Microsoft unveils mega security update, so update now

Microsoft addresses actively exploited MSHTML vulnerability in latest Patch Tuesday

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The monthly edition of bug fixes fromMicrosoftaddresses over 60 vulnerabilities in products from Microsoft’s stable, and another 20 Chromium security bugs inMicrosoft Edge.

Microsoft’sSeptember Patch Tuesdayimpacts over a dozen products includingAzureOpen Management Infrastructure, Azure Sphere,Microsoft Office, Microsoft Windows DNS,Visual Studio, BitLocker, Windows Subsystem for Linux (WSL), and more.

Importantly however, the release also patches the recently disclosedzero-day vulnerabilityinInternet Explorer’s browsing engine MSHTML/Trident that was being exploited in the wild.

We’re looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won’t take more than 60 seconds of your time, and we’d hugely appreciate if you’d share your experiences with us.

Click here to start the survey in a new window«

“The Zero Day vulnerability in MSHTML (CVE-2021-40444) has been resolved this month. Microsoft’soriginal mitigationguidance released on September 7  can be disabled once you have updated all Windows OSs this month,” Chris Goettl, Vice President of Product Management for Security at Ivanti shared withTechRadar Pro.

Patch without delay

Analyzing all the patched vulnerabilities, 27 are privilege escalation vulnerabilities, 16 could enable remote code execution, 11 are information disclosure vulnerabilities, eight are spoofing vulnerabilities, two could help bypass security features, and one could cause denial of service.

Goettl adds that in addition to the MSHTML vulnerability, the update includes a couple more that are of note.

One of them, tracked as CVE-2021-36958, is a Print Spooler vulnerability that was initially addressed last month, but has been updated this month to address some additional concerns that were identified by researchers beyond the original fix.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates,” stresses Goettl.

The third vulnerability that Goettl points out is the elevation of privilege vulnerability in Windows DNS. Tracked as CVE-2021-36968, the vulnerability applies to the legacy Windows OSs, which is what makes it particularly attractive to threat actors.

“Public disclosure gives threat actors a bit of a jump start on developing a working exploit. In this case, they could find the fact that this only affects legacy OSs as attractive, banking on the fact that companies are still running on the legacy OSs but not continuing with ESU support from Microsoft,” he shares, urging businesses still using legacy Windows releases to either migrate off these platforms or at least subscribe to Microsoft’s extended security update (ESU) program.

ViaBleepingComputer

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’sTechRadar Pro’sexpert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

New fanless cooling technology enhances energy efficiency for AI workloads by achieving a 90% reduction in cooling power consumption

Samsung plans record-breaking 400-layer NAND chip that could be key to breaking 200TB barrier for ultra large capacity AI hyperscaler SSDs

NYT Strands today — hints, answers and spangram for Sunday, November 10 (game #252)