Χθες η Microsoft κυκλοφόρησε το Patch Tuesday του Σεπτεμβρίου 2021 το οποίο διορθώνει συνολικά 60 ευπάθειες, εκ των οποίων οι δύο είναι zero-day.
Δείτε επίσης: Το Pegasus spyware ξαναχτυπά: Ενημερώστε iPhone, Mac, Apple Watch!
Οι ευπάθειες που διορθώνουν οι νέες ενημερώσεις ασφαλείας, επηρεάζουν πολλά προϊόντα της εταιρείας, όπως τα: Azure Open Management Infrastructure, Azure Sphere, Office Excel, PowerPoint, Word και Access, kernel, Visual Studio, Microsoft Windows DNS και BitLocker.
Το Patch Tuesday Σεπτεμβρίου 2021 διορθώνει και ένα RCE σφάλμα στο MSHTML, το οποίο ανακοίνωσε η Microsoft πριν μερικές ημέρες. Η εταιρεία είχε πει ότι η συγκεκριμένη ευπάθεια είχε χρησιμοποιηθεί σε επιθέσεις εναντίον Windows συστημάτων. Πρόκειται για ένα zero-day σφάλμα, γνωστό ως CVE-2021-40444, που διορθώνεται με τη νέα ενημέρωση ασφαλείας. Η Microsoft προτείνει στους χρήστες να εφαρμόσουν άμεσα το Patch Tuesday στα συστήματά τους για να προστατευτούν από τη συγκεκριμένη ευπάθεια.
Bot χρησιμοποιούν scalping και εξαντλούν τα δημοφιλή δώρα
Perseverance: Μελετά τους αρχαιότερους βράχους στον Άρη
Μυστήρια drones στο New Jersey: Τι λέει το Πεντάγωνο;
Δείτε επίσης: Η Microsoft διορθώνει τις υπόλοιπες ευπάθειες Windows PrintNightmare
Άλλες σημαντικές ευπάθειες που διορθώνονται με το Microsoft Patch Tuesday Σεπτεμβρίου είναι οι ακόλουθες:
CVE-2021-38647: Με βαθμολογία 9,8 στην κλίμακα CVSS, είναι το πιο σοβαρό σφάλμα που διορθώνει το patch. Αυτή η ευπάθεια επηρεάζει το πρόγραμμα Open Management Infrastructure (OMI) και επιτρέπει στους επιτιθέμενους να εκτελούν απομακρυσμένες επιθέσεις.
CVE-2021-36968: Πρόκειται για μια Windows DNS privilege escalation zero-day ευπάθεια με βαθμολογία CVSS 7,8. Η Microsoft δεν έχει βρει μέχρι στιγμής κανένα στοιχείο που να αποδεικνύει ότι η ευπάθεια έχει χρησιμοποιηθεί σε επιθέσεις.
CVE-2021-26435: Είναι μια κρίσιμη ευπάθεια (CVSS 8.1) στο Microsoft Windows scripting engine. Πρόκειται για ένα memory corruption σφάλμα, το οποίο ωστόσο απαιτεί αλληλεπίδραση από το χρήστη για να χρησιμοποιηθεί.
CVE-2021-36967: Άλλη μια σοβαρή ευπάθεια με βαθμολογία 8,0 στην κλίμακα CVSS. Εντοπίζεται στην υπηρεσία Windows WLAN AutoConfig και δίνει στον επιτιθέμενο περισσότερα προνόμια στο σύστημα-στόχο.
Νωρίτερα μέσα στο Σεπτέμβριο, η εταιρεία διόρθωσε και μερικές ευπάθειες για το Microsoft Edge (Chromium).
