Microsoft fixed a total of 66 security vulnerabilities with the Tuesday update in September. These include three vulnerabilities that Microsoft classifies as critical and two zero-day vulnerabilities.

66 vulnerabilities were fixed on September 14, with three classified as critical, all other apart from one are classified as high risk. The critical vulnerabilities affect Windows and the open source project Open Management Infrastructure. Two vulnerabilities were publicly known in advance, one of these vulnerabilities (CVE-2021-40444) is already being exploited. Microsoft provides no details on the vulnerabilities in the guidelines for security updates.

Browser

The zero-day vulnerability CVE-2021-40444 is in the MSHTML module and can therefore be considered an IE component. It is consequently closed in older Windows versions by a cumulative update for Internet Explorer (KB5005563). All Windows versions including the server editions are affected.

The latest security update for Edge (Chromium) is version 93.0.961.47, which has been available since September 11. It is still based on Chromium 93.0.4577.63, but according to Microsoft already contains a patch against the 0-day vulnerability CVE-2021-30632. Google closed this on September 13 with the update to Chrome 93.0.4577.82. Several other weaknesses that Google has fixed with the Chrome update are likely to be in the current Edge version.

Office

Microsoft fixed 12 vulnerabilities in its Office family this month. Microsoft identifies all vulnerabilities as high risk. Nine vulnerabilities are suitable for injecting and executing code with prepared Office documents. One of these vulnerabilities affects Word (CVE-2021-38656) and Excel (CVE-2021-38655), two are in Visio (CVE-2021-38653, -38654). The zero-day gap CVE-2021-40444 in MSHTML is used for attacks by mail using prepared Office documents. A harmful ActiveX element is embedded in it. Switching off ActiveX is likely to be insufficient as protection, as this protective measure can be bypassed.

Windows

The majority of the vulnerabilities (34) are distributed across the various Windows versions (8.1 and newer), for which Microsoft still offers security updates for everyone. Windows 7 and Server 2008 R2 are mentioned in the security reports, but updates are only received by organizations participating in the paid ESU program.

One of the two vulnerabilities in Windows that have been identified as critical is CVE-2021-36965 in the WLAN AutoConfig service. An attacker who is within WLAN range could smuggle in arbitrary code without user interaction and execute it with system rights. This allows him to take complete control of the attacked system. This can happen in a café or in another public place where several people are using an unsecured WLAN. All Windows versions including the server are affected. Actual attacks of this kind are not yet known.

The second critical Windows vulnerability (CVE-2021-26435) is in the Windows script engine. An attacker could email a potential victim with a prepared file or lure them to a specially prepared web page. If successful, the attacker could inject arbitrary code that would be executed with user rights. All Windows versions including the server are susceptible.

The easiest way to get the updates is via the settings and the item Update and Security. Go to the entry Windows Update and click on Check for updates. Cumulative updates have the convenient property that they combine all fixes for a Windows version, regardless of their exact status. If you missed one or more Patches, you do not have to install the updates, you can update your system in one go.