Microsoft October 2021 Patch Tuesday: 71 vulnerabilities, four zero-days squashed – ZDNet

This month’s round of security fixes includes patches for zero-days, one of which is being actively exploited.
By Charlie Osborne | October 12, 2021 | Topic: Security
Microsoft has released 71 security fixes for software including an actively-exploited zero-day bug in Win32k. 
The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for a total of four zero-day flaws, three of which are public.
Products impacted by October’s security update include Microsoft Office, Exchange Server, MSHTML, Visual Studio, and the Edge browser. 
The zero-day bugs are tracked as CVE-2021-40449, CVE-2021-41338, CVE-2021-40469, and CVE-2021-41335.   
CVE-2021-40449 is being actively exploited. Issued a CVSS severity score of 7.8, this vulnerability impacts the Win32k kernel driver. Boris Larin (oct0xor) with Kaspersky reported the flaw to Microsoft, and in a blog post published today, the cybersecurity firm said a cluster of activity, dubbed MysterySnail, is utilizing the use-after-free flaw.
“Besides finding the zero-day in the wild, we analyzed the malware payload used along with the zero-day exploit, and found that variants of the malware were detected in widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities,” Kaspersky says.
Immersive Labs’ Kevin Breen, Director of Cyber Threat Research, said that this issue “should definitely be a priority to patch.” 
“It’s noted as ‘exploitation detected’, meaning attackers are already using it against organizations to gain admin rights,” Breen commented. “Gaining this level of access on a compromised host is the first step towards becoming a domain admin — and securing full access to a network.”
The three other zero-day vulnerabilities resolved in this round of patches are CVE-2021-41338 (CVSS 5.5), a Windows AppContainer Firewall bug that permits attackers to bypass security features; CVE-2021-40469 (CVSS 7.2), an RCE in Windows DNS Server; and CVE-2021-41335 (CVSS 7.8), an elevation of privilege bug in the Windows Kernel. 
Three critical bugs, CVE-2021-40486, CVE-2021-38672, and CVE-2021-40461, are also of note. The first security flaw impacts Microsoft Word whereas the other two affect Hyper-V. If exploited, all of them can lead to remote code execution.
According to the Zero Day Initiative (ZDI), 11 of the security flaws patched this month were submitted through the ZDI program, including bugs resolved earlier in the month by the Edge browser team.
Last month, Microsoft resolved over 60 bugs in the September batch of security fixes including an RCE flaw in MSHTML and a Windows DNS privilege escalation zero-day vulnerability. 
A month prior, the tech giant tackled 45 security flaws — seven of which were deemed critical — during the August Patch Tuesday.
In other Microsoft news, the tech giant is readying a new Feedback Portal, expected to be ready in preview mode by the end of 2021. The portal will be opened first for Microsoft 365 and Microsoft Edge products. The Redmond giant has also recently warned of password spraying attacks being launched against Office 365 customers.
Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.