QLYS
Microsoft patched 74 vulnerabilities in their October 2021 Patch Tuesday release, of which four are zero-days and three are rated as critical severity.
CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability
This a zero-day vulnerability impacting the Win32K kernel driver. This is being actively exploited by IronHusky and Chinese APT groups. Microsoft has assigned a CVSSv3 base score of 7.8 to this vulnerability and it should be prioritized for patching.
CVE-2021- 40486 - Microsoft Word Remote Code Execution Vulnerability
This vulnerability is due to improper input validation in Microsoft Word. Adversaries can exploit this vulnerability by tricking target users to open a specially crafted file and perform arbitrary code execution. Microsoft has assigned a CVSSv3 base score of 7.8 to this vulnerability.
CVE-2021-40461, CVE-2021-38672- Windows Hyper-V Remote Code Execution Vulnerabilities
These vulnerabilities are due to a set of flaws in the Network Virtualization Service Provider. They could allow an attacker to execute remote code on the target machine. These CVEs are assigned a CVSSv3 base score of 8.0 by the vendor.
CVE-2021-26427: Microsoft Exchange Server Remote Code Execution Vulnerability
This is an RCE vulnerability targeting Microsoft Exchange Server. Adversaries can only exploit this vulnerability on target machines from an adjacent network. Microsoft assigned a base score of 9.0 for this vulnerability.
CVE-2021-41338: Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
CVE-2021-40469: Windows DNS Server Remote Code Execution Vulnerability
CVE-2021-41335: Windows Kernel Elevation of Privilege Vulnerability
Adobe addressed 10 CVEs this Patch Tuesday, and 6 of them are rated as critical severity impacting Acrobat and Reader, Adobe Connect, Opd-cli, Commerce, and Campaign products.
Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday, followed shortly after by PT dashboards.
Disclaimer
Qualys Inc. published this content on 13 October 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 13 October 2021 14:31:05 UTC.