VERT Threat Alert: September 2021 Patch Tuesday Analysis

Today’s VERT Alert addresses Microsoft’s September 2021 Security Updates. VERT is actively working on coverage for these vulnerabilities and expects to ship ASPL-964 on Wednesday, September 15th.

In-The-Wild & Disclosed CVEs

CVE-2021-40444

This CVE describes a publicly exploited vulnerability in MSHTML that provides user level access upon successful exploitation. According to Microsoft, a malicious ActiveX control embedded in an Office document could be used to exploit this vulnerability. Attacks have been seen in the wild and Microsoft has included signatures in Microsoft Defender to detect and protect against the known attacks.

Microsoft has rated this as Exploitation Detected on the latest software release on the Exploitability Index.

Sponsorships Available

Sponsorships Available

Sponsorships Available

CVE-2021-36968

A local vulnerability in Windows DNS could allow for privilege escalation. The vulnerability only impacts Windows 7 and Server 2008 / Server 2008 R2. The vulnerability has been disclosed but it has not yet been exploited publicly. 

Microsoft has rated this as Exploitation Less Likely on the latest software release on the Exploitability Index.

CVE Breakdown by Tag

While historical Microsoft Security Bulletin groupings are gone, Microsoft vulnerabilities are tagged with an identifier. This list provides a breakdown of the CVEs on a per tag basis. Vulnerabilities are also colour coded to aid with identifying key issues.

• Traditional Software
• Mobile Software
• Cloud or Cloud Adjacent
• Vulnerabilities that are being exploited or that have been disclosed will be bold.