Microsoft has released the November 2021 Security Updates, which include patches for 55 vulnerabilities, 6 of them rated Critical. The updates also address 2 zero-day bugs being actively exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products:
- 3D Viewer
- Azure RTOS
- Azure Sphere
- Microsoft Dynamics
- Microsoft Edge (Chromium-based)
- Microsoft Edge (Chromium-based) in IE Mode
- Microsoft Exchange Server
- Microsoft Office
- Microsoft Office Access
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Windows
- Microsoft Windows Codecs Library
- Power BI
- Role: Windows Hyper-V
- Visual Studio
- Visual Studio Code
- Windows Active Directory
- Windows COM
- Windows Core Shell
- Windows Cred SSProvider Protocol
- Windows Defender
- Windows Desktop Bridge
- Windows Diagnostic Hub
- Windows Fastfat Driver
- Windows Feedback Hub
- Windows Hello
- Windows Installer
- Windows Kernel
- Windows NTFS
- Windows RDP
- Windows Scripting
- Windows Virtual Machine Bus.
On Tuesday, Microsoft warned of active exploits in the wild for a Microsoft Exchange remote code execution (RCE) vulnerability (CVE-2021-42321) that affects on-premises Exchange Server versions 2016 and 2019.
The software giant also patched a Microsoft Excel security feature bypass vulnerability (CVE-2021-42292) that is likewise under active attack in the wild. However, the company did confirm that the preview pane is not an attack vector.
Also, patches for Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 are not yet available.
Critical RCE vulnerabilities
Microsoft also addressed 6 separate Critical RCE vulnerabilities in multiple versions of Windows 10, Windows 11, Windows Server, Microsoft Malware Protection Engine, Microsoft Dynamics 365, and Visual Studio products.
The Critical RCE patches are summarized below:
- CVE-2021-26443: Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability.
- CVE-2021-3711: OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow.
- CVE-2021-38666: Remote Desktop Client Remote Code Execution Vulnerability.
- CVE-2021-42279: Chakra Scripting Engine Memory Corruption Vulnerability.
- CVE-2021-42298: Microsoft Defender Remote Code Execution Vulnerability.
- CVE-2021-42316: Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability.
Microsoft also warned that the Remote Desktop Client RCE vulnerability (CVE-2021-38666) and the Microsoft Defender RCE vulnerability (CVE-2021-42298) are more likely to be exploited.
Other security updates
In addition to the Critical RCEs and zero-day fixes, Microsoft patched 47 other vulnerabilities across multiple products.