October 12, 2021

Microsoft today issued updates to plug more than 70 security holes in its Windows operating systems and other software, including one vulnerability that is already being exploited. This month’s Patch Tuesday also includes security fixes for the newly released Windows 11 operating system. Separately, Apple has released updates for iOS and iPadOS to address a flaw that is being actively attacked.

Firstly, Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability (CVE-2021-30883) that is being leveraged in active attacks targeting iPhone and iPad users. Lawrence Abrams of Bleeping Computer writes that the flaw could be used to steal data or install malware, and that soon after Apple patched the bug security researcher Saar Amar published a technical writeup and proof-of-concept exploit derived from reverse engineering Apple’s patch.

Abrams said the list of impacted Apple devices is quite extensive, affecting older and newer models. If you own an iPad or iPhone — or any other Apple device — please make sure it’s up to date with the latest security patches.

Three of the fixes Microsoft issued today address vulnerabilities rated “critical,” meaning that malware or miscreants could exploit them to gain complete, remote control over vulnerable systems with little or no help from targets.

One of the critical bugs concerns Microsoft Word, and two others are remote code execution flaws in Windows Hyper-V, the virtualization component built into Windows. CVE-2021-38672 affects Windows 11 and Windows Server 2022; CVE-2021-40461 impacts both Windows 11 and Windows 10 systems, as well as Server versions.

But as usual, some of the more concerning security weaknesses addressed this month earned Microsoft’s slightly less dire “important” designation, which applies to a vulnerability “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

The flaw that’s under active assault, CVE-2021-40449, is an important “elevation of privilege” vulnerability in the Win32k kernel driver. An elevation-of-privilege bug does not get an attacker onto a system by itself; it lets code that is already running as a low-privileged user escalate to administrator or SYSTEM. In practice it gets chained with another vulnerability (or a phishing lure) that provides the initial foothold, after which the attacker can run code of their choice as administrator on a vulnerable system.

CVE-2021-36970 is an important spoofing vulnerability in Microsoft’s Windows Print Spooler. The flaw was discovered by the same researchers credited with one of the two vulnerabilities that became known as PrintNightmare, the critical Print Spooler flaw whose widespread exploitation forced Microsoft to issue an emergency out-of-band security update back in July. Microsoft assesses CVE-2021-36970 as “exploitation more likely.”

“While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage organizations to apply these patches as soon as possible.”

CVE-2021-26427 is another important bug in Microsoft Exchange Server, which has been under siege lately from attackers. In March, threat actors pounced on four separate zero-day flaws in Exchange that allowed them to siphon email from and install backdoors at hundreds of thousands of organizations.

This month’s Exchange bug earned a CVSS score of 9.0 (10 is the most dangerous). Kevin Breen of Immersive Labs points out that Microsoft has nonetheless rated this flaw “exploitation less likely,” probably because an attacker would already need access to your network before being able to use the vulnerability.

“Email servers will always be prime targets, simply due to the amount of data contained in emails and the range of possible ways attackers could use them for malicious purposes. While it’s not right at the top of my list of priorities to patch, it’s certainly one to be wary of.”

Also today, Adobe issued security updates for a range of products, including Adobe Reader and Acrobat, Adobe Commerce, and Adobe Connect.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center, and the Patch Tuesday data put together by Morphus Labs. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com frequently has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
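The two built-in approaches the paragraph above mentions can be scripted so that the backup actually happens before every Patch Tuesday, and so that you can confirm afterwards that the update really landed. The script below is an added example for this page, not code from the article or from Microsoft; it uses only Windows' own tools (System Restore, the wbadmin backup engine, and Get-HotFix). The target drive letter and the KB number are assumptions and must be changed for your machine; Checkpoint-Computer exists on Windows client editions only.

```powershell
#Requires -RunAsAdministrator
# Pre-patch backup, and post-patch verification, for Windows 10 with built-in tools.
# Added example for this page, not code from the article. $ImageTarget and
# $ExpectedKb are assumptions; set them for your own machine.
param(
    [string]$ImageTarget = 'E:',        # assumed: a second disk or external drive
    [string]$ExpectedKb  = 'KB5006670', # assumed: the cumulative update you expect
    [switch]$Verify                     # run again with -Verify after the reboot
)

function Test-KbInstalled {
    # True if Windows reports the hotfix as installed (same data as "View update
    # history"); a missing KB after the reboot means the update did not apply.
    param([Parameter(Mandatory)][string]$Kb)
    return $null -ne (Get-HotFix -Id $Kb -ErrorAction SilentlyContinue)
}

function Invoke-PrePatchBackup {
    param([Parameter(Mandatory)][string]$Target)

    # Refuse to write the image onto the very volume being imaged.
    if ($Target.TrimEnd('\') -ieq $env:SystemDrive) {
        throw "Refusing to image $env:SystemDrive onto itself; use another disk."
    }
    if (-not (Test-Path -Path $Target)) {
        throw "Backup target $Target is not present."
    }

    # 1. System Restore point: quick rollback for registry, drivers and system files.
    #    It is not a file backup, so step 2 still matters. Windows normally allows
    #    one Checkpoint-Computer call per 24 hours.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description "Pre-patch $(Get-Date -Format yyyy-MM-dd)" `
                        -RestorePointType MODIFY_SETTINGS

    # 2. Full, bootable system image via the built-in Windows Backup engine.
    #    -allCritical adds every volume needed to boot; -quiet skips the prompt.
    & wbadmin start backup -backupTarget:$Target -include:$env:SystemDrive -allCritical -quiet
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin exited with code $LASTEXITCODE; fix the backup before patching."
    }
    "System image of $env:SystemDrive written to $Target."
}

if ($Verify) {
    if (Test-KbInstalled -Kb $ExpectedKb) { "$ExpectedKb is installed." }
    else { "$ExpectedKb is NOT installed; check Windows Update history before assuming you are patched." }
} else {
    Invoke-PrePatchBackup -Target $ImageTarget
}
```

Run it once from an elevated PowerShell prompt before letting Windows Update reboot the machine, then again with `-Verify` after the reboot. The script deliberately aborts if wbadmin returns a non-zero exit code, so a failed image is never mistaken for a good one.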

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.


16 thoughts on “Patch Tuesday, October 2021 Edition”

  1. The Sunshine State

    I have an old Windows 8 Pro laptop, fighting me with installing security updates. That .NET Framework crap permanently needs to go away.

    1. gary2271

      I thought this for years, but sadly it will be around forever; too many things rely on .NET Framework.

  2. DaveM

    Updates downloaded and installed on my Win10 system with no issues. However, I am now being treated to a nag to update to Windows 11 – titled “Great News”. I’m going to pass on this.

  3. David Thompson

    Acrobat was easy, but the Win10 updates took more than 90 minutes, plus a restart. So far no issues, but that is a lot of time out of my day, what with backing up and closing operations before updating.

  4. Catwhisperer

    One wonders if things will ever change. I’ve been working with Windows since it came on floppies decades ago, and updates haven’t really improved from back in the day, and neither has the plethora of bugs. Every month there are mid-two figures of bugs being fixed, sometimes three figures. When I wrote code, I used tools like valgrind, gcov and full compiler warnings enabled to catch a lot of the stuff that leads to bugs. However, you can’t drop the next OS update or new app in a month if you properly vet your code.

    Last night, at least 90 minutes spent updating. That’s not much different than the time spent 30 years ago. You’ve got to be kidding me, on an 8-core industrial HP workstation… Then to my right is a dual-core Pentium running Kali. It does a full update, 100+ applications, in five minutes. What can’t Microsoft figure out, folks?

    1. KFritz

      Thank you and Dave Thompson for your observations. Ubuntu updates on an “as-needed” basis. The first thing I do after firing up my machine each morning is click the Updates icon. This morning, it was unusually slow. It took somewhere between 3 and 5 minutes to download and install 100+ MB firmware–it usually takes 2-3 minutes for a sizeable update.

      I guess that the glacial Microsoft updates continue for 2 possible reasons–and likely a combo of the 2.

      1) Economy. It would cost them real money to have enough dedicated server capacity to have a decent speed for user updates.

      2) Back in the Stone-Age days of the AT&T/Ma Bell landline monopoly, Lily Tomlin did an operator skit about the monopoly’s bad attitude towards its customers that ended with, “We don’t care. We don’t have to. We’re the Phone Company.” Redmond’s attitude is identical.

  5. Nicholas Kulkarni

    KB5006714 for Server 2012 breaks printing for some Windows 10 Clients.
    Fix is to disable RPC Authentication
    Word of warning: this puts you back in PrintNightmare territory, but what are you going to do until Microsoft ‘FINALLY’ gives us a patch that works? Stop printing?

    Right-click Start, click Run, type cmd in the Run box, and then press Ctrl+Shift+Enter.

    At the Administrator command prompt, type regedit and then press Enter.

    Locate the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print

    Right-click Print, choose New, and then click DWORD (32-bit) Value.

    Type RpcAuthnLevelPrivacyEnabled and then press Enter.

    Right-click RpcAuthnLevelPrivacyEnabled and then click Modify.

    In the Value data box, type 0 and then click Ok.

    In Services restart the windows print spooler

    This is the reverse of the instructions contained in https://support.microsoft.com/en-gb/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve

    which is referenced in https://support.microsoft.com/en-us/topic/kb5005652-manage-new-point-and-print-default-driver-instal

    This is what they have to say about the registry key and the default behaviour of the patches as they have evolved.

    Note This update introduces support for the RpcAuthnLevelPrivacyEnabled registry value to increase the authorization level for printer IRemoteWinspool.

    Registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print
    Value: RpcAuthnLevelPrivacyEnabled
    Data type: REG_DWORD
    Data:
      1: Enables Enforcement mode. Before you enable Enforcement mode for server-side, make sure all client devices have installed the Windows update released on January 12, 2021 or a later Windows update. This fix increases the authorization level for printer IRemoteWinspool RPC interface and adds a new policy and registry value on the server-side to enforce the client to use the new authorization level if Enforcement mode is applied. If the client device does not have the January 12, 2021 security update or a later Windows update applied, the printing experience will be broken when the client connects to the server through the IRemoteWinspool interface.
      0: Not recommended. Disables the increased authentication level for printer IRemoteWinspool, and your devices are not protected.
    Default behavior after installing updates when the registry key is not set:
      January 12, 2021 or later updates have the default behavior of 0 (zero) when not set.
      September 14, 2021 or later updates have the default behavior of 1 (one) when not set.
    Is a restart required? Yes, a device restart or a restart of the spooler service is required.
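The registry steps in the comment above, plus the Microsoft text it quotes, can be turned into something repeatable: an audit of the effective RpcAuthnLevelPrivacyEnabled mode on the print server (including the implicit default when the value is absent), a check of each client for the January 12, 2021 or later update that enforcement mode requires, and only as a last resort the same value=0 workaround the commenter describes. This is an added example for this page; it is neither the commenter's script nor Microsoft's. The registry path, value name, meanings and the 2021-01-12 / 2021-09-14 dates are taken from the quoted Microsoft text; the inference of the default from Get-HotFix dates is an approximation, and the client names at the bottom are assumptions.

```powershell
#Requires -RunAsAdministrator
# Audit, change and sanity-check Print Spooler RPC privacy enforcement.
# Added example for this page, not the commenter's script nor Microsoft's code.
# Path, value name, meanings and dates come from the Microsoft text quoted above.

$PrintKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print'
$ValueName = 'RpcAuthnLevelPrivacyEnabled'
$ClientMinimumUpdate  = Get-Date '2021-01-12'   # clients need this update or later for mode 1
$ServerDefaultFlipped = Get-Date '2021-09-14'   # servers with this update or later default to 1

function Get-PrintRpcPrivacyMode {
    # Reports the effective mode. When the value is not set, the default depends
    # on the update level (0 with Jan 2021+ updates, 1 with Sep 14 2021+ updates);
    # the Get-HotFix date check used here is an approximation of that rule.
    $prop = Get-ItemProperty -Path $PrintKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $prop) {
        $value  = [int]$prop.$ValueName
        $source = 'registry'
    } else {
        $recent = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $ServerDefaultFlipped }
        $value  = if ($recent) { 1 } else { 0 }
        $source = 'default (value not set)'
    }
    $mode = if ($value -eq 1) { 'Enforced' } else { 'Disabled (not recommended)' }
    [pscustomobject]@{ Value = $value; Mode = $mode; Source = $source }
}

function Set-PrintRpcPrivacyMode {
    # 1 = enforcement on; 0 = the commenter's workaround, which Microsoft marks
    # "not recommended" because devices are then not protected.
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1)][int]$Value,
        [switch]$RestartSpooler
    )
    if ($Value -eq 0) {
        Write-Warning "Setting $ValueName=0 disables the increased IRemoteWinspool authentication level; this is back in PrintNightmare territory."
    }
    if (-not (Test-Path -Path $PrintKey)) { New-Item -Path $PrintKey -Force | Out-Null }
    New-ItemProperty -Path $PrintKey -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
    # The change takes effect only after a reboot or a spooler restart.
    if ($RestartSpooler) { Restart-Service -Name Spooler -Force }
    Get-PrintRpcPrivacyMode
}

function Test-ClientReadyForEnforcement {
    # A client without the January 12, 2021 (or later) update cannot print through a
    # server in enforcement mode; checking this first is the alternative to flipping
    # the server to 0. Get-HotFix -ComputerName uses DCOM, so the client must allow it.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $fixes  = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop
    $newest = $fixes | Where-Object { $_.InstalledOn } |
              Sort-Object -Property InstalledOn -Descending |
              Select-Object -First 1 -ExpandProperty InstalledOn
    [pscustomobject]@{
        Computer     = $ComputerName
        NewestUpdate = $newest
        Ready        = ($null -ne $newest) -and ($newest -ge $ClientMinimumUpdate)
    }
}

# Usage on the print server (client names are assumptions):
Get-PrintRpcPrivacyMode
'CLIENT01', 'CLIENT02' | ForEach-Object { Test-ClientReadyForEnforcement -ComputerName $_ }
# Only if a client truly cannot be updated, reproduce the commenter's workaround:
# Set-PrintRpcPrivacyMode -Value 0 -RestartSpooler
# And to restore protection once every client is patched:
# Set-PrintRpcPrivacyMode -Value 1 -RestartSpooler
```

The point of the client check is that the documented failure mode ("printing experience will be broken") is caused by unpatched clients, not by the server setting itself, so fixing the clients keeps the protection in place; dropping the server to 0 should be a temporary, logged exception that is reverted with `-Value 1` afterwards.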

  6. Johann Nutter

    Windows is no longer a practical platform for any application requiring more than one station. It is not acceptable for printing to suddenly stop working in a high-volume restaurant. Microsoft’s constant sabotage (incompetence?) needs to be brought under control. We don’t need Windows 11, we do need working printers.

    1. Linux on the nevertop

      You need a win 7 ROLLBACK and carefully managed services, endpoint security.
      No kidding, and a backup system of something else ready to go, because yeah.

  7. hugh newman

    KB5006714 for Server 2012 R2 takes on domain controllers but will not on non-DC servers; it backs out at the startup screen. All have the SSU from earlier this year. Also noted the 10-2021 ‘Patch Tuesday’ update not taking on a Server 2019 app server; it backs out at reboot as well.

  8. Dan

    I have not been able to install KB5006714 on my Toshiba Satellite running Windows 8.1 64-bit. Windows Update downloads it and then crashes on install with an 80070026 error. I have tried turning off my antivirus/antimalware software and no joy. I’ve been trying since it was issued on Tuesday.

  9. Keith

    I am not sure, but I had a Server 2012 DC fail to boot, presumably after a reboot. Automatic updates is probably the cause. Had to resort to backups.

