By Jon Munshaw, with contributions from Asheer Malhotra.
Microsoft released its monthly security update Tuesday, disclosing 78 vulnerabilities in the company’s various software, hardware and firmware offerings.
This month’s release is particularly notable because there are only two critical vulnerabilities included, with the rest being important. This is the fewest number of critical vulnerabilities disclosed as part of a Patch Tuesday in at least a year.
CVE-2021-40461 is one of the critical vulnerabilities — a flaw in the Network Virtualization Service Provider that could allow an attacker to execute remote code on the target machine. This vulnerability has a severity rating of 9.9 out of a possible 10, virtually the highest severity rating seen in Patch Tuesdays.
The other critical vulnerability, CVE-2021-38672, exists in Windows Hyper-V. This vulnerability could also lead to remote code execution and has the same severity score as CVE-2021-40461. One of the issues disclosed this month has been exploited in the wild: CVE-2021-40449. This vulnerability in the Win32k process requires no user interaction and could allow an attacker to obtain elevated privileges on the targeted machine. There are two other Win32k vulnerabilities in this month’s Patch Tuesday, though neither has been exploited in the wild as of yet: CVE-2021-40450 and CVE-2021-41357.
And on the heels of PrintNightmare, Microsoft is closing two new vulnerabilities in its print spooler service: CVE-2021-36970 and CVE-2021-41332. CVE-2021-36970 is the most serious of the group, with a severity rating of 8.8. An attacker could exploit this vulnerability to carry out a spoofing attack. Although there is currently no additional information available on this vulnerability, a spoofing attack usually allows an adversary to identify as another legitimate user or program by falsifying data.
Talos researchers discovered one of the important vulnerabilities: TALOS-2021-1259 (CVE-2021-40474), a remote code execution vulnerability in Microsoft Excel. You can read more about this issue in our full Vulnerability Spotlight post.
Lastly, since other high-profile attacks on Microsoft Exchange Servers have been in the headlines recently, we also wanted to highlight CVE-2021-26427. This vulnerability is considered “less likely” to be exploited by Microsoft, but could still allow an attacker to execute remote code on the targeted server. Exchange Server was recently the target of a high-profile attack from the previously unknown Hafnium threat actor.
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Cisco Secure Firewall customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 58286 - 58289, 58294, 58295 and 58303 - 58319.