Microsoft Patch Tuesday October 2021

Overview

Microsoft’s monthly patch release includes fixes for two local Elevation of Privilege (EoP) vulnerabilities (CVE-2021-40449, CVE-2021-41335), a Remote Code Execution (RCE) vulnerability in DNS Server (CVE-2021-40469) and an issue affecting AppContainer Firewall Rules (CVE-2021-41338). CVE-2021-40449 has been observed being exploited in the wild.

An RCE vulnerability in Word (CVE-2021-40486) would allow code execution by opening a malicious document.

Other fixes are included for Exchange Server (CVE-2021-26427), Hyper-V (CVE-2021-38672 and CVE-2021-40461), and SharePoint Server (CVE-2021-40487 and CVE-2021-41344).

Impact

A remote attacker may be able to exploit the Windows DNS Server service to execute code on the DNS server.

An attacker may be able to craft a malicious Word document that could execute code on a device.

A local user on an affected Windows machine could elevate their account privileges to those of an administrator.

Affected Products

Security updates have been released for the following products:

  • .NET Core & Visual Studio
  • Active Directory Federation Services
  • Console Window Host
  • HTTP.sys
  • Microsoft DWM Core Library
  • Microsoft Dynamics
  • Microsoft Edge (Chromium-based)
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Intune
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Visio
  • Microsoft Office Word
  • Microsoft Windows Codecs Library
  • Rich Text Edit Control
  • Role: DNS Server
  • Role: Windows Active Directory Server
  • Role: Windows AD FS Server
  • Role: Windows Hyper-V
  • System Center
  • Visual Studio
  • Windows AppContainer
  • Windows AppX Deployment Service
  • Windows Bind Filter Driver
  • Windows Cloud Files Mini Filter Driver
  • Windows Common Log File System Driver
  • Windows Desktop Bridge
  • Windows DirectX
  • Windows Event Tracing
  • Windows exFAT File System
  • Windows Fastfat Driver
  • Windows Installer
  • Windows Kernel
  • Windows MSHTML Platform
  • Windows Nearby Sharing
  • Windows Network Address Translation (NAT)
  • Windows Print Spooler Components
  • Windows Remote Procedure Call Runtime
  • Windows Storage Spaces Controller
  • Windows TCP/IP
  • Windows Text Shaping
  • Windows Win32K

Indicators of Compromise

Kaspersky has seen these domains used by a Remote Access Trojan that makes use of CVE-2021-40449:

  • www[.]disktest[.]com
  • www[.]runblerx[.]com
  • http[.]ddspadus[.]com
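To put the indicators above to use, here is an added example (not code from the original advisory or from Kaspersky) that refangs the published domains and scans DNS-query log lines for exact or subdomain matches. The log lines are constructed and their `<timestamp> <client_ip> <query_name>` layout is an assumption; adapt the regex to your own resolver's export.

```python
import re
from typing import List, Optional, Set, Tuple

# Defanged indicators exactly as published on this page.
DEFANGED_IOCS = [
    "www[.]disktest[.]com",
    "www[.]runblerx[.]com",
    "http[.]ddspadus[.]com",
]

def refang(indicator: str) -> str:
    """Convert a defanged indicator ("www[.]example[.]com", "hxxp://...") to a plain hostname."""
    host = indicator.strip().lower().replace("[.]", ".").replace("(.)", ".")
    host = re.sub(r"^(hxxps?|https?)://", "", host)
    return host.rstrip(".")

IOC_HOSTS: Set[str] = {refang(i) for i in DEFANGED_IOCS}

def host_matches(queried: str) -> Optional[str]:
    """Return the indicator that `queried` equals or is a subdomain of, else None.
    Note: the apex (e.g. disktest.com) is deliberately NOT matched, only the published host."""
    q = queried.lower().rstrip(".")
    for ioc in IOC_HOSTS:
        if q == ioc or q.endswith("." + ioc):
            return ioc
    return None

# Constructed sample log; the "<timestamp> <client_ip> <query_name>" format is hypothetical.
SAMPLE_LOG = """\
2021-10-13 09:12:01 10.0.0.15 www.disktest.com
2021-10-13 09:12:05 10.0.0.15 update.microsoft.com
2021-10-13 09:13:44 10.0.0.22 beacon.www.runblerx.com
2021-10-13 09:14:10 10.0.0.22 disktest.com
2021-10-13 09:15:32 10.0.0.31 http.ddspadus.com.
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<qname>\S+)$")

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client_ip, queried_name, matched_ioc) for every line that hits an indicator."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected layout
        ioc = host_matches(m.group("qname"))
        if ioc:
            hits.append((m.group("client"), m.group("qname"), ioc))
    return hits

if __name__ == "__main__":
    for client, qname, ioc in scan_log(SAMPLE_LOG):
        print(f"{client} queried {qname} (matches {ioc})")
```

Three of the five constructed lines match; the bare apex `disktest.com` does not, because only the published `www` host is an indicator.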

Mitre Methodologies

T1068 Exploitation for Privilege Escalation

Further Information

October 2021 Security Updates

MysterySnail attacks with Windows zero-day