High Threat Security Alert (A21-09-12): Multiple Vulnerabilities in Microsoft Products (September 2021)


 

Published on: 15 September 2021

  
  

Description:

Microsoft has released security updates addressing multiple vulnerabilities which affect several Microsoft products or components. The list of security updates can be found at:

https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-Sep

Further to our Security Alert (A21-09-04a) issued on 13.9.2021, Microsoft has released security updates to address the vulnerability (CVE-2021-40444) that is being actively exploited in the wild.  A successful attack could lead to remote code execution on an affected system.

Please note that systems running Windows 8.1, Windows Server 2012 R2, or Windows Server 2012 can apply either the Monthly Rollup or both the Security Only and the IE Cumulative updates.  For detailed information, please refer to the following vendor's URL:

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444

Reports indicated that the technical details of an elevation of privilege vulnerability in Microsoft Windows 7 and Windows Server 2008 (CVE-2021-36968) was publicly disclosed and hence the vulnerability is at a high risk of exploitation.  System administrators are advised to take immediate action to patch your affected systems to mitigate the elevated risk of cyber attacks.

Please note that the extended support for Windows 7 and Windows Server 2008 was ceased on 14 January 2020 and security updates will only be provided after the Extended Security Update is purchased.  Users should arrange upgrading the Windows or migrating to other supported technology.

 

Affected Systems:

  • Microsoft Edge (Chromium-based)
  • Microsoft Windows 7, 8.1, RT 8.1, 10
  • Microsoft Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 2022
  • Microsoft Windows Server, version 2004, version 20H2
  • Microsoft Office 2013, 2013 RT, 2016, 2019, 2019 for Mac
  • Microsoft Office Online Server
  • Microsoft Office Web Apps Server 2013
  • Microsoft Excel 2013, 2013 RT, 2016
  • Microsoft 365 Apps for Enterprise
  • Microsoft SharePoint Foundation 2013
  • Microsoft SharePoint Enterprise Server 2016
  • Microsoft SharePoint Server 2019
  • Microsoft Visual Studio 2017, 2019
  • Microsoft Azure Open Management Infrastructure
  • Microsoft Azure Sphere
  • Microsoft Dynamics 365 Business Central 2020, 2021
  • Accessibility Insights for Android
  • HEVC Video Extensions
  • MPEG-2 Video Extension
  • Visual Studio Code

 

Impact:

Depending on the vulnerability exploited, a successful attack could lead to remote code execution, elevation of privilege, information disclosure, denial of service, security feature bypass and spoofing.

 

Recommendation:

Patches for affected products are available from the Windows Update / Microsoft Update Catalog. Users of affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

 

More Information:

  • https://msrc.microsoft.com/update-guide/en-us/releaseNote/2021-Sep
  • https://us-cert.cisa.gov/ncas/current-activity/2021/09/14/microsoft-releases-september-2021-security-updates
  • https://www.hkcert.org/security-bulletin/microsoft-monthly-security-update-september-2021
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26434
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26435
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-26437
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30632
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36952
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36954 (to CVE-2021-36956)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36959 (to CVE-2021-36969)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36972 (to CVE-2021-36975)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38624 (to CVE-2021-38626)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38628 (to CVE-2021-38630)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38632 (to CVE-2021-38639)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38644 (to CVE-2021-38661)
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38667
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38671
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40440
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40444
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40447
  • https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40448


Tag: Microsoft , Edge , Windows , Windows Server , Microsoft Office , Office Online Server , Microsoft Office Web Apps , Excel , Microsoft 365 Apps , SharePoint , Visual Studio , Azure Open Management Infrastructure , Azure Sphere , Dynamics 365 , Accessibility Insights , HEVC Video Extensions , MPEG-2 Video Extension , Visual Studio Code
Tags