October 2021 Patch Tuesday: More Print Spooler and Exchange vulnerabilities lurk

The number of vulnerabilities addressed by Microsoft this month continues to trend down, a reprieve from earlier in the year. Security patches are available for 74 vulnerabilities, with a smattering of Zero-Days, Critical ratings, and Exploitation More Likely ratings among them. This month also has a set of noteworthy updates for Apple and Apache.
Though we only have 74 vulnerabilities being addressed, there are 1,608 permutations of specific patches for specific builds of Windows OS. Some vulnerabilities might receive the same patch for four different builds, while another may need a different one for each.
This is why managing patches without a centralized solution can be untenable for MSPs. The ability to audit updates and patches is a must, and the tools commonly used by MSPs and system admins to accomplish this can make it seem fairly trivial. But don’t let a good tool detract from the complexity and importance of the underlying task when positioning patch management within a managed services contract.
Microsoft vulnerabilities
Including Microsoft Edge vulnerabilities (which are typically patched prior to Patch Tuesdays), we have a total of 81 for October. Four of them are zero-days—flaws that were publicly disclosed or are under active exploit prior to fixes being available. There are nine vulnerabilities listed as Exploitation More Likely that should also be on everyone’s prioritization list.
CVE-2021-40449 is of note since it is under active exploitation by APT groups and has been leveraged to deliver the MysterySnail RAT. Further attacks leveraging this elevation of privilege vulnerability would not be surprising.
CVE-2021-26427 (an Exchange vulnerability) and CVE-2021-36970 (a Windows Print Spooler vulnerability) also get called out because they may bring headaches similar to those experienced earlier this year with PrintNightmare and ProxyLogon. Make sure these are included in your earliest possible patch windows.
Vulnerability prioritization
The table below lists Critical, Exploitation More Likely, or Exploitation Detected vulnerabilities. It highlights how some patches might be deferred because a severity rating alone gives a false sense of their importance. Vulnerabilities marked Exploitation More Likely are just as important to address, and just as quickly, because they are more likely to be used to cause impacts to an environment.
CVE | Description | Exploitability | Severity
 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Less Likely | Critical
 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | Critical
 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | Critical
 | Win32k Elevation of Privilege Vulnerability | Exploitation Detected | Important
 | Win32k Elevation of Privilege Vulnerability | Exploitation More Likely | Important
 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation More Likely | Important
 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation More Likely | Important
 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Exploitation More Likely | Important
 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important
 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important
 | Win32k Elevation of Privilege Vulnerability | Exploitation More Likely | Important
 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Exploitation More Likely | Important
 | Windows Print Spooler Spoofing Vulnerability | Exploitation More Likely | Important
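A small triage script, added here as an example (it is not N‑able's tooling), that parses rows in the pipe-delimited format of the table above and orders them exploitability-first, so an Important / Exploitation Detected entry lands ahead of a Critical / Exploitation Less Likely one. The rank weights and the extra labels not on the page (Exploitation Unlikely, Moderate, Low) are assumptions; the sample rows are copied from the table, which carries no CVE identifiers.

```python
from dataclasses import dataclass

# Lower rank patches sooner; exploitability dominates severity, per the article.
# Labels beyond the four on the page (Unlikely, Moderate, Low) are assumptions.
EXPLOITABILITY_RANK = {"Exploitation Detected": 0, "Exploitation More Likely": 1,
                       "Exploitation Less Likely": 2, "Exploitation Unlikely": 3}
SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

@dataclass(frozen=True)
class Row:
    cve: str            # blank in the table above; populated from a real export
    description: str
    exploitability: str
    severity: str

def parse_table(text: str) -> list[Row]:
    """Parse 'CVE | Description | Exploitability | Severity' rows; skip the header."""
    rows = []
    for line in text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) != 4 or cells[2] == "Exploitability":
            continue
        rows.append(Row(*cells))
    return rows

def priority_key(row: Row) -> tuple[int, int]:
    # Unknown labels sort last instead of raising, so odd exports still rank.
    return (EXPLOITABILITY_RANK.get(row.exploitability, 9),
            SEVERITY_RANK.get(row.severity, 9))

def prioritize(rows: list[Row]) -> list[Row]:
    """Stable sort: ties keep the vendor's original order."""
    return sorted(rows, key=priority_key)

# Constructed sample: a subset of the table above (the page lists no CVE ids).
SAMPLE_TABLE = """
CVE | Description | Exploitability | Severity
 | Microsoft Word Remote Code Execution Vulnerability | Exploitation Less Likely | Critical
 | Windows Hyper-V Remote Code Execution Vulnerability | Exploitation Less Likely | Critical
 | Win32k Elevation of Privilege Vulnerability | Exploitation Detected | Important
 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Exploitation More Likely | Important
 | Windows Print Spooler Spoofing Vulnerability | Exploitation More Likely | Important
"""

if __name__ == "__main__":
    for r in prioritize(parse_table(SAMPLE_TABLE)):
        print(f"{r.exploitability:26} {r.severity:9} {r.description}")
```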
Cumulative updates
KB5006670 and KB5006667 cumulative updates were released with typical previous security fixes included for Windows 10 versions 21H1, 20H2, 2004, and 1909. There were also some notable bug fixes included, such as resolving intermittent Outlook freezing and an issue where some apps would not allow keyboard input if the taskbar was not positioned along the bottom of the screen.
End of Service for Windows 10 2004
Joining previous Windows builds that hit EoS this year, Windows 10 2004 will no longer receive security updates after December 14, 2021. That’s only three months to plan for transition to newer builds. If you don’t already have plans in motion, then today is the day to start.
Apple
Apple released security updates for iOS to fix zero-day vulnerability CVE-2021-30883, which can be used to exfiltrate data or install malware. A proof-of-concept exploit for this vulnerability is freely available. If you manage iPads or iPhones, getting the new Apple update applied should be a priority item.
Apache
While not as prevalent as other solutions that fall under the purview of most MSPs, the sheer deployment base of Apache HTTP Server means it is on everyone’s radar when vulnerabilities affect it. The Apache Software Foundation released Apache HTTP Server 2.4.51 to address CVE-2021-42013, the incomplete fix for CVE-2021-41773, which is under active exploit. Attackers are actively scanning the internet for Apache HTTP Servers vulnerable to CVE-2021-41773 and CVE-2021-42013, and this is likely to increase. Ensure any Apache HTTP Server 2.4.50 installations are updated ASAP.
Summary
As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, then now is the time to start including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your patch management routines.
Lewis Pope is the Head Security Nerd at N‑able. You can follow him on:
Twitter: @cybersec_nerd
LinkedIn: thesecuritypope
Twitch: cybersec_nerd
© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.
This document is provided for informational purposes only and its contents should not be relied upon as legal advice. N‑able makes no warranty, express or implied, and assumes no legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.
N-ABLE, N-CENTRAL, and the other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, registered, or pending registration with the U.S. Patent and Trademark Office and in other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (or may be registered trademarks) of their respective companies.