This week, the Redmond giant has released the monthly security fixes for its products. With September Patch Tuesday bundle, Microsoft has fixed dozens of security bugs in different products, including two Windows zero-day flaws.
Microsoft Fixed Two Zero-Day Bugs
With September Patch Tuesday updates, Microsoft has addressed two serious zero-day vulnerabilities.
The first of these include CVE-2021-40444 – a remote code execution vulnerability in Windows MSHTML. An adversary could exploit the vulnerability via maliciously crafted Office documents. Convincing the victim to open the malicious Office document embedding ActiveX control would execute the attack.
Microsoft confirmed active exploitation of the flaw in the wild. Hence, it advised disabling ActiveX controls via group policy as a workaround. Nonetheless, the tech giant has now also patched the bug.
The second zero-day bug includes a privilege escalation vulnerability in Windows DNS (CVE-2021-36968). Thankfully, this bug escaped active exploitation despite public disclosure.
Microsoft has labeled both zero-days as important severity bugs receiving CVSS scores of 8.8 and 7.3, respectively.
Other September Patch Tuesday Fixes From Microsoft
Alongside the two serious security fixes, Microsoft has also patched 84 other vulnerabilities affecting different software.
These include three critical vulnerabilities affecting Microsoft Open Management Infrastructure (OMI) (CVE-2021-38647), Windows scripting engine (CVE-2021-26435), and WLAN AutoConfig Service (CVE-2021-36965). All three vulnerabilities could allow remote code execution attacks upon exploitation.
The other bugs include 60 important severity flaws, 6 high-severity, 12 medium-severity, 1 moderate severity, and 2 low-severity vulnerabilities.
From these, a noteworthy high-severity bug includes an out-of-bounds write flaw in the Chromium V8 component (CVE-2021-30632). Exploiting this vulnerability could allow remote code execution attacks. Microsoft has admitted active exploitation of this flaw despite no public disclosure.
Alongside this one, all the medium-severity and low severity bugs also affect Chromium (Microsoft Edge).
Since the Patch Tuesday update bundle is out, all users must ensure updating their systems at the earliest. Although, most of the updates would automatically reach their devices. Still, users can also perform a manual check via All Settings > Update & security > Windows Update to receive quick fixes.