During Patch Tuesday September, Microsoft released over 60 security-related updates and patches, including fixes for two issues labeled as “critical” – CVE-2021-40444, that leverages IE’s MSHTML component and CVE-2021-36965, also nicknamed the WLAN AutoConfig flaw. The company also addressed several other vulnerabilities, some of which came by the way of bug bounty hunting. All security roll items were marked as “solved” by Microsoft.

 Patch Tuesday September 2021 Highlights

September’s Patch Tuesday brought us a bounty of fixes, updates, and patches. MS’s Chromium-based Edge receives another update, as well as other MS products such as Office Access, Edge for Android, Accessibility Insights for Android, the Dynamics Business Central Control, Azure Open Management Infrastructure, and Visual Studio.

Mitigations-wise, Microsoft managed to solve about around 60 CVEs, ranging from “Moderate” to “Important. Of note are CVE-2021-40444, impacting Internet Explorer’s MSHTML component, and the WLAN Autoconfig flaw (CVE-2021-36965), a bug stemming from an April-reported vulnerability, that triggers a similar Remote Code Execution (RCE) behavior.  Other noteworthy CVEs with fixes or workaround found in September’s roll:

  • CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability. Using a crafted, web-sent file, an attacker could trigger RCE in the victim by leveraging a flaw in the Scripting Engine.
  • CVE-2021-30606 Use after free in Blink vulnerability. Impacts older Google Chrome versions (before 93.0.4577.67). Social engineering techniques used to persuade a user to execute a drag-and-drop action on a crafted HTML page to circumvent sandboxing.
  • CVE-2021-30607 Use after free in Permissions. Google Chrome vulnerability (versions below 93.0.4577.63) that would have potentially allowed a threat actor to trigger an exploit heap corruption by using a forged HTML page.
  • CVE-2021-30609  Use after free in Sign-In. RCE-based vulnerability leveraging Chrome’s Use after free Sign-In mechanism. Similar to CVE-2021-30607, a forged HTML page is employed to trigger an exploit heap corruption.

Microsoft’s major September achievements are the fixes for CVE-2021-40444 and CVE-2021-36965. The details can be found below.

CVE-2021-36965 – Windows WLAN AutoConfig Service Remote Code Execution (RCE) Vulnerability

Rated “critical” by Microsoft, this vulnerability leverages a hidden flaw in the WLAN Autoconfig Service to trigger Remote Code Execution. CVE-2021-36965 has received an official fix as part of MS’s September patching bout.

Despite its high impact level, several conditions must be met for an attack conducted by the means of WLAN AutoConfig Service to be successful – the attacker must have access to the local network to trigger this behavior. In addition, an advisory released by Vulnerability Database might suggest a possible connection between CVE-2021-36965 and RaaS-type infrastructures. The flaw can be fixed by applying the latest MS security patches.

CVE-2021-40444 – Microsoft MSHTML Remote Code Execution (RCE) Vulnerability

On the more exotic side, we have CVE-2021-40444, an RCE vulnerability that triggers arbitrary RCE and Cobalt Strike payload(ing) by leveraging an MSHTML vulnerability that allows for ‘unsandboxing’ of malicious content when viewed online via Microsoft’s Internet Explorer.

This specific attack form, which requires interaction on the user side, is specifically designed to circumvent file-opening and file-editing safeguards such as Protected View.  Additionally, CVE-2021-40444 requires a forged Microsoft HTML to triggered the desired RCE behavior on the victim’s machine. Ultimately, the user will be coaxed into downloading evil code on the machine, which will run on the available privileges.

Wrap-up and recommendations

Microsoft’s Patch Tuesday September has managed to resolve quite a number of pressing issues. As always, my number one recommendation would be to download and deploy the latest security patches and/or updates as fast as possible, using whatever method suits you best. Of course, Heimdal™ Security supports all patching and updating flow with Patch & Asset Management, a fast-track and easy to deploy automatic patching & updating solution that secures your network end-to-end, closing all security gaps (associated with running legacy or older software). And, as always, never open suspicious attachments or click on links received from unknown sources.

Additional Resources:

What Is Patch Management? Definition, Importance, Key Steps, and Best Practices

WSUS vs. SCCM vs. Intune Comparison – Benefits, Ease of Use, and Deployment

Patch Management Policy: A Practical Guide

Understanding the Automated Patch Management Process

What Is a Software Patch?


I dont want more letters from you

Leave a Reply

Your email address will not be published. Required fields are marked *