Qualys : Microsoft & Adobe Patch Tuesday (October 2021) – Microsoft 74 Vulnerabilities with 3 Critical, 4 Zero-Days. Adobe 10 Vulnerabilities

Published: 2021-10-13 10:32:29 ET QLYS

Microsoft patched 74 vulnerabilities in their October 2021 Patch Tuesday release, of which four are zero-days and three are rated as critical severity.

CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability

This a zero-day vulnerability impacting the Win32K kernel driver. This is being actively exploited by IronHusky and Chinese APT groups. Microsoft has assigned a CVSSv3 base score of 7.8 to this vulnerability and it should be prioritized for patching.

CVE-2021- 40486 - Microsoft Word Remote Code Execution Vulnerability

This vulnerability is due to improper input validation in Microsoft Word. Adversaries can exploit this vulnerability by tricking target users to open a specially crafted file and perform arbitrary code execution. Microsoft has assigned a CVSSv3 base score of 7.8 to this vulnerability.

CVE-2021-40461, CVE-2021-38672- Windows Hyper-V Remote Code Execution Vulnerabilities

These vulnerabilities are due to a set of flaws in the Network Virtualization Service Provider. They could allow an attacker to execute remote code on the target machine. These CVEs are assigned a CVSSv3 base score of 8.0 by the vendor.

CVE-2021-26427: Microsoft Exchange Server Remote Code Execution Vulnerability

This is an RCE vulnerability targeting Microsoft Exchange Server. Adversaries can only exploit this vulnerability on target machines from an adjacent network. Microsoft assigned a base score of 9.0 for this vulnerability.

CVE-2021-41338: Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

CVE-2021-40469: Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-41335: Windows Kernel Elevation of Privilege Vulnerability

Adobe addressed 10 CVEs this Patch Tuesday, and 6 of them are rated as critical severity impacting Acrobat and Reader, Adobe Connect, Opd-cli, Commerce, and Campaign products.

Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.

Disclaimer

Qualys Inc. published this content on 13 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 13 October 2021 14:31:05 UTC.