
Post-Patch Tuesday Roundup: November 2021

Welcome to the November Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors.

Tim Lovegrove

Security Analyst

Patch Roundup – November 2021

This month’s releases are mercifully brief, with nothing new from VMware and a handful of updates from Cisco.

Let’s dig into the more interesting stuff!

Microsoft Patch Tuesday

November’s update release from Microsoft is mercifully light, with just 55 total vulnerabilities addressed. Of these, 6 are classed as Critical and two of these have been seen actively targeted in the wild. The remaining 49 are classed as Important.

Exchange Server is once again the target of one of these Critical bugs, with CVE-2021-42321 representing a Remote Code Execution flaw in on-premises 2013, 2016 and 2019 servers, including those operating in hybrid mode. However, the flaw is post-authentication, meaning an attacker must have valid credentials to make a connection and initiate the attack, which removes the risk of indiscriminate “spray and pray” attacks. Further details are currently scant; however, Microsoft’s advice is to patch promptly. Anyone operating Exchange Online does not need to patch and is already protected.

CVE-2021-26443 has the highest CVSS rating this month, scoring 9.0 for the ability of an attacker to escape the hypervisor and execute arbitrary code from a guest machine on the underlying host server via a VMBus channel. While serious, exploiting this type of vulnerability requires access to the guest machine itself, and so is typically used in the later stages of an attack rather than as a primary attack vector.

Finally, one of the zero-day bugs affects Excel and bypasses the built-in security features of the programme. Office apps have a number of built-in features and capabilities to prevent malicious code being executed from macros, and in this case the bug allows an attacker to sidestep these controls. While it is only rated Important, the fact that it is already being exploited in the wild makes it important to update.

Adobe

Adobe’s release on Patch Tuesday itself was sparse, with only 3 updates for apps including the Creative Cloud. However, they also released a larger number of updates several weeks ago covering Acrobat, After Effects, Illustrator and other tools.