Analysis of Patch Tuesday in October

According to Ivanti's analysis of Patch Tuesday, October is all about European Cyber Security Month. This is a good time for companies to review their own security strategy: to what extent are the IT and IT security teams able to concentrate on the most important aspects of general cyber hygiene?

Vulnerability management always plays a special role here. For 18 years now, Microsoft has been bundling the release of new patches on Patch Tuesday, helping companies to consolidate tests and maintenance windows and to fix security gaps in common software in a more predictable manner.

Patching: Different requirements for IT teams

Patch Tuesday in October: there are again some important vulnerabilities (Image: Ivanti).

However, the requirements for the IT teams in terms of patching have changed in recent years: they are increasingly struggling to secure an IT environment that is filled with software products from outside of Microsoft & Co., products that at the same time follow very different version and release cycles. Not least because of this, 71 percent of all security specialists complain that vulnerability management is too time-consuming and too complex, according to a current study by Ivanti. The result: patching is increasingly taking a back seat to other tasks, as 62 percent of the study participants stated. Further results of the study are available for download.

Assessment of Patch Tuesday in October

This month Microsoft released updates that fix a total of 74 new security vulnerabilities (CVEs) and two re-released CVEs. These include four publicly disclosed vulnerabilities and one zero-day (CVE-2021-40449). Microsoft rates three of the 76 CVEs this month as critical. This month's updates affect Windows operating systems, Office 365, Exchange Server, Intune, System Center, .NET Core & Visual Studio as well as a number of roles in AD, ADFS, Hyper-V and DNS.

CVE-2021-40449 is a Win32k elevation-of-privilege vulnerability in the Windows operating system, from Windows 7 and Server 2008 to Windows 11 and Server 2022. On its own severity scale, Microsoft classifies this vulnerability only as important. This is a good example of why organizations should focus on risk when addressing vulnerabilities. A risk-based approach to vulnerability management takes into account more realistic indicators such as known vulnerabilities, disclosures, and trends in the exploitation of vulnerabilities by threat actors. The goal of this approach is to better understand which vulnerabilities teams should address first, and quickly.

Microsoft closes further vulnerabilities

Microsoft has also fixed the CVE-2021-41338 vulnerability in the Windows AppContainer Firewall, which can be used to bypass security features. The vulnerability was disclosed to the public, including proof-of-concept code. This enables threat actors to develop an exploit. The vulnerability exists in Windows 10, Server 2016 and later versions.

CVE-2021-41335, on the other hand, is a vulnerability in the Windows kernel that allows elevation of privileges. The vulnerability exists in versions Windows 7 through Windows 10 and Server 2008 through Server 2019. The CVE has been made public, including proof-of-concept code. Microsoft has also fixed CVE-2021-40469, a remote code execution vulnerability in Windows DNS. The vulnerability only affects servers that are configured as DNS servers and applies to Server 2008 through Server 2022. This vulnerability was also made public, including proof-of-concept code.

Fixes in October

With CVE-2021-33781, Microsoft has fixed a vulnerability that allows security features in Azure AD to be bypassed. This vulnerability was originally fixed with Patch Tuesday in July. With this update, further affected versions have now been added: Windows 10 (1607), Server 2016 and Windows 11.

Adobe has again released six updates: for Acrobat and Reader, Connect, Reader Mobile, Commerce, Campaign Standard and ops-cli. The updates for Adobe Connect (APSB21-91) and ops-cli (APSB21-88) contain critical CVEs with a CVSS base score of 9.8 out of 10. APSB21-104 for Adobe Acrobat and Reader fixes the most CVEs of these updates. A total of four vulnerabilities have been fixed in this update, two of which were classified as critical with a CVSS score of 7.8.

Adobe, Foxit, Google and more

Foxit PDF has released updates for its Windows and macOS editions that address many vulnerabilities. Seven CVEs and a number of other IDs have been identified and fixed. These are vulnerabilities identified by the Trend Micro Zero Day Initiative and in the China National Vulnerability Database. Companies can visit the Foxit PDF Editor Updates page for more details.

There have been a total of four releases for Google Chrome since Patch Tuesday in September, which fixed a total of 25 CVEs. Oracle, on the other hand, does not release its quarterly CPU until October 19th. IT teams should take a closer look at the updates for Java, Oracle DB, middleware and other Oracle products at that time.