large phones.

  4. chuck kasper

    My older iPad could not get any update. Apparently Apple has written off those customers as not worth it.

    1. de la mar

      Expected support life of a particular hw in modern security times is lower.
      This is not really demonstrated to be avoidable by any company AFAIK. (?)
      The support life is something like 4-5 years give or take, less for android.
      A modular/legacy hw setup would open more holes than it would close.
      What they “ought” to do is open up to homebrew as much as possible at EOL,
      or be forced to take it back and discount the replacement significantly.
      Then they keep the customers, cut some % of recycling, eat the rest,
      and aren’t wasting time-money trying to support outmoded hw platforms,
      while not declaring war on grandma or 3rd world burn pit attendants.

  5. will

    Among the many reasons I have migrated to a Linux daily driver (Manjaro specifically). Consumers are losing control over the systems they’ve bought and paid for faster than ever. Everything requires an account, everything’s “in the cloud,” and everything adheres to either Redmond’s, Cupertino’s, or Mountain View’s investment in prioritizing these patches and updates.

  6. Ebrecio

    Kb5005633 in my W7 caused stuck only when shutdown. Fixed with run shutdown -f -r 0

    1. anom

      70 minutes! I had an old Satellite 4gb platter disk box go for like 12 HOURS on the H2 rollup.
      No functional status indication whatsoever. I wonder how many installs get boofed up because
      they take forever and a reasonable person assumes updates “can’t possibly” take 12 hours, kills it.
      A neighbor had a similar POS laptop that kept trying to install, then uninstall, the same update.
      No visible status indication either. Forever. Fortunately for him, he had zero backups! “Easy fix!”

  7. david

    Before the hard disk stopped working altogether, replacing it with the new one might allow you to save your precious data and restore it later. how to install hard drive If you have decided to replace your old hard disk with a new one or plan to replace the HDD with SSD, this post will guide you step by step on how to proceed and complete the hard drive replacement and reinstall the operating system in the new drive. It usually involves following steps in how to install hard drive.

  8. vijay

    But after this patch install on my system, My system is not starting and stucking on boot. I have to format it and reinstall windows. Before this in my eyes No one can defeat windows os, Even IOS but now windows is making products and not maintaining os.
