Trend Micro -
The October 2021 Patch Tuesday continues the quiet streak observed in August and September. Out of 71 bulletins, only three were rated Critical this month. The list also included fixes for four publicly known vulnerabilities. Of the fixed vulnerabilities, 11 were disclosed via the Zero Day Initiative.
Three Critical patches and other notable vulnerabilities
Only three patches were rated Critical this month. Two of them were remote code execution (RCE) vulnerabilities (CVE-2021-38672 and CVE-2021-40461) found in Hyper-V, a hardware virtualization tool. The other Critical fix was for an RCE found in Microsoft Word (CVE-2021-40486).
Meanwhile, CVE-2021-40449, a Win32k Elevation of Privilege Vulnerability, was found to be actively exploited in what was likely a targeted campaign. Microsoft also fixed three other publicly known vulnerabilities, CVE-2021-40469, CVE-2021-41338, and CVE-2021-41335, with no reported exploits.
The 71 bulletins also addressed issues found in Microsoft Storage Spaces, Microsoft Excel, and SharePoint. Most of the RCE vulnerabilities were found within the Office family. Exploiting these vulnerabilities would require a specially crafted file that a user would have to open. An exception is CVE-2021-40469, a DNS vulnerability mentioned earlier, but this still requires high privileges to use in an attack.
Two bulletins were also included for print spooler and one for MSHTML. In July, Microsoft released an out-of-band (OOB) patch to quickly address print spooler flaws; the company also issued an early fix ahead of Patch Tuesday for an MSHTML vulnerability in August.
A few days after releasing the September Patch Tuesday, Microsoft also provided additional guidance and fixes for vulnerabilities in the Open Management Infrastructure (OMI) within Azure, which were found to be actively exploited by attackers, including a Mirai botnet.