Microsoft has released its latest update to fix 55 bugs, six of which are critical while 49 are rated as important. Unfortunately, patches for Microsoft Office 2019 of Mac and Microsoft Office LTSC for Mac 2021 are not included in this update.
Microsoft Patch Tuesday November 2021: Complete Details
According to ZDNet, the first Microsoft patch Tuesday for this month has fixed six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege (EoP) security flaws, as well as issues that could lead to spoofing and tampering.
With regards to the percentage count by impact, Tenable stated that the EoP issues made up more than 36 percent of the vulnerabilities patched this month, while the RCE is approximately 27 percent.
Microsoft stated that EoP occurs when an attacker is granted authorized permissions beyond those originally provided. An attacker with read-only access, for instance, can elevate the set to include read and write permissions.
Additionally, RCE is a type of cyber-attack in which an attacker may remotely execute commands on another computer, per Bug Crowd. It is caused by harmful malware that the host has downloaded, and it can occur independently of the device's geographic location.
Furthermore, Tenable added that this month's Microsoft patch includes Microsoft Azure, the Chromium-based Edge browser, Microsoft Office (including associated applications such as Excel, Word, and SharePoint), Visual Studio, Exchange Server, Windows Kernel and Windows Defender.
On the other hand, ZDNet also shared in detail some of the most interesting issues fixed in this month's Microsoft Patch Tuesday, which are all considered critical.
- CVE-2021-42321: (CVSS:3.1 8.8 / 7.7): This affects Microsoft Exchange Server and can lead to RCE owing to poor validation of cmdlet inputs. The attackers, on the other hand, must be verified.
- CVE-2021-42292: (CVSS:3.1 7.8 / 7.0): This was discovered in Microsoft Excel and can be used to bypass security restrictions. Unfortunately, Microsoft Office 2019 for Mac and Microsoft Office LTSC for Mac 2021 do not have any patches available right now.
- CVE-2021-43209: (CVSS:3.1 7.8 / 6.8): This bug, which is a 3D Viewer vulnerability, can be exploited locally to trigger RCE.
- CVE-2021-43208: (CVSS:3.1 7.8 / 6.8): A local attacker can use this 3D Viewer security flaw to execute codes.
- CVE-2021-38631: (CVSS:3.0 4.4 / 3.9): Attackers can use this security flaw in the Windows Remote Desktop Protocol (RDP) to leak information.
- CVE-2021-41371: (CVSS:3.1 4.4 / 3.9): This RDP vulnerability, which was known before the fix was released, can be used locally to force a data leak.
What Is Microsoft Patch Tuesday?
For those who are not familiar with Microsoft's patch Tuesday, Tech Republic stated that the tech giant invented a security update schedule in 2003 allowing network administrators to develop compatibility testing and deployment strategies into their monthly schedules. The goal was to keep administrators from having to cope up with updates that were provided on an irregular basis.
The Tech Republic furthered that there are two important Tuesdays on Microsoft's update schedule.
The first patch Tuesday occurs every second Tuesday of every month, in which Microsoft publishes security upgrades for Windows (desktop and server editions), Office, and other Microsoft applications. Meanwhile, the second important Tuesday occurs every fourth Tuesday of each month, which is for non-security-related updates.