November 9, 2021

Microsoft Corp. today released updates to quash at least 55 security bugs in its Windows operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today — potentially giving adversaries a head start in figuring out how to exploit them.

Among the zero-day bugs is CVE-2021-42292, a “security feature bypass” problem with Microsoft Excel versions 2013-2021 that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren’t available yet).

Microsoft’s revised, more sparse security advisories don’t offer much detail on what exactly is being bypassed in Excel with this flaw. But Dustin Childs over at Trend Micro’s Zero Day Initiative says the vulnerability is likely due to loading code that should be limited by a user prompt — such as a warning about external content or scripts — but for whatever reason that prompt does not appear, thus bypassing the security feature.

The other critical flaw patched today that’s already being exploited in the wild is CVE-2021-42321, yet another zero-day in Microsoft Exchange Server. You may recall that earlier this year a majority of the world’s organizations running Microsoft Exchange Servers were hit with four zero-day attacks that let thieves install backdoors and siphon email.

As Exchange zero-days go, CVE-2021-42321 appears somewhat mild by comparison. Unlike the four zero-days involved in the mass compromise of Exchange Server systems earlier this year, CVE-2021-42321 requires the attacker to be already authenticated to the target’s system. Microsoft has published a blog post/FAQ about the Exchange zero-day here.

Two of the vulnerabilities that were disclosed prior to today’s patches are CVE-2021-38631 and CVE-2021-41371. Both involve weaknesses in Microsoft’s Remote Desktop Protocol (RDP, Windows’ built-in remote administration tool) running on Windows 7 through Windows 11 systems, and on Windows Server 2008-2019 systems. The flaws let an attacker view the RDP password for the vulnerable system.

“Given the interest that cybercriminals — especially ransomware initial access brokers — have in RDP, it is likely that it will be exploited at some point,” said Allan Liska, senior security architect at Recorded Future.

Liska notes this month’s patch batch also brings us CVE-2021-38666, which is a Remote Code Execution vulnerability in the Windows RDP Client.

“This is a serious vulnerability, labeled critical by Microsoft,” Liska added. “In its Exploitability Assessment section Microsoft has labelled this vulnerability ‘Exploitation More Likely.’ This vulnerability affects Windows 7 – 11 and Windows Server 2008 – 2019 and should be a high priority for patching.”

For most Windows home users, applying security updates is not a big deal. By default, Windows checks for available updates and is fairly persistent in asking you to install them and reboot, etc. It’s a good idea to get in the habit of patching on a monthly basis, ideally within a few days of patches being released.

But please do not neglect to backup your important files — before patching if possible. Windows 10 has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. There are also a number of excellent third-party products that make it easy to duplicate your entire hard drive on a regular basis, so that a recent, working image of the system is always available for restore.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience any glitches or problems installing patches this month, please consider leaving a comment about it below; there’s a better-than-even  chance other readers have experienced the same and may offer useful tips or suggestions.

Further reading:

SANS Internet Storm Center has a rundown on each of the 55 patches released today, indexed by exploitability and severity, with links to each advisory.


21 thoughts on “Microsoft Patch Tuesday, November 2021 Edition

  1. Dave Horsfall

    Surely a company with their resources ought to know how to write secure software? Of course, as long as they prioritise eye candy over security then there will always be defects.

    Reply
    1. Bushman

      There will always be defects because humans are involved. It’s not about how many resources anyone has.

      Reply
    1. Mike

      My Firefox says it is 94.0.1 and there is no updates. Is there something else?

      Reply
    2. Mike

      My Firefox says it is 94.0.1 and there is no updates. Is there something else?

      Reply
  2. Catwhisperer

    It will be a truly miraculous 2nd Tuesday of the Month when Microsoft has no security updates to perform. I’ve been in the industry since WIN386 came on floppies, it has never happened, and the world will probably end the day that it does…

    Reply
    1. Stratocaster

      If you have been in the industry that long, you no doubt recall that before Black Tuesday was formalized, Microsoft (and others) would announce and post fixes whenever something popped up. (Now those would be called “out of band” releases.) There was always the danger of missing some critical notice because you didn’t happen to receive it or pay attention to it.

      I was not an IT department worker — I would be described as a “power user” — but I subscribed to Microsoft security notices for my own enlightenment. So when I received the Microsoft notice about the Sasser worm, I downloaded the patch and installed it on my PC at the office. I notified our IT department by phone about the worm and the availability of the patch, but they informed me that they didn’t think the Sasser worm was that big a deal because our corporate desktop/network security products should protect us.

      About an hour after that conversation, Sasser started spreading throughout the building, shutting down all of the PCs — except mine. I spent the rest of the afternoon making bootable diskettes for the IT department to use to restore all the other PCs. I also patched all of the PCs in our department computer lab, which forced us to cancel a training class being held there that day.

      Murphy’s Law.

      Reply
  3. nick cannon is hilarious and so is windows updates

    If anyone gets “Windows can’t install this update” or basically the update won’t install,
    you can try the following:

    Go to Control Panel\All Control Panel Items\Programs and Features
    on the left side should see – Turn Windows features on and off
    click on it
    uncheck the black box marked next to “.Net framework any version”
    click ok after
    Wait for .Net to uninstall completely.

    Run Windows updates and .Net should reinstall.

    Click on the Windows symbol button and type in “cmd” then right click on “cmd” and look for “Run as Administrator” and select that.

    In the black cmd admin box type in following and hit enter
    run sfc /scannow

    after hitting enter, wait till it finishes scanning
    then type in

    run dism /online /cleanup-image /restorehealth
    and hit enter and wait for it to complete the restore

    Once both are complete, try reinstalling Windows updates, it should install no problems.

    if nada, backup your bookmarks, docs, pics, vids, printer settings, drive mappings to external drive or share drive personal folder
    and have tech support reimage your device from a verified clean image or operating sys.

    Reply
    1. screaming kermit

      fyi.. most recent win update last three digits 186 has issues installing on win home edition
      no issues on win 10pro

      Reply
  4. Ashlie

    Cannot open Chrome, Edge or any other internet based programs on my computer after this update. No error message, just does not open. Please help.

    Reply
    1. dave chappel is dope like kanye but better lol

      please try doing a restore point in win 10, reboot
      if nada.. try a restore point further back in your timeline listed by win 10
      still nada, create a new temp profile and try browsers
      if the browsers open, its a profile issue

      log back in as your original profile, save bkmarks, pic, vids, ect
      create a new profile, reinstall prefs and check for non fail win update

      if your in a corp ask tech support if you are allowed a local or roaming profile recreation

      fyi.. most recent win update has issues installing on win home edition
      no issues on win 10pro

      Reply
  5. Heather

    After update, my desktop got stuck in a restart loop and I can’t get out of it.

    Reply
  6. James Copeland

    On my Apple devices, my encrypted Excel files will not open with the password.

    I installed the Nov. 9 Office 365 update and still my encrypted Excel files will not open with the password.

    Reply
  7. Sally

    Wow – what a mess. Just another reason why Windows isn’t ready for the desktop.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *