Among the 60 security fixes and updates Microsoft released on Patch Tuesday (14th september), was a fix resolving a Remote Code Execution problem in MSHTML.
The products affected by the September security update include Azure Sphere, Azure Open Management, PowerPoint, Office Excel, Access, Word, the kernel, Visual Studio, Microsoft Windows DNS, and BitLocker, among others.
On September 7, the Redmond giant said a remote code execution flaw in MSHTML had been found and was being used in a limited number of attacks against Windows systems. The zero-day bug was tracked as CVE-2021-40444 and was resolved in the recent update.
As with any other update, users should apply it immediately to stay safe. Another notable vulnerability fixed was tracked as CVE-2021-38647, with a score of 9.8.
The critical bug on the September patch list affects the Open Management Infrastructure (OMI), allowing attackers to perform RCE attacks without authentication by sending malicious messages via HTTPS to port 5986.
Some Azure products expose an HTTP/S port for interacting with OMI where the HTTP/S listener is enabled, offering an opportunity for remote code execution. Microsoft noted that most Azure services that use OMI deploy it without exposing the HTTP/S port.
- CVE-2021-36968– a zero-day vulnerability found and disclosed by Microsoft, with a score of 7.8. No evidence of exploitation in the wild is available.
- CVE-2021-26435– A flaw with a score of 8.1, found in the Microsoft Windows scripting engine. It requires user interaction to trigger, though.
- CVE-2021-36967– This flaw scored an 8.0 and is found in the Windows WLAN AutoConfig service and may be used to elevate privileges.
As the hybrid work model continues, security will always be a challenge, as shown by the high patch rate the Redmond giant has had this year.