The October 2021 Patch Tuesday continues the quiet streak observed in August and September. Out of 71 bulletins, only three were rated Critical this month. The list also included fixes for four publicly known vulnerabilities. Of the fixed vulnerabilities, 11 were disclosed via the Zero Day Initiative.
Three Critical patches and other notable vulnerabilities
Only three patches were rated Critical this month. Two of them were remote code execution (RCE) vulnerabilities (CVE-2021-38672 and CVE-2021-40461) found in Hyper-V, a hardware virtualization tool. The other Critical fix was for an RCE found in Microsoft Word (CVE-2021-40486).
Meanwhile, CVE-2021-40449, a Win32k Elevation of Privilege Vulnerability, was found to be actively exploited in what was likely a targeted campaign. Microsoft also fixed three other publicly known vulnerabilities, CVE-2021-40469, CVE-2021-41338, and CVE-2021-41335, with no reported exploits.
The 71 bulletins also addressed issues found in Microsoft Storage Spaces, Microsoft Excel, and SharePoint. Most of the RCE vulnerabilities were found within the Office family. Exploiting these vulnerabilities would require a specially crafted file that a user would have to open. An exception is CVE-2021-40469, a DNS vulnerability mentioned earlier, but this still requires high privileges to use in an attack.
Two bulletins were also included for print spooler and one for MSHTML. In July, Microsoft released an out-of-band