Microsoft’s software security cleanup at the end of summer fixes more than 80 bugs • The Register
Patch Tuesday For its September Patch Tuesday, Microsoft has released fixes for 66 vulnerabilities, plus fixes for 20 Chromium security bugs in Microsoft Edge.
Affected products include: Azure, Edge (Android, Chromium and iOS), Office, SharePoint Server, Windows, Windows DNS and the Windows subsystem for Linux.
Of these CVEs, three are classified as critical, one as moderate, and the rest as important.
One of the already publicly disclosed CVEs is a critical zero-day vulnerability (CVE-2021-40444) in MSHTML, also known as Microsoft’s old Trident rendering engine. The flaw can be abused to achieve arbitrary code execution via a malicious ActiveX control in a Microsoft Office document that hosts the browser rendering engine. This is the vulnerability that came to light on September 7 and has been used in targeted attacks against Office users. Exploit code has been shared across the internet and among security researchers, so get patching.
Another fix updates a publicly released patch dated August 11 for last month’s print spooler RCE (CVE-2021-36958).
“The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that researchers identified beyond the original fix,” said Chris Goettl, VP of Product Management at Ivanti, an IT asset management company, in a statement emailed to The Register. “The vulnerability has been publicly disclosed and functional exploit code is available, so this month’s Windows operating system updates are even more urgent.”
Goettl said the third previously disclosed vulnerability (CVE-2021-36968) is an elevation of privilege bug in Windows DNS. “This CVE applies to the older Windows operating systems. Public disclosure gives threat actors a jump-start in developing a working exploit.”
There are two other critical vulnerabilities: a remote code execution vulnerability in Windows WLAN AutoConfig Service (CVE-2021-36965) and a remote code execution vulnerability in the Open Management Infrastructure (CVE-2021-38647).
The former, said Dustin Childs of the Zero-Day Initiative in an advisory, enables an attacker on an adjacent network, such as a public WLAN in a café, to take over a vulnerable target system.
The latter is even more serious. It is a critical severity (CVSS 9.8) bug in the Open Management Infrastructure (OMI). It can be exploited to gain administrative control of a vulnerable computer on the network without the need for authentication or other verification.
“This vulnerability does not require user interaction or permissions, so an attacker could execute their code on an affected system by simply sending a specially crafted message to an affected system,” warned Childs. “OMI users should test and deploy this quickly.”
Attention Azure subscribers … Note that CVE-2021-38647 belongs to a family of bugs (the others are CVE-2021-38648, CVE-2021-38645, and CVE-2021-38649) in OMI, which is used in Linux virtual machines on Azure. If you set up a Linux guest in the Microsoft cloud and certain services are enabled, an OMI agent is automatically and quietly deployed with root privileges in the virtual machine.
This means that your Linux guest is, or has been, potentially vulnerable to serious attacks via these bugs in the OMI agent. For more information, see the page linked above from Wiz, which discovered and reported the vulnerabilities, and check that you are running OMI version 220.127.116.11, which has the necessary fixes, especially if OMI is listening on ports 5985, 5986 and 1270. Azure should automatically roll out a fixed version of the software. Wiz, which named the bugs “OMIGOD”, reports that “Customers who are still using System Center with OMI-based Linux may need to manually update the OMI agent.”
Cloud services that are known to trigger the deployment of an OMI agent in a Linux virtual machine include:
- Azure automation
- Azure automatic update
- Azure Operations Management Suite (OMS)
- Azure Log Analytics
- Azure configuration management
- Azure diagnostics
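A triage helper for the OMI exposure described above, added here as an example and not taken from The Register, Microsoft or Wiz. It answers the two questions an Azure Linux admin would ask after reading the advice above: is the installed OMI package at or above the fixed version, and is OMI actually listening on the management ports named in the article (5985, 5986 and 1270)? It assumes the package is called `omi` (on a dpkg- or rpm-based system), that `ss` from iproute2 is available, and that the caller passes the fixed version number taken from the Microsoft or Wiz advisory on the command line rather than hard-coding it.

```shell
#!/bin/sh
# Added example (not from The Register, Microsoft or Wiz): defender-side triage
# for the OMI ("OMIGOD") exposure on an Azure Linux guest.
# Assumptions: package name "omi", `ss` from iproute2 present, fixed version
# supplied by the caller from the vendor advisory.

OMI_PORTS="5985 5986 1270"   # management ports named in the article

# version_ge A B: succeed (exit 0) when dotted version A is >= B, comparing
# component by component numerically; a missing component counts as 0.
version_ge() {
    a=$1
    b=$2
    i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v i="$i" '{print $i}')
        y=$(printf '%s' "$b" | awk -F. -v i="$i" '{print $i}')
        if [ -z "$x" ] && [ -z "$y" ]; then
            return 0          # both sides exhausted: versions are equal
        fi
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
}

# listening_omi_ports: read `ss -Hltn` output on stdin and print, on one line,
# which of the OMI ports have a TCP listener (empty line if none).
listening_omi_ports() {
    awk -v want="$OMI_PORTS" '
        BEGIN { n = split(want, w, " "); for (k = 1; k <= n; k++) wanted[w[k]] = 1 }
        {
            # local address is field 4, e.g. 0.0.0.0:5985 or [::]:5986;
            # the port is whatever follows the last colon
            m = split($4, a, ":"); p = a[m]
            if ((p in wanted) && !(p in seen)) { seen[p] = 1; out = out (out == "" ? "" : " ") p }
        }
        END { print out }'
}

# run_checks FIXED_VERSION: live checks against this host.
run_checks() {
    fixed=$1
    installed=""
    if command -v dpkg-query >/dev/null 2>&1; then
        installed=$(dpkg-query -W -f '${Version}' omi 2>/dev/null)
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q omi >/dev/null 2>&1 && installed=$(rpm -q --qf '%{VERSION}' omi)
    fi
    installed=${installed%%-*}   # drop a Debian revision suffix such as "-0"

    if [ -z "$installed" ]; then
        echo "OMI package not installed on this host"
    elif version_ge "$installed" "$fixed"; then
        echo "OMI $installed is at or above the fixed version $fixed"
    else
        echo "OMI $installed is BELOW the fixed version $fixed: update required"
    fi

    exposed=$(ss -Hltn 2>/dev/null | listening_omi_ports)
    if [ -n "$exposed" ]; then
        echo "OMI management ports listening: $exposed (network-reachable path to CVE-2021-38647)"
    else
        echo "no OMI management ports listening; exposure limited to local use"
    fi
}

# Run the live checks only when a fixed version is given on the command line:
#   sh omi_check.sh <FIXED_VERSION>     (version from the Microsoft/Wiz advisory)
if [ "$#" -gt 0 ]; then
    run_checks "$1"
fi
```

The version comparison is deliberately component-wise rather than a string compare, so that a four-part fixed version such as the one Wiz refers to sorts correctly against a shorter installed version. The port check reads from `ss -Hltn` so it can also be run against saved output collected from many hosts.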
“We conservatively estimate that thousands of Azure customers and millions of endpoints will be affected,” said Wiz’s Nir Ohfeld. “In a small sample of Azure tenants that we analyzed, over 65 percent were unknowingly at risk.”
Kevin Breen, director of cyber threat research at Immersive Labs, told The Register in an email that three local privilege escalation vulnerabilities in the Windows Common Log File System Driver (CVE-2021-36955, CVE-2021-36963, CVE-2021-38633) also deserve attention, as they are listed as more likely to be exploited.
“Local priv esc vulnerabilities are a key component of almost every successful cyberattack, especially for ransomware operators who use this type of exploit to gain the highest level of access,” said Breen. “This way they can disable antivirus programs, delete backups and ensure that their encryption programs can reach even the most sensitive files.”
However, the exploits cannot be performed remotely, which means attackers would have to use them in conjunction with a separate RCE bug such as the MSHTML bug (CVE-2021-40444).
As we noted on Monday, Apple yesterday released patches for macOS, iOS and iPadOS that fix bugs in WebKit and CoreGraphics, one of which was implicated in attacks on human rights activists. Google has also released fixes for nine CVEs in Chromium, two of which are under active attack.
Adobe published 15 security advisories covering 59 CVEs in Adobe Acrobat Reader, ColdFusion, Creative Cloud Desktop, Digital Editions, Experience Manager, Framemaker, Genuine Service, InCopy, InDesign, Photoshop, Photoshop Elements, Premiere Elements, Premiere Pro, SVG Native Viewer, and XMP Toolkit SDK.
Acrobat Reader alone has 26 bugs, 13 of which are classified as critical.
“The most serious of these bugs could allow remote code execution, either through a type confusion, a heap-based buffer overflow, or a use-after-free vulnerability,” said Childs. “The single bug fixed by the Photoshop patch could also lead to code execution when a specially crafted file is opened.”
SAP, meanwhile, has published 19 security advisories, two of which update previous patches, covering 23 CVEs.
Seven of them carry the label “HotNews”, SAP’s absurd way of saying “critical”. Two received a perfect severity score of 10 out of 10. One is a missing authorization check in the SAP NetWeaver Application Server for Java (CVE-2021-37535).
“Given the integral role of the JMS Connector Service and the CVSS top score for the vulnerability, there should be no doubt that deploying the appropriate patch is highly recommended,” said Thomas Fritsch, researcher at security company Onapsis, in a blog post. “Otherwise there is a risk that restricted data will be read, updated or deleted.”
The other severity 10 note updates an April 2018 Patch Day mitigation that was applied to a Google Chromium component in the SAP Business Client. Of the remaining five “HotNews” notes, four describe bugs with severity 9.9 and one a bug with severity 9.6. ®