Trend Micro -
November continues a recent pattern of relatively peaceful Patch Tuesday cycles. Only six vulnerabilities were rated as Critical this month, with 49 more rated as Important, for a total of 55 (fewer than half the number in November last year). Of these 55, four were submitted via the Zero Day Initiative (ZDI).
Critical Vulnerabilities: Defender, Remote Desktop
Two Critical vulnerabilities are of interest. CVE-2021-42298 is a vulnerability in Microsoft Defender, while CVE-2021-38666 is a vulnerability in the Remote Desktop Client. Both of these vulnerabilities result in remote code execution (RCE). The latter vulnerability can be used to trigger RCE if the user is lured into connecting to a malicious Remote Desktop server.
A third vulnerability, CVE-2021-26443, is noteworthy because it represents an escape from a virtual machine (VM) to the host server. The vulnerability in the virtual machine bus (VMBus) allows an attacker to run code on the host server via specially crafted communication on that bus.
The vulnerabilities rated as Important affect a wide variety of Windows components. These include Active Directory (CVE-2021-42278, CVE-2021-42282, CVE-2021-42287, and CVE-2021-42291) and Exchange Server (CVE-2021-42321, CVE-2021-41349, and CVE-2021-42305). Given the common use of