Welcome to the September patch roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors.  It’s been a busy few weeks with several of these hitting mainstream news outlets again, so let’s get started:

Microsoft  

This month’s edition addressed a total of 66 vulnerabilities in addition to the 20 Chromium-based CVEs patched by Microsoft Edge earlier this month. Only three vulnerabilities from this month’s round have been rated critical. Let’s drill down into those three critical vulnerabilities specifically:

1. CVE-2021-40444: This critical zero-day vulnerability in MSHTML exploited through Microsoft Office applications as well as other Microsoft products and cloud services, allows the attacker to create a maliciously crafted ActiveX control and embed the code into an Office document that calls the ActiveX control when the document gets opened or previewed. It is worth bearing in mind that code to exploit the flaw has been discovered in active attacks by ‘Expmon’ and ‘Mandiant’, so install the update as soon as possible.  

2. CVE-2021-36965, another interesting critical flaw that allows remote code execution in WLAN AutoConfig, the component in Windows 10 and many Server versions that handles auto connections to Wi-Fi networks. A thing to note is that this vulnerability requires no privileges or user interactions, only that the victim and the attacker are on the same network. In other words, users are vulnerable if they use unsecured networks such as those used in coffee shops or similar public locations where multiple people connect to the same network. It is a good idea to patch this vulnerability as soon as possible and to take preventative steps in the future by only connecting to secure Wi-Fi networks.  

3.  CVE-2021-38647: the last but not least of the critical vulnerabilities for this month is an Open Management Infrastructure Remote Code Execution Vulnerability. Open Management Infrastructure is an open-source project that furthers the development of the DMTF CIM/WBEM standards. Again, this vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system. OMI users should test and deploy this one quickly. 

Finally, it is worth mentioning CVE-2021-38639 and CVE-2021-36975, two privilege escalation vulnerabilities that have a lesser severity rating, but Microsoft considers them likely to be exploited.  

Apple 

After a busy year of patching zero-day vulnerabilities that seem to be unending, Apple has released updates to fix two more zero-day vulnerabilities that exploited in the wild.  

CVE-2021-30858  - A critical vulnerability found in Apple iOS and iPadOS up to 14.7.1. affects WebKit by allowing hackers to create malicious websites and execute arbitrary code when users visit them.  

CVE-2021-30860  - Earlier this week, Apple issued an emergency software update after the discovery of a critical vulnerability known as ‘zero-click remote exploit’ that allows highly invasive spyware Pegasus from Israel’s NSO group to infect Apple products worldwide. Citizen Lab researchers who discovered this vulnerability on the phone of a Saudi activist named it ‘Forcedentry’. This spyware uses the zero-click infection method to turn on a user’s camera, microphone, record messages, emails or calls. Apple security states that attacks like this one are highly sophisticated, cost millions of dollars to develop and are used to target specific individuals.  

The discovery of CVE-2021-30860 means that more than 1.65 billion Apple products in use worldwide have been vulnerable to Pegasus spyware.

Devices affected by CVE-2021-30860 per Apple: 

All iPhones with iOS versions prior to 14.8, All Mac computers with operating system versions prior to OSX Big Sur 11.6, Security Update 2021-005 Catalina, and all Apple Watches prior to watchOS 7.6.2. 

Google 

Google released a new version of its Chrome browser and fixed a total of 11 vulnerabilities, all of them rated high severity. They also addressed two zero-day security bugs actively exploited in the wild: CVE-2021-30632 and CVE-2021-30633.  

CVE-2021-30632 out of bounds write flaw in V8 JavaScript Engine can lead to code execution or data corruption, whereas CVE-2021-30633 is a use after free flaw in the IndexedDB API that can result in attacks ranging from corruption of valid data to execution of arbitrary code.  

Adobe 

Adobe addressed 59 CVEs and published 15 security advisories. Acrobat Reader alone has 26 bugs, 13 of which are rated critical.