Microsoft Patch Tuesday: 84 new vulnerabilities
Microsoft disclosed 84 vulnerabilities on Tuesday, including one that is known to have been exploited and one that was publicly disclosed before the fix shipped.
The released patches address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; NuGet Client; Hyper-V; and Windows Resilient File System (ReFS).
This release is in addition to 12 fixes for CVEs in Microsoft Edge (Chromium-based) that were released earlier this month.
The vulnerability that was exploited is a Windows COM+ Event System Service elevation of privilege vulnerability. An attacker who successfully exploited it could gain SYSTEM privileges on the affected host.
The publicly disclosed vulnerability is a Microsoft Office Information Disclosure Vulnerability. This vulnerability, discovered by Cody Thomas with SpecterOps, puts user tokens and other potentially sensitive information at risk.
“What may be more interesting is what’s not included in this month’s release,” wrote Dustin Childs of the Zero Day Initiative. “There are no updates for Exchange Server, although two Exchange bugs have been actively exploited for at least two weeks. These bugs were purchased by ZDI in early September and reported to Microsoft at the time. No update is available to fully address these bugs; the best administrators can do is ensure that the September 2021 Cumulative Update (CU) is installed.”