Microsoft unveils mega security update, so update now
Microsoft addresses actively exploited MSHTML vulnerability in latest Patch Tuesday
The monthly edition of bug fixes from Microsoft addresses over 60 vulnerabilities in products from Microsoft’s stable, and another 20 Chromium security bugs in Microsoft Edge.
Microsoft’s September Patch Tuesday impacts over a dozen products including Azure Open Management Infrastructure, Azure Sphere, Microsoft Office, Microsoft Windows DNS, Visual Studio, BitLocker, Windows Subsystem for Linux (WSL), and more.
Importantly however, the release also patches the recently disclosed zero-day vulnerability in Internet Explorer’s browsing engine MSHTML/Trident that was being exploited in the wild.
We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.
- These are the best endpoint protection tools
- Here's our choice of the best malware removal software on the market
- Also take a look at the best firewall apps and services
“The Zero Day vulnerability in MSHTML (CVE-2021-40444) has been resolved this month. Microsoft’s original mitigation guidance released on September 7 can be disabled once you have updated all Windows OSs this month,” Chris Goettl, Vice President of Product Management for Security at Ivanti shared with TechRadar Pro.
Patch without delay
Analyzing all the patched vulnerabilities, 27 are privilege escalation vulnerabilities, 16 could enable remote code execution, 11 are information disclosure vulnerabilities, eight are spoofing vulnerabilities, two could help bypass security features, and one could cause denial of service.
Goettl adds that in addition to the MSHTML vulnerability, the update includes a couple more that are of note.
One of them, tracked as CVE-2021-36958, is a Print Spooler vulnerability that was initially addressed last month, but has been updated this month to address some additional concerns that were identified by researchers beyond the original fix.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
“The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates,” stresses Goettl.
The third vulnerability that Goettl points out is the elevation of privilege vulnerability in Windows DNS. Tracked as CVE-2021-36968, the vulnerability applies to the legacy Windows OSs, which is what makes it particularly attractive to threat actors.
“Public disclosure gives threat actors a bit of a jump start on developing a working exploit. In this case, they could find the fact that this only affects legacy OSs as attractive, banking on the fact that companies are still running on the legacy OSs but not continuing with ESU support from Microsoft,” he shares, urging businesses still using legacy Windows releases to either migrate off these platforms or at least subscribe to Microsoft’s extended security update (ESU) program.
- Protect your devices with these best antivirus software
Via BleepingComputer
With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.
“It's not just one silver bullet” - AWS unveils plans for continued major environmental push as it looks to lead the way on sustainability
No, you can't run Windows on its tiny screen; minuscule mini PC has built-in display, fingerprint reader, OCuLink, double 2.5Gb LAN port and can drive four 8K monitors without an extra GPU