Microsoft Patches MSHTML VulnerabilityFlaws in Windows Scripting Engine and DNS Fixed
Microsoft's September Patch Tuesday security update covers 61 vulnerabilities, with four rated critical.
This number is up from August when the company patched 44 vulnerabilities, but overall Microsoft has issued fewer patches in 2021 than in the previous year.
"So far in 2021, Microsoft patched less than 100 CVEs seven out of the last nine months, which is in stark contrast to 2020, which featured eight months of over 100 CVEs patched," says Satnam Narang, staff research engineer at Tenable.
MSHTML Vulnerability Patched
Microsoft patched CVE-2021-40444, a zero-day remote execution vulnerability that exists in MSHTML. Attackers have attempted to exploit this vulnerability by using specially crafted Microsoft Office documents, Microsoft said on Sept. 7.
"A malicious ActiveX control embedded in an Office document could be used to exploit this vulnerability. Attacks have been seen in the wild and Microsoft has included signatures in Microsoft Defender to detect and protect against the known attacks," says Tyler Reguly, manager of software development at Tripwire.
MSHTML, aka Trident, is the HTML engine that has been built into Windows since Internet Explorer debuted more than 20 years ago. It allows Windows to read and display HTML files. While Microsoft has been progressively retiring IE in favor of its newer Edge browser, the MSHTML component continues to be "also used by Microsoft Office," Broadcom's Symantec notes in its security alert about the flaw.
Microsoft says the attack complexity for this vulnerability is low and requires no privileges to carry out an attack.
"There have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware," Narang says. "There are no indications that this has happened yet, but with the patch now available, organizations should prioritize updating their systems as soon as possible."
Windows Scripting Engine Flaw
Microsoft patched CVE-2021-26435, a memory corruption vulnerability that if exploited can allow remote code execution. Microsoft rates the attack complexity as low, but the security firm Automox considers an attack somewhat tricky to accomplish as the attacker would have to entice the victim to click on a specific link and then open a file.
"This can be accomplished either through baiting users to open a malicious file attached in an email or through a web-based attack scenario in which the specially crafted file is hosted on a compromised website," Automox says.
Windows DNS Patched
CVE-2021-36968 is a publicly disclosed vulnerability in Windows DNS that could lead to privilege escalation on Windows 7 and Server 2008/2008 R2, says Reguly.
"This vulnerability has a CVSS score of 7.8, putting it in the high classification, but there are absolutely no details to help admins understand what they are dealing with or where the risk is," he says.
Chris Goettl, vice president of Security at Ivanti, points out that this vulnerability may be of particular interest to attackers as it only affects legacy operating systems that are likely unpatched. "If you fall into this group, there is yet more reason to either subscribe to Microsoft’s ESU for Windows 7 and Server 20082008 R2 or migrate off of these platforms as the risk of running these EoL systems continues to grow," he says.
Windows WLAN AutoConfig Service Fix
CVE-2021-36965, another remote code execution vulnerability, has a combination of a critical severity rating, lack of privilege escalation/user interaction and affected Windows versions. That is especially alarming, says Danny Kim, principle architect at Virsec Systems.
"Although the exploit code maturity is currently unproven, this vulnerability has been confirmed to exist, which leaves an opening for attackers," Kim says. "It specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker's end goal."
Automox notes that this vulnerability leverages the mechanism that enables Windows devices to auto-connect to a Wi-Fi network. When exploited, attackers gain complete access to your device. Luckily, on its own, this flaw cannot be weaponized over the internet; it requires a shared physical network, the company says, to Information Security Media Group in an email.
"However, when leveraged along with other vulnerabilities, an attacker that already has a foothold in your network can extend their reach to additional devices. As weaponization has likely already begun, we recommend patching within 72 hours," Automox suggests.
Ivanti's Goettl points out that CVE-2021-36958, which was issued in August as part of the PrintNightmare vulnerability, has been updated with the September patch rollout.
"The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix," Goettl says. "The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates."