Patch Tuesday, October 2021 Edition (Krebs on Security)

Microsoft today issued updates to plug more than 70 security holes in its Windows operating systems and other software, including one vulnerability that is already being exploited. This month’s Patch Tuesday also includes security fixes for the newly released Windows 11 operating system. Separately, Apple has released updates for iOS and iPadOS to address a flaw that is being actively attacked.

Firstly, Apple has released iOS 15.0.2 and iPadOS 15.0.2 to fix a zero-day vulnerability (CVE-2021-30883) that is being leveraged in active attacks targeting iPhone and iPad users. Lawrence Abrams of Bleeping Computer writes that the flaw could be used to steal data or install malware, and that soon after Apple patched the bug security researcher Saar Amar published a technical writeup and proof-of-concept exploit that was derived from reverse engineering Apple’s patch.

Abrams said the list of impacted Apple devices is quite extensive, affecting older and newer models. If you own an iPad or iPhone — or any other Apple device — please make sure it’s up to date with the latest security patches.

Three of the weaknesses Microsoft addressed today tackle vulnerabilities rated “critical,” meaning that malware or miscreants could exploit them to gain complete, remote control over vulnerable systems — with little or no help from targets.

One of the critical bugs concerns Microsoft Word, and two others are remote code execution flaws in Windows Hyper-V, the virtualization component built into Windows. CVE-2021-38672 affects Windows 11 and Windows Server 2022; CVE-2021-40461 impacts both Windows 11 and Windows 10 systems, as well as Server versions.

But as usual, some of the more concerning security weaknesses addressed this month earned Microsoft’s slightly less dire “important” designation, which applies to a vulnerability “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”

The flaw that’s under active assault — CVE-2021-40449 — is an important “elevation of privilege” vulnerability, meaning it can be leveraged in combination with another vulnerability to let attackers run code of their choice as administrator on a vulnerable system.

CVE-2021-36970 is an important spoofing vulnerability in Microsoft’s Windows Print Spooler. The flaw was discovered by the same researchers credited with the discovery of one of two vulnerabilities that became known as PrintNightmare — the widespread exploitation of a critical Print Spooler flaw that forced Microsoft to issue an emergency security update back in July. Microsoft assesses CVE-2021-36970 as “exploitation more likely.”

“While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook,” said Satnam Narang, staff research engineer at Tenable. “We strongly encourage organizations to apply these patches as soon as possible.”

CVE-2021-26427 is another important bug in Microsoft Exchange Server, which has been under siege lately from attackers. In March, threat actors pounced on four separate zero-day flaws in Exchange that allowed them to siphon email from and install backdoors at hundreds of thousands of organizations.

This month’s Exchange bug earned a CVSS score of 9.0 (10 is the most dangerous). Kevin Breen of Immersive Labs points out that Microsoft has marked this flaw as less likely to be exploited, probably because an attacker would already need access to your network before using the vulnerability.

“Email servers will always be prime targets, simply due to the amount of data contained in emails and the range of possible ways attackers could use them for malicious purposes. While it’s not right at the top of my list of priorities to patch, it’s certainly one to be wary of.”

Also today, Adobe issued security updates for a range of products, including Adobe Reader and Acrobat, Adobe Commerce, and Adobe Connect.

For a complete rundown of all patches released today and indexed by severity, check out the always-useful Patch Tuesday roundup from the SANS Internet Storm Center, and the Patch Tuesday data put together by Morphus Labs. And it’s not a bad idea to hold off updating for a few days until Microsoft works out any kinks in the updates: AskWoody.com frequently has the lowdown on any patches that are causing problems for Windows users.

On that note, before you update please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a decent chance other readers have experienced the same and may chime in here with useful tips.