It is another low-volume Patch Tuesday this month as Microsoft releases fixes for 50 vulnerabilities. This should not diminish the importance of speedily applying the updates. Of the vulnerabilities being patched this month, 6 are 0-days under active exploitation (CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199, and CVE-2021-31201). These patches should be given immediate priority. Luckily, they can all be addressed by normal operating system patches and should not require additional manual intervention. Additionally, enterprises that use Kerberos in their environment should take action on CVE-2021-31962, as it may allow an attacker to bypass Kerberos authentication altogether.
Windows MSHTML Platform Remote Code Execution Vulnerability (CVE-2021-33742)
This is the only 0-day vulnerability this month that results in remote code execution. The vulnerability lies within the MSHTML platform, which is used by Internet Explorer 11 and Edge Legacy. While these two products are no longer fully supported (Edge Legacy is end of life and IE 11 is no longer supported on certain platforms), the underlying HTML libraries continue to be updated because other applications can make use of them. Further details for this vulnerability will be published by Google's Threat Analysis Group within the next 30 days.
While CVE-2021-31962 has not been exploited in the wild yet, it would be a rather juicy target for exploit developers. Were it to be exploited, it may allow a complete bypass of Kerberos authentication, allowing a connection without a password. Kerberos is generally used in enterprise environments, and as such sysadmins should patch this if they rely on this strong cryptographic authentication mechanism.
The rest of the 0-days this month can result in elevation of privilege. These vulnerabilities are often chained with other vulnerabilities in order to achieve code execution as an Administrator. Luckily for defenders, these vulnerabilities are simply patched using the traditional update methods.
Here are this month's patched vulnerabilities, split by product family.