October 2021 Patch Tuesday: More Print Spooler and Exchange vulnerabilities lurk

The number of vulnerabilities addressed by Microsoft this month continues to trend down, a reprieve from earlier in the year. Security patches are available for 74 vulnerabilities with a smattering of Zero-Days, Critical, and Exploitation More Likely. This month also has a set of noteworthy updates for Apple and Apache.

Though we only have 74 vulnerabilities being addressed, there are 1,608 permutations of specific patches for specific builds of Windows OS. Some vulnerabilities might receive the same patch for four different builds, while another may need a different one for each.

This is why managing patches without a centralized solution can be untenable for MSPs. The ability to audit updates and patches is a must, and the tools commonly used by MSPs and system admins to accomplish this can make it seem fairly trivial. But don’t let a good tool detract from the complexity and importance of the underlying task when positioning patch management within a managed services contract.

Microsoft vulnerabilities

Including Microsoft Edge vulnerabilities (which are typically patched prior to Patch Tuesdays), we have a total of 81 for October. Four of them are zero-days—flaws that were publicly disclosed or are under active exploit prior to fixes being available. There are nine vulnerabilities listed as Exploitation More Likely that should also be on everyone’s prioritization.   

CVE-2021-40449 is of note since it is under active exploitation by APT groups and has been leveraged to deliver the MysterySnail RAT. Further attacks leveraging this elevation of privilege vulnerability would not be surprising.

CVE-2021-26427 (an Exchange vulnerability) and CVE-2021-36970 (a Windows Print Spooler vulnerability) also get called out because they may bring headaches similar to those experienced earlier this year with PrintNightmare and ProxyLogon. Make sure these are included in your earliest possible patch windows.

Related Product

N‑central

Manage large networks or scale IT operations with RMM made for growing service providers.

Find out more

Vulnerability prioritization

The table below lists Critical, Exploitation More Likely, or Exploitation Detected vulnerabilities. This is to highlight how some might have their patching deferred due to a false sense of importance based on a severity rating. Vulnerabilities marked Exploitation More Likely are just as important to address, and quickly, due to their increased likelihood to cause impacts to an environment.

Cumulative updates

KB5006670 and KB5006667 cumulative updates were released with typical previous security fixes included for Windows 10 versions 21H1, 20H2, 2004, and 1909. There were also some notable bug fixes included, such as resolving intermittent Outlook freezing and an issue where some apps would not allow keyboard input if the taskbar was not positioned along the bottom of the screen.

Related Product

N‑sight RMM

Inizia a utilizzare rapidamente la soluzione RMM progettata per MSP e reparti IT di piccole dimensioni.

Find out more

End of Service for Windows 10 2004

Joining previous Windows builds that hit EoS this year, Windows 10 2004 will no longer receive security updates after December 14, 2021. That’s only three months to plan for transition to newer builds. If you don’t already have plans in motion, then today is the day to start.

Apple

Apple released security updates for iOS to fix zero-day vulnerability CVE-201-30883 that can be used to exfiltrate data or install malware. There is a freely available POC leveraging this vulnerability. If you manage iPads or iPhones, getting the new Apple update applied should be a priority item.

Apache

While not as prevalent as other solutions that fall under the purview of most MSPs, the sheer deployment base of Apache Web Servers means it is on everyone’s radar when vulnerabilities affect it. The Apache Software Foundation released Apache HTTP 2.4.51 to address an incomplete fix for CVE-2021-42013 that is under active exploit. Attackers are actively scanning the internet for Apache HTTP Servers vulnerable to CVE-2021-41773 and CVE-2021-42013 an is likely to increase. Ensure any HTTP Web Server 2.4.50 are updated ASAP.

Summary

As always, make sure you have established patching processes for evaluation, testing, and pushing into production. If you have traditionally only dealt with patches by applying them based on their severity, then now is the time to start including prioritization of patches for Zero-Days, Exploitation Detected and Exploitation More Likely vulnerabilities in your patch management routines.

Lewis Pope is the Head Security Nerd at N‑able. You can follow him on:

Twitter: @cybersec_nerd

LinkedIn: thesecuritypope

Twitch: cybersec_nerd