- Redmond officials addressed a lot of problems with this month's rollout, more than expected.
- The vulnerability that impacts the Microsoft Exchange Server was treated as a critical one.
- Also considered critical was a major vulnerability that was actually found in Microsoft Excel.
- This article contains the complete list of security updates that were issued in November 2021.
Yes, it’s that time of the month again, and Microsoft has released 55 security fixes, including patches that tackle zero-day vulnerabilities actively exploited in the wild.
The tech giant’s latest round of patches has fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering.
Microsoft Azure, the Chromium-based Edge browser, Microsoft Office and its associated products, Visual Studio, Exchange Server, Windows Kernel, and Windows Defender are some of the products targeted by the patches.
Fifteen remote code execution bugs were fixed
Another busy month for Redmond programmers and developers, as they keep fighting old and constantly emerging issues.
While some matters only needed minor tweaks, others were of paramount importance and were treated as such by the tech company.
Some of the most interesting vulnerabilities resolved in this update, all deemed as important, are:
- CVE-2021-42321: (CVSS:3.1 8.8 / 7.7). Under active exploitation, this vulnerability impacts Microsoft Exchange Server and, due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.
- CVE-2021-42292: (CVSS:3.1 7.8 / 7.0). Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.
- CVE-2021-43209: (CVSS:3.1 7.8 / 6.8). A 3D Viewer vulnerability made public, this bug can be exploited locally to trigger RCE.
- CVE-2021-43208: (CVSS:3.1 7.8 / 6.8). Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution purposes.
- CVE-2021-38631: (CVSS:3.0 4.4 / 3.9). Also made public, this security flaw, found in the Windows Remote Desktop Protocol (RDP), can be used for information disclosure.
- CVE-2021-41371: (CVSS:3.1 4.4 / 3.9). Finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.
This is a relatively low number of vulnerabilities resolved during the month of November, compared with the releases of previous years.
Last month, Microsoft resolved 71 bugs, so we can consider this quite a quiet period. Of particular note are patches for a total of four zero-day flaws, one of which was being actively exploited in the wild, whereas three were made public.
If we go back in time a bit more, Microsoft tackled over 60 vulnerabilities during the September Patch Tuesday. Among the patches was a fix for an RCE in MSHTML.
And let’s not forget that alongside Microsoft’s Patch Tuesday software release, there are other companies that have published security updates too, such as: