Microsoft’s September 2021 Patch Tuesday Addresses 60 CVEs (CVE-2021-40444)

CVE-2021-40444 is a critical zero-day RCE vulnerability in Microsoft’s MSHTML (Trident) engine that was exploited in the wild in limited, targeted attacks. It was assigned a CVSSv3 score of 8.8. To exploit this vulnerability, an attacker would need to create a specially crafted Microsoft Office document containing a malicious ActiveX control. From there, the attacker would need to use social engineering techniques to convince their target to open the document. Microsoft says the impact of this vulnerability would be more significant in cases where the recipient has administrative privileges.

At the time this blog post was published, there were at least 21 repositories on GitHub containing proof-of-concept code for this flaw.

We strongly recommend organizations apply this month’s patches to ensure this vulnerability is addressed, as it won’t be long before other threat actors, including those affiliated with ransomware groups, begin leveraging this flaw as part of their attacks.

CVE-2021-36968 is an EoP vulnerability found in Windows DNS. The vulnerability was assigned a CVSS score of 7.8. While no additional information from Microsoft has been provided, the security advisory makes note that this vulnerability has been publicly disclosed. Exploitation requires local access and a low privileged user account and is less likely to be exploited according to Microsoft’s Exploitability Index.

CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447 are EoP vulnerabilities in Windows Print Spooler. All three vulnerabilities were assigned a CVSSv3 score of 7.8 and are rated Important. Of the three vulnerabilities, CVE-2021-38671 is the only flaw rated as Exploitation More Likely. There has been a flurry of activity surrounding Windows Print Spooler related vulnerabilities, beginning with CVE-2021-1675 in June and CVE-2021-34527, also known as PrintNightmare in July. We published a blog post in August about the seven Print Spooler related vulnerabilities Microsoft published advisories for which included CVE-2021-36958, a zero-day RCE that was patched today. Because of its ubiquity, Print Spooler is a valuable target for attackers, so the fact that we continue to see research in this space shows that there are an untold number of vulnerabilities within Print Spooler.

CVE-2021-36955, CVE-2021-36963 and CVE-2021-38633 are EoP vulnerabilities found in the Windows Common Log File System (CLFS) Driver which would allow a low privileged local attacker to elevate their user account privileges. While Microsoft has not observed exploitation in the wild, they rate these flaws as “Exploitation More Likely.” EoP vulnerabilities are commonly used in malware/ransomware attacks as we’ve observed with CVE-2020-1472, aka Zerologon, one of the Top Five Vulnerabilities of 2020. As such, we strongly recommend prioritizing the installation of these patches.

CVE-2021-36975 and CVE-2021-38639 | Win32k Elevation of Privilege Vulnerability

CVE-2021-36975 and CVE-2021-38639 are EoP vulnerabilities found in Win32k, the kernel-mode subsystem that provides graphical (GUI) content functionality in Windows. With an assigned CVSS score of 7.8 and exploitability rating of “Exploitation More Likely,” attackers are expected to leverage this flaw to elevate account privileges of low privileged local user accounts. As Win32k is a core component of Windows, applying the necessary cumulative patches for your version of Windows is strongly recommended.