Patch Tuesday: Microsoft fixes 84 new vulnerabilities


Microsoft patched 84 vulnerabilities in this Tuesday's Patch Tuesday release, including one that was exploited and another that was publicly disclosed. The released patches address common vulnerabilities and exposures (CVEs) in Microsoft Windows and its components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and its components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; NuGet Client; Hyper-V; and Windows Resilient File System (ReFS).

This release is in addition to the 12 fixes for Microsoft Edge (Chromium-based) CVEs released earlier this month. The vulnerability that was exploited is a Windows COM+ Event System Service elevation of privilege vulnerability. An attacker who successfully exploited this vulnerability could gain system privileges. The publicly disclosed vulnerability is a Microsoft Office Information Disclosure Vulnerability. This vulnerability, discovered by Cody Thomas of SpecterOps, puts user tokens and other potentially sensitive information at risk.

“Perhaps more interesting is what’s not included in this month’s release,” writes Dustin Childs for Zero Day Initiative. “There is no update for Exchange Server, while two Exchange vulnerabilities have been actively exploited for at least two weeks. These flaws were purchased by ZDI in early September and reported to Microsoft at that time. Since no update is available to fully fix these bugs, the best admins can do is ensure that the September 2021 Cumulative Update (CU) is installed.”

Source: ZDNet.com
