The September 2021 Security Update Review

September 14, 2021 | Dustin Childs

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for September 2021

For September, Adobe released 15 patches covering 59 CVEs in Adobe Acrobat Reader, XMP Toolkit SDK, Photoshop, Experience Manager, Genuine Service, Digital Editions, Premiere Elements, Photoshop Elements, Creative Cloud Desktop, ColdFusion, Framemaker, InDesign, SVG-Native-Viewer, InCopy, and Premiere Pro. A total of 17 of these bugs came through the ZDI program.

The update for Adobe Acrobat fixes 26 bugs in total. Of these 26 bugs, 13 are rated Critical, 9 are rated Important, and four are rated Moderate in severity. The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability. The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file. The update for Framemaker includes five bugs found by ZDI researcher Mat Powell. The most severe of these issues result from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. If you’re still using ColdFusion, you’ll definitely want to patch the two Critical rated security feature bypass bugs being fixed today.

You can check out all of Adobe’s patches on their PSIRT page. None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Apple Patches for September 2021

Although Apple does not follow the second Tuesday patch release cycle, they did release patches yesterday fixing a couple of significant bugs. CVE-2021-30860 fixes an input validation bug in CoreGraphics that could allow remote code execution. Apple notes they are aware of a report this bug is being actively exploited. This was reported by the Citizen Lab, and public accounts indicate this bug was used to target a Saudi activist’s iPhone. While the likelihood of widespread attack using this bug is low, it should still be taken seriously. Apple also notes that CVE-2021-30858 – a Use-After-Free (UAF) bug in WebKit – has been detected in the wild. These bugs impact several different Apple products, including iOS, iPadOS, watchOS, Safari, Catalina, and Big Sur. Definitely take some time to review all of the patches and apply the applicable updates once tested.

Google Chrome Patches for September 2021

Not to be outdone by Apple, Google also released a new version of Chrome yesterday to address a total of nine CVEs – two of which are listed as under active attack. CVE-2021-30632 fixes an Out-of-Bounds (OOB) Write, while CVE-2021-30633 fixes a UAF bug. Both were reported by an anonymous researcher, and both could lead to code execution at the level of the logged-on user. All of the bugs fixed in this release receive a “High” severity rating from Google. If you are running Chrome, definitely update to ensure you are on the latest stable version.

Side note: As of today, not all of these fixes have been absorbed by Microsoft Edge (Chromium), and they are unrelated to the Edge (Chromium) fixes discussed below. Microsoft did list CVE-2021-30632 on September 11 but appears to have jumped the gun a bit on this release, as it currently shows a September 14 release date.

Microsoft Patches for September 2021

For September, Microsoft released patches today for 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. This is in addition to the 20 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the September total to 86 CVEs. A total of 11 of these bugs were submitted through the ZDI program.

Of the 66 new CVEs patched today, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume is slightly higher than the average for 2021, which is below the 2020 volume while still above what was seen in 2019. As with last month, Microsoft spent significant resources responding to bugs under active attack, most notably CVE-2021-40444. One other bug is listed as publicly known but not being exploited (for now).

Let’s take a closer look at some of the more interesting updates for this month, starting with the MSHTML bug that’s listed as under active attack:

- CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability
This patch fixes a bug currently being exploited via Office documents. A specially crafted ActiveX control is embedded in an Office doc then sent to a target. If opened on an affected system, code executes at the level of the logged-on user. Microsoft lists disabling ActiveX as a workaround, but other reports state this may be ineffective. As of now, the most effective defense is to apply the patch and avoid Office docs you aren’t expecting to receive. There are multiple updates for specific platforms, so be sure to carefully review and install all needed patches to ensure you are covered.

- CVE-2021-36965 - Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
This patch fixes a vulnerability that could allow network adjacent attackers to run their code on affected systems at SYSTEM level. This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly.

- CVE-2021-38647 - Open Management Infrastructure Remote Code Execution Vulnerability
This patch rates the highest CVSS (9.8) for this month and fixes an RCE bug in the Open Management Infrastructure (OMI). If you aren’t familiar with OMI, it’s an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. You can read all about it here. This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system. OMI users should test and deploy this one quickly.
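The MSHTML entry above describes the delivery vehicle as an ActiveX control embedded in an Office document. As an added example (not code from the original post, and not Microsoft's or ZDI's tooling), here is a small Python triage script that opens a .docx as the OOXML zip package it is and reports two generic indicators a defender screening inbound documents can act on: any part under word/activeX/ (an embedded ActiveX control) and any relationship whose TargetMode is External (the document reaches outside the package when that part loads). The sample documents it builds are constructed in memory for the demonstration, and the indicators are general document-triage heuristics, not a signature for CVE-2021-40444.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import List

PKG_RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OFFICE_REL_BASE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/"


def build_sample_docx(with_activex: bool, with_external_rel: bool) -> bytes:
    """Build a minimal, constructed .docx in memory (not a real document).

    A .docx is a zip of XML parts; only the parts the inspector looks at are
    included, so Word itself would not necessarily open this package.
    """
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
        '<Default Extension="xml" ContentType="application/xml"/>'
        "</Types>"
    )
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        f'<Relationships xmlns="{PKG_RELS_NS}">',
        f'<Relationship Id="rId1" Type="{OFFICE_REL_BASE}styles" Target="styles.xml"/>',
    ]
    if with_external_rel:
        # Constructed placeholder target; ".invalid" is a reserved TLD that never resolves.
        rels.append(
            f'<Relationship Id="rId2" Type="{OFFICE_REL_BASE}oleObject" '
            'Target="http://example.invalid/object" TargetMode="External"/>'
        )
    rels.append("</Relationships>")

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", content_types)
        z.writestr(
            "word/document.xml",
            '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"/>',
        )
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
        if with_activex:
            # Real documents carry activeXN.xml plus a .bin blob; one part is enough here.
            z.writestr("word/activeX/activeX1.xml", "<ax:ocx/>")
    return buf.getvalue()


def inspect_docx(data: bytes) -> List[str]:
    """Return human-readable findings for an OOXML package given as bytes."""
    findings: List[str] = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        # Indicator 1: any part under word/activeX/ means an ActiveX control is embedded.
        for name in names:
            if name.startswith("word/activeX/"):
                findings.append(f"embedded ActiveX part: {name}")
        # Indicator 2: a relationship with TargetMode="External" makes the document
        # fetch something outside the package (a URL or UNC path) when the part loads.
        for name in names:
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{PKG_RELS_NS}}}Relationship"):
                if rel.get("TargetMode") == "External":
                    rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                    findings.append(
                        f"external {rtype} relationship in {name}: {rel.get('Target')}"
                    )
    return findings


if __name__ == "__main__":
    for label, doc in (
        ("clean", build_sample_docx(False, False)),
        ("suspicious", build_sample_docx(True, True)),
    ):
        print(label, inspect_docx(doc) or ["no indicators"])
```

Either finding on its own is not proof of malice (legitimate documents embed controls and link external content too), which is why the script reports indicators for a human or a sandbox to follow up rather than making a block/allow decision itself.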

Here’s the full list of CVEs released by Microsoft for September 2021:

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
|---|---|---|---|---|---|---|
| CVE-2021-40444 | Microsoft MSHTML Remote Code Execution Vulnerability | Important | 8.8 | Yes | Yes | RCE |
| CVE-2021-36968 | Windows DNS Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2021-38647 | Open Management Infrastructure Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-26435 | Windows Scripting Engine Memory Corruption Vulnerability | Critical | 8.1 | No | No | RCE |
| CVE-2021-36965 | Windows WLAN AutoConfig Service Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-36956 | Azure Sphere Information Disclosure Vulnerability | Important | 4.4 | No | No | Info |
| CVE-2021-38632 | BitLocker Security Feature Bypass Vulnerability | Important | 5.7 | No | No | SFB |
| CVE-2021-38661 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-40448 | Microsoft Accessibility Insights for Android Information Disclosure Vulnerability | Important | 6.3 | No | No | Info |
| CVE-2021-40440 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | Important | 5.4 | No | No | XSS |
| CVE-2021-26436 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 6.1 | No | No | EoP |
| CVE-2021-36930 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important | 5.3 | No | No | EoP |
| CVE-2021-38669 | Microsoft Edge (Chromium-based) Tampering Vulnerability | Important | 6.4 | No | No | Tampering |
| CVE-2021-38641 | Microsoft Edge for Android Spoofing Vulnerability | Important | 6.1 | No | No | Spoofing |
| CVE-2021-38642 | Microsoft Edge for iOS Spoofing Vulnerability | Important | 6.1 | No | No | Spoofing |
| CVE-2021-38655 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38644 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38646 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38657 | Microsoft Office Graphics Component Information Disclosure Vulnerability | Important | 6.1 | No | No | Info |
| CVE-2021-38658 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38660 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38659 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38650 | Microsoft Office Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2021-38653 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38654 | Microsoft Office Visio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38651 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2021-38652 | Microsoft SharePoint Server Spoofing Vulnerability | Important | 7.6 | No | No | Spoofing |
| CVE-2021-38634 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2021-38656 | Microsoft Word Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-38645 | Open Management Infrastructure Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38648 | Open Management Infrastructure Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38649 | Open Management Infrastructure Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2021-26437 | Visual Studio Code Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2021-26434 | Visual Studio Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36952 | Visual Studio Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-36975 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38639 | Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38628 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38638 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38629 | Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability | Important | 6.5 | No | No | Info |
| CVE-2021-36959 | Windows Authenticode Spoofing Vulnerability | Important | 5.5 | No | No | Spoofing |
| CVE-2021-36954 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2021-36963 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36955 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38633 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36964 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38630 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36961 | Windows Installer Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2021-36962 | Windows Installer Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-38625 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38626 | Windows Kernel Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38624 | Windows Key Storage Provider Security Feature Bypass Vulnerability | Important | 6.5 | No | No | SFB |
| CVE-2021-38667 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-38671 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-40447 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36969 | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-38635 | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-38636 | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-36973 | Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36974 | Windows SMB Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36960 | Windows SMB Information Disclosure Vulnerability | Important | 7.5 | No | No | Info |
| CVE-2021-36972 | Windows SMB Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-38637 | Windows Storage Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-36966 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-36967 | Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | Important | 8 | No | No | EoP |
| CVE-2021-26439 | Microsoft Edge for Android Information Disclosure Vulnerability | Moderate | 4.6 | No | No | Info |
| CVE-2021-30606 | Chromium: CVE-2021-30606 Use after free in Blink | High | N/A | No | No | RCE |
| CVE-2021-30607 | Chromium: CVE-2021-30607 Use after free in Permissions | High | N/A | No | No | RCE |
| CVE-2021-30608 | Chromium: CVE-2021-30608 Use after free in Web Share | High | N/A | No | No | RCE |
| CVE-2021-30609 | Chromium: CVE-2021-30609 Use after free in Sign-In | High | N/A | No | No | RCE |
| CVE-2021-30610 | Chromium: CVE-2021-30610 Use after free in Extensions API | High | N/A | No | No | RCE |
| CVE-2021-30632 | Chromium: CVE-2021-30632 Out of bounds write in V8 | High | N/A | No | Yes | RCE |
| CVE-2021-30623 | Chromium: CVE-2021-30623 Use after free in Bookmarks | Low | N/A | No | No | RCE |
| CVE-2021-30624 | Chromium: CVE-2021-30624 Use after free in Autofill | Low | N/A | No | No | RCE |
| CVE-2021-30611 | Chromium: CVE-2021-30611 Use after free in WebRTC | Medium | N/A | No | No | RCE |
| CVE-2021-30612 | Chromium: CVE-2021-30612 Use after free in WebRTC | Medium | N/A | No | No | RCE |
| CVE-2021-30613 | Chromium: CVE-2021-30613 Use after free in Base internals | Medium | N/A | No | No | RCE |
| CVE-2021-30614 | Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip | Medium | N/A | No | No | RCE |
| CVE-2021-30615 | Chromium: CVE-2021-30615 Cross-origin data leak in Navigation | Medium | N/A | No | No | Info |
| CVE-2021-30616 | Chromium: CVE-2021-30616 Use after free in Media | Medium | N/A | No | No | RCE |
| CVE-2021-30617 | Chromium: CVE-2021-30617 Policy bypass in Blink | Medium | N/A | No | No | SFB |
| CVE-2021-30618 | Chromium: CVE-2021-30618 Inappropriate implementation in DevTools | Medium | N/A | No | No | RCE |
| CVE-2021-30619 | Chromium: CVE-2021-30619 UI Spoofing in Autofill | Medium | N/A | No | No | Spoofing |
| CVE-2021-30620 | Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink | Medium | N/A | No | No | SFB |
| CVE-2021-30621 | Chromium: CVE-2021-30621 UI Spoofing in Autofill | Medium | N/A | No | No | Spoofing |
| CVE-2021-30622 | Chromium: CVE-2021-30622 Use after free in WebApp Installs | Medium | N/A | No | No | RCE |

As we did last month, this month’s table also lists the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign CVSS scores, so none are listed in the table. Again, these bugs are different than the ones fixed by Google Chrome in yesterday’s release. Those bugs should be incorporated into a future version of Edge (Chromium).
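A release of this size is usually triaged by the Public and Exploited columns first and by CVSS second, which is exactly the order the commentary above follows. As an added example (not code from the original post), the Python below parses rows in the form the table uses, accepting either whitespace-separated or pipe-delimited rows, ranks them for patch priority, and tallies the vulnerability types. The rows embedded in SAMPLE_ROWS are copied from the table above; only a subset is included, so the counts it produces are for that subset rather than the full release. The N/A CVSS on the Chromium rows is kept as None so a missing score never outranks a real one.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Rows copied from the table above (a subset; enough to exercise the parser).
SAMPLE_ROWS = """\
CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability Important 8.8 Yes Yes RCE
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability Critical 8.1 No No RCE
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-36961 Windows Installer Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-30632 Chromium: CVE-2021-30632 Out of bounds write in V8 High N/A No Yes RCE
"""

# One row: id, free-text title, severity word, CVSS (or N/A), Public, Exploited, Type.
# The title is matched lazily so the first severity word after it ends the title.
ROW_RE = re.compile(
    r"^(CVE-\d{4}-\d+)\s+(.+?)\s+"
    r"(Critical|Important|Moderate|Low|Medium|High)\s+"
    r"(\d+(?:\.\d+)?|N/A)\s+(Yes|No)\s+(Yes|No)\s+(\S+)$"
)


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    cvss: Optional[float]  # None where the table says N/A (the Chromium rows)
    public: bool
    exploited: bool
    kind: str  # RCE, EoP, Info, SFB, ...


def parse_rows(text: str) -> List[Entry]:
    """Parse table rows; pipe-delimited rows are normalised to the whitespace form."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = re.sub(r"\s*\|\s*", " ", raw.strip()).strip()
        if not line.startswith("CVE-"):
            continue  # header, separator or blank line
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsable row: {raw!r}")
        cve, title, sev, cvss, public, exploited, kind = m.groups()
        entries.append(Entry(cve, title, sev, None if cvss == "N/A" else float(cvss),
                             public == "Yes", exploited == "Yes", kind))
    return entries


def prioritize(entries: List[Entry]) -> List[str]:
    """Patch order: exploited first, then publicly known, then descending CVSS."""
    # Python sorts False before True, so "not exploited" puts exploited bugs first.
    ranked = sorted(entries, key=lambda e: (not e.exploited, not e.public, -(e.cvss or 0.0)))
    return [e.cve for e in ranked]


def count_by_type(entries: List[Entry]) -> Dict[str, int]:
    """Tally the Type column, as the commentary does for EoP, Info and spoofing bugs."""
    counts: Dict[str, int] = {}
    for e in entries:
        counts[e.kind] = counts.get(e.kind, 0) + 1
    return counts


if __name__ == "__main__":
    parsed = parse_rows(SAMPLE_ROWS)
    for cve in prioritize(parsed):
        print(cve)
    print(count_by_type(parsed))
```

Feeding the full table through parse_rows reproduces the totals the commentary quotes (27 EoP, 12 Info, 7 spoofing, 2 SFB); the ranking puts the two in-the-wild bugs and the publicly known DNS EoP ahead of the 9.8-rated OMI bug, which is the order a patch manager would want to see.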

The remaining Critical-rated bug fixes a code execution vulnerability in the Scripting Engine. An attacker would need to convince a user to browse to a specially crafted website or open a file to get code execution. Looking at the other RCE bugs addressed in this release, many impact Office or an Office component. Visio receives some rare updates to go along with the more common fixes for Word, Access, and Excel.

This month’s release brings a total of 27 Elevation of Privilege (EoP) patches with it. The most notable is one listed as publicly known impacting DNS. Microsoft provides no details about the nature of the bug other than to say local privileges are required to successfully exploit it. This is not to be confused with the patch for an EoP in the Bind Filter Driver, which is completely different from the ISC BIND DNS system. Other notable EoP bugs include updates for Edge (Chromium) that seem unique to Edge – meaning the bugs weren’t from the port of Chromium and patched by Google. Visual Studio receives a patch to fix an EoP reported by ZDI researcher Michael DePlante. The issue results from incorrect permissions set on a resource used by the installer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. There are some patches for the Print Spooler, but these don’t appear to have the impact or urgency as the PrintNightmare series of bugs. The other EoP fixes address various Windows components. In almost all cases, an attacker would need to log on to an affected system and run specially crafted code.

There are only two patches for security feature bypasses (SFBs) in this month’s release, but one seems awfully familiar. CVE-2021-38632 fixes a bug that could allow an attacker with physical access to a powered-off system to gain access to encrypted data. This sounds vaguely like the “cold boot” attacks widely discussed back in 2008. The other SFB bug being fixed this month could allow an attacker to bypass the Windows Key Storage Provider that issues key certificates for trust in attestation scenarios. This one’s a bit more vague, but surprisingly, Microsoft lists the attack complexity as Low for this bug. Definitely something to look out for.

Looking at the 12 information disclosure bugs in this month’s release, most simply result in leaks consisting of unspecified memory contents. A notable exception is a bug in the Windows Installer that could allow an attacker to read from the file system. The Windows Storage component has a bug with a similar impact. It’s not clear if any file can be read by an attacker or just specific files and locations. The info disclosure being fixed in the Microsoft Accessibility Insights for Android is even more vague. According to Microsoft, the type of info disclosed is “sensitive information.” Well then. Plan accordingly.

The September release includes fixes for seven spoofing bugs and one for a cross-site scripting (XSS) bug. Microsoft provides no details on what may be spoofed for any of these vulnerabilities, but some have intriguing titles. There are fixes for Microsoft Edge for iOS and Android, so for those of you who use Edge on your phone, hit up the appropriate store to update your apps. There is a fix for a spoofing bug in Windows Authenticode, but the attack vector is listed as local with privileges required. It’s possible this could allow an attacker access to something otherwise prohibited, but without further details, we can only speculate.

This month’s release is rounded out by a fix for a Denial-of-Service (DoS) bug in the Windows Installer and by a fix for Microsoft Edge (Chromium) in the mercurial Tampering category. Again, no information on what sort of tampering this vulnerability would allow. However, tampering bugs in the browser usually means an attacker could view and/or alter data within the browser. Interestingly, Microsoft appears to have released this update on September 9, but it does not appear to map to any bug fix released by the Chrome team.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on October 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!