Microsoft Patch Tuesday: 84 new vulnerabilities
Microsoft on Tuesday revealed 84 vulnerabilities, including one that has been exploited and one that has been publicly disclosed.
The released patches address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows Components; Azure, Azure Arc and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; NuGet Client; Hyper-V; and Windows Resilient File System (ReFS).
This release includes 12 patches for CVEs in Microsoft Edge (Chromium-based) released earlier this month.
The vulnerability that has been exploited is a Windows COM+ Event System Service Elevation of Privilege Vulnerability. An attacker who successfully exploits this vulnerability can gain SYSTEM privileges.
The publicly disclosed vulnerability is a Microsoft Office Information Disclosure Vulnerability. This vulnerability, discovered by Cody Thomas of SpecterOps, poses a risk to user tokens and other sensitive information.
“What could be more exciting is what’s not in this month’s release,” Dustin Childs of the Zero Day Initiative wrote. “There are no updates available for Exchange Server, although two Exchange bugs have been actively exploited for at least two weeks. These bugs were purchased by ZDI in early September and reported to Microsoft at the time. There are no updates available to fully address these errors; the best admins can do is ensure that the September 2021 Cumulative Update (CU) is installed.”