It’s Patch Tuesday again, but not keeping with the October theme there’s nothing too scary this month. While we see an increase from the recent trend for total exploits closed with an increase to 81, only 3 of those are critical. On the negative side, the run of exploits that are publicly known or already exploited before being patched continues with 3 known and 1 actively exploited. The critical vulnerabilities are around Microsoft Word and Hyper-v. An Interesting side note is that the highest rated CVSS scores are not rated as critical this month Some Highlights (Or Lowlights)
CVE-2021-40449 - This is not one of the critical exploits, but it is the one that has already been exploited. This is an Elevation of privilege vulnerability that would allow an attacker to escalate privileges on an exploited system. Usually, something like this is paired with code execution exploits allowing the attacker to take over systems.
CVE-2021-26427 - This is the highest rated vulnerability this month coming in at 9.0 out of 10, but is only listed as important not critical. While it is a remote code execution vulnerability it can not be run over the internet but requires the attacker to have access to at least an adjacent topology. Whether they are on the local subnet, sore shared a physical network through something like Bluetooth. From there they can run malicious code with very low user access and without any user interaction.
CVE-202140486 - Microsoft Word has a critical remote code execution vulnerability that does not require any sort of privilege to run, but it does require user interaction. USer interaction seems a little generous as this code can be exploited by the doc opening in the preview pane, making the CVSS score of 7.8 seem a little low to me. An attacker code send the compromised file and it could run to code without the user actually even opening up the document.
That is it for this month. The scoring seemed off from the norm, with no exploits rated over an 8.0 getting the critical designation this time around. This seems like it contributed to only 3 being classified as critical for the month. It kind of feels like maybe this month had more serious patches that are able to be reclassified lower through clever use of gray areas. A lot of patched exploits have several indicators of a serious risk, and one mitigating factor that allows for a lower rating if you squint just enough. Whether or not my insane conspiracy theories about one month on patch Tuesday being buried under the rug are true, it is still wise to get your environment patched as soon as possible. With all things IT every task can be simplified with the right tools. PDQ Deploy and PDQ Inventory can help you get patched ASAP with the workflow easily automated.