Microsoft September 2021 Security Updates includes fix for an RCE bug in MSHTML under active attack

Microsoft has released the September 2021 Security Updates, which include patches for 66 vulnerabilities, 3 of them rated Critical. The updates also include a fix for one zero-day bug in MSHTML exploited in the wild.

A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.

In all, the Microsoft security updates address vulnerabilities in the following products:

  • Azure Open Management Infrastructure
  • Azure Sphere
  • Dynamics Business Central Control
  • Microsoft Accessibility Insights for Android
  • Microsoft Edge (Chromium-based)
  • Microsoft Edge for Android
  • Microsoft MPEG-2 Video Extension
  • Microsoft Office
  • Microsoft Office Access
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Microsoft Windows DNS
  • Visual Studio
  • Windows Ancillary Function Driver for WinSock
  • Windows Authenticode
  • Windows Bind Filter Driver
  • Windows BitLocker
  • Windows Common Log File System Driver
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Key Storage Provider
  • Windows MSHTML Platform
  • Windows Print Spooler Components
  • Windows Redirected Drive Buffering
  • Windows Scripting
  • Windows SMB
  • Windows Storage
  • Windows Subsystem for Linux
  • Windows TDX.sys
  • Windows Update
  • Windows Win32K
  • Windows WLAN Auto Config Service
  • Windows WLAN Service

MSHTML Zero-day vulnerability

Last week, Microsoft warned of active exploits in the wild for an MSHTML remote code execution (RCE) vulnerability (CVE-2021-40444) and issued a workaround at that time.

As of September 14, Microsoft has provided security updates for all affected versions of Windows to address the vulnerability.

“Microsoft is investigating reports of a remote code execution vulnerability in MSHTML that affects Microsoft Windows. Microsoft is aware of targeted attacks that attempt to exploit this vulnerability by using specially-crafted Microsoft Office documents,” Microsoft warned in the advisory.

“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.”

The vulnerability has a CVSS base score of 8.8 and should be a high priority to patch given the reports of active exploits.

Critical RCE vulnerabilities

In addition, Microsoft addressed 3 Critical RCE vulnerabilities affecting Windows 10, Windows Server, older Windows desktop versions and Azure Open Management Infrastructure.

One of the Critical patches addresses an Open Management Infrastructure (OMI) RCE vulnerability, CVE-2021-38647, in Azure.

“Some Azure products, such as Configuration Management, expose an HTTP/S port listening to OMI (typically port 5986). This configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port,” Microsoft explained in the advisory.

Fixes to OMI open-sourced code were published on GitHub on August 11, 2021 with new updates released just last week. OMI is an open source project to further the development of a production quality implementation of the DMTF CIM/WBEM standards.
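To check a Linux host for the configuration the advisory describes, the following added example (not from Microsoft or the OMI project) parses `ss -H -ltnp` output and reports listeners on port 5986 that are not bound to loopback only. The sample output, including the process name `omiengine` in it, is constructed, and the function names are hypothetical.

```python
import ipaddress
import re

# Port named in the advisory text quoted above; extend the set for your environment.
OMI_PORTS = frozenset({5986})

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:5986 0.0.0.0:* users:(("omiengine",pid=1412,fd=9))
LISTEN 0 128 127.0.0.1:5986 0.0.0.0:* users:(("omiengine",pid=1412,fd=10))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=811,fd=4))
LISTEN 0 128 [::1]:5986 [::]:* users:(("omiengine",pid=1412,fd=11))
LISTEN 0 4096 *:5986 *:*
"""

def split_endpoint(endpoint):
    """Split 'addr:port' from ss, handling bracketed IPv6 and '%iface' suffixes."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]").split("%")[0], int(port)

def is_loopback(addr):
    if addr == "*":          # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:       # unparseable address: report it for manual review
        return False

def exposed_listeners(ss_output, ports=OMI_PORTS):
    """Return (address, port, process) for listeners on `ports` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_endpoint(fields[3])
        if port not in ports or is_loopback(addr):
            continue
        # The process column is only present when ss runs with enough privilege.
        proc = re.search(r'\(\("([^"]+)"', line)
        findings.append((addr, port, proc.group(1) if proc else "unknown"))
    return findings

if __name__ == "__main__":
    for addr, port, proc in exposed_listeners(SAMPLE_SS):
        print(f"listener on {addr}:{port} ({proc}) is not loopback-only")
```

A non-loopback bind shows only that the listener is enabled on the host; whether it is reachable from other networks also depends on host and network filtering.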

Moreover, the other 2 Windows RCE vulnerability fixes include:

  • CVE-2021-26435: Windows Scripting Engine Memory Corruption Vulnerability (CVSS base score of 8.1).
  • CVE-2021-36965: Windows WLAN AutoConfig Service Remote Code Execution Vulnerability (CVSS base score of 8.8).

Other security updates

In addition to the Critical RCE and zero-day fixes, Microsoft also patched an additional 62 Important and 1 Moderate rated vulnerabilities across multiple products, covering Denial of Service, Elevation of Privilege, Information Disclosure, Remote Code Execution, Security Feature Bypass, Spoofing, and Tampering vulnerabilities.

Finally, readers can review the September 2021 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide. On a related note, also check out the latest Adobe security updates for multiple other Adobe products.
