[SANS ISC] Microsoft September 2021 Patch Tuesday, (Tue, Sep 14th)

This month we got patches for <> vulnerabilities. Of these, <> are critical, <> were previously disclosed and <> is being exploited according to Microsoft.

As expected, Microsoft released the patch for the zero-day affecting MSHTML that could allow an attacker to execute remote code on an affected system. According to the advisory, an attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. The CVSS for this vulnerability is 8.80 (out of 10).

See my dashboard for a more detailed breakout: https://patchtuesdaydashboard.com/

September Early Security Releases

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| Chromium: CVE-2021-30606 Use after free in Blink | CVE-2021-30606 | No | No | | | | | |
| Chromium: CVE-2021-30607 Use after free in Permissions | CVE-2021-30607 | No | No | | | | | |
| Chromium: CVE-2021-30608 Use after free in Web Share | CVE-2021-30608 | No | No | | | | | |
| Chromium: CVE-2021-30609 Use after free in Sign-In | CVE-2021-30609 | No | No | | | | | |
| Chromium: CVE-2021-30610 Use after free in Extensions API | CVE-2021-30610 | No | No | | | | | |
| Chromium: CVE-2021-30611 Use after free in WebRTC | CVE-2021-30611 | No | No | | | | | |
| Chromium: CVE-2021-30612 Use after free in WebRTC | CVE-2021-30612 | No | No | | | | | |
| Chromium: CVE-2021-30613 Use after free in Base internals | CVE-2021-30613 | No | No | | | | | |
| Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip | CVE-2021-30614 | No | No | | | | | |
| Chromium: CVE-2021-30615 Cross-origin data leak in Navigation | CVE-2021-30615 | No | No | | | | | |
| Chromium: CVE-2021-30616 Use after free in Media | CVE-2021-30616 | No | No | | | | | |
| Chromium: CVE-2021-30617 Policy bypass in Blink | CVE-2021-30617 | No | No | | | | | |
| Chromium: CVE-2021-30618 Inappropriate implementation in DevTools | CVE-2021-30618 | No | No | | | | | |
| Chromium: CVE-2021-30619 UI Spoofing in Autofill | CVE-2021-30619 | No | No | | | | | |
| Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink | CVE-2021-30620 | No | No | | | | | |
| Chromium: CVE-2021-30621 UI Spoofing in Autofill | CVE-2021-30621 | No | No | | | | | |
| Chromium: CVE-2021-30622 Use after free in WebApp Installs | CVE-2021-30622 | No | No | | | | | |
| Chromium: CVE-2021-30623 Use after free in Bookmarks | CVE-2021-30623 | No | No | | | | | |
| Chromium: CVE-2021-30624 Use after free in Autofill | CVE-2021-30624 | No | No | | | | | |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2021-26436 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3 |
| Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | CVE-2021-36930 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.6 |
| Microsoft Edge (Chromium-based) Tampering Vulnerability | CVE-2021-38669 | No | No | Less Likely | Less Likely | Important | 6.4 | 5.6 |
| Microsoft Edge for Android Information Disclosure Vulnerability | CVE-2021-26439 | No | No | | | Moderate | 4.6 | 4.0 |
| Microsoft Edge for Android Spoofing Vulnerability | CVE-2021-38641 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3 |
| Microsoft Edge for iOS Spoofing Vulnerability | CVE-2021-38642 | No | No | Less Likely | Less Likely | Important | 6.1 | 5.3 |
| Microsoft MSHTML Remote Code Execution Vulnerability | CVE-2021-40444 | Yes | Yes | Detected | Detected | Important | 8.8 | 7.9 |

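To make the two CVSS columns in the table concrete, here is an added example (not ISC's or Microsoft's code) that implements the CVSS v3.1 base and temporal formulas and checks them against the numbers above. The MSHTML vector string is Microsoft's published one and is assumed here, as is the E:U/RL:O/RC:C temporal combination for the unexploited Edge rows; neither appears in the diary itself.

```python
"""CVSS v3.1 base and temporal scoring, worked against this diary's table.
Added example, not ISC's code. The vector for CVE-2021-40444 and the
temporal metrics used below are assumptions, not values the diary lists."""
import math

# Metric weights from the CVSS v3.1 specification (scope-unchanged case).
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
PR_UNCHANGED = {"N": 0.85, "L": 0.62, "H": 0.27}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
E = {"X": 1.0, "U": 0.91, "P": 0.94, "F": 0.97, "H": 1.0}    # Exploit Code Maturity
RL = {"X": 1.0, "O": 0.95, "T": 0.96, "W": 0.97, "U": 1.0}   # Remediation Level
RC = {"X": 1.0, "U": 0.92, "R": 0.96, "C": 1.0}              # Report Confidence


def roundup(x: float) -> float:
    """CVSS v3.1 Roundup: smallest one-decimal value >= x, computed on
    integers so float artefacts do not flip the result (spec appendix)."""
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (math.floor(i / 10000) + 1) / 10.0


def parse(vector: str) -> dict:
    parts = vector.split("/")
    assert parts[0] == "CVSS:3.1", "only v3.1 vectors are handled"
    return dict(p.split(":") for p in parts[1:])


def base_score(vector: str) -> float:
    """Base score for a scope-unchanged vector (all rows in this table are S:U)."""
    m = parse(vector)
    assert m["S"] == "U", "scope-changed formula not needed for this table"
    iss = 1 - (1 - CIA[m["C"]]) * (1 - CIA[m["I"]]) * (1 - CIA[m["A"]])
    impact = 6.42 * iss
    exploitability = 8.22 * AV[m["AV"]] * AC[m["AC"]] * PR_UNCHANGED[m["PR"]] * UI[m["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))


def temporal_score(base: float, e: str, rl: str, rc: str) -> float:
    """Temporal = Roundup(Base * E * RL * RC); this is the 'CVSS Temporal' column."""
    return roundup(base * E[e] * RL[rl] * RC[rc])


# Assumed vector (Microsoft's published one for the MSHTML bug, not from the diary).
MSHTML_VECTOR = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"

if __name__ == "__main__":
    b = base_score(MSHTML_VECTOR)
    # Proof-of-concept exploit code (E:P) plus an official fix (RL:O) takes 8.8 down to 7.9.
    print("CVE-2021-40444 base", b, "temporal", temporal_score(b, "P", "O", "C"))
```

The unexploited Edge rows reproduce exactly under E:U/RL:O/RC:C (6.1 to 5.3, 5.3 to 4.6, 6.4 to 5.6, 4.6 to 4.0), which is why every temporal value in the table sits below its base.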

Renato Marinho
Morphus Labs | LinkedIn | Twitter

(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

Source: SANS Internet Storm Center (InfoCON: green)