Δείτε επίσης: Chrome: Η Google διορθώνει άλλες δύο zero-day ευπάθειες
Microsoft Patch Tuesday Σεπτεμβρίου 2021
Στον παρακάτω πίνακα μπορείτε να δείτε όλες τις ευπάθειες που έχει διορθώσει η Microsoft αυτό το μήνα (μαζί με Microsoft Edge):
Tag | CVE ID | CVE Title | Severity |
---|---|---|---|
Azure Open Management Infrastructure | CVE-2021-38648 | Open Management Infrastructure Elevation of Privilege Vulnerability | Important |
Azure Open Management Infrastructure | CVE-2021-38645 | Open Management Infrastructure Elevation of Privilege Vulnerability | Important |
Azure Open Management Infrastructure | CVE-2021-38647 | Open Management Infrastructure Remote Code Execution Vulnerability | Critical |
Azure Open Management Infrastructure | CVE-2021-38649 | Open Management Infrastructure Elevation of Privilege Vulnerability | Important |
Azure Sphere | CVE-2021-36956 | Azure Sphere Information Disclosure Vulnerability | Important |
Dynamics Business Central Control | CVE-2021-40440 | Microsoft Dynamics Business Central Cross-site Scripting Vulnerability | Important |
Microsoft Accessibility Insights for Android | CVE-2021-40448 | Microsoft Accessibility Insights for Android Information Disclosure Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2021-30606 | Chromium: CVE-2021-30606 Use after free in Blink | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30609 | Chromium: CVE-2021-30609 Use after free in Sign-In | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30608 | Chromium: CVE-2021-30608 Use after free in Web Share | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30607 | Chromium: CVE-2021-30607 Use after free in Permissions | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-38641 | Microsoft Edge for Android Spoofing Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2021-38642 | Microsoft Edge for iOS Spoofing Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2021-38669 | Microsoft Edge (Chromium-based) Tampering Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2021-36930 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
Microsoft Edge (Chromium-based) | CVE-2021-30632 | Chromium: CVE-2021-30632 Out of bounds write in V8 | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30610 | Chromium: CVE-2021-30610 Use after free in Extensions API | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30620 | Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30619 | Chromium: CVE-2021-30619 UI Spoofing in Autofill | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30618 | Chromium: CVE-2021-30618 Inappropriate implementation in DevTools | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30621 | Chromium: CVE-2021-30621 UI Spoofing in Autofill | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30624 | Chromium: CVE-2021-30624 Use after free in Autofill | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30623 | Chromium: CVE-2021-30623 Use after free in Bookmarks | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30622 | Chromium: CVE-2021-30622 Use after free in WebApp Installs | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30613 | Chromium: CVE-2021-30613 Use after free in Base internals | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30612 | Chromium: CVE-2021-30612 Use after free in WebRTC | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30611 | Chromium: CVE-2021-30611 Use after free in WebRTC | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30614 | Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30617 | Chromium: CVE-2021-30617 Policy bypass in Blink | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30616 | Chromium: CVE-2021-30616 Use after free in Media | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-30615 | Chromium: CVE-2021-30615 Cross-origin data leak in Navigation | Unknown |
Microsoft Edge (Chromium-based) | CVE-2021-26436 | Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability | Important |
Microsoft Edge for Android | CVE-2021-26439 | Microsoft Edge for Android Information Disclosure Vulnerability | Moderate |
Microsoft MPEG-2 Video Extension | CVE-2021-38644 | Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-38657 | Microsoft Office Graphics Component Information Disclosure Vulnerability | Important |
Microsoft Office | CVE-2021-38658 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important |
Microsoft Office | CVE-2021-38650 | Microsoft Office Spoofing Vulnerability | Important |
Microsoft Office | CVE-2021-38659 | Microsoft Office Remote Code Execution Vulnerability | Important |
Microsoft Office Access | CVE-2021-38646 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2021-38655 | Microsoft Excel Remote Code Execution Vulnerability | Important |
Microsoft Office Excel | CVE-2021-38660 | Microsoft Office Graphics Remote Code Execution Vulnerability | Important |
Microsoft Office SharePoint | CVE-2021-38651 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
Microsoft Office SharePoint | CVE-2021-38652 | Microsoft SharePoint Server Spoofing Vulnerability | Important |
Microsoft Office Visio | CVE-2021-38654 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
Microsoft Office Visio | CVE-2021-38653 | Microsoft Office Visio Remote Code Execution Vulnerability | Important |
Microsoft Office Word | CVE-2021-38656 | Microsoft Word Remote Code Execution Vulnerability | Important |
Microsoft Windows Codecs Library | CVE-2021-38661 | HEVC Video Extensions Remote Code Execution Vulnerability | Important |
Microsoft Windows DNS | CVE-2021-36968 | Windows DNS Elevation of Privilege Vulnerability | Important |
Visual Studio | CVE-2021-36952 | Visual Studio Remote Code Execution Vulnerability | Important |
Visual Studio | CVE-2021-26434 | Visual Studio Elevation of Privilege Vulnerability | Important |
Visual Studio | CVE-2021-26437 | Visual Studio Code Spoofing Vulnerability | Important |
Windows Ancillary Function Driver for WinSock | CVE-2021-38628 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
Windows Ancillary Function Driver for WinSock | CVE-2021-38638 | Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability | Important |
Windows Authenticode | CVE-2021-36959 | Windows Authenticode Spoofing Vulnerability | Important |
Windows Bind Filter Driver | CVE-2021-36954 | Windows Bind Filter Driver Elevation of Privilege Vulnerability | Important |
Windows BitLocker | CVE-2021-38632 | BitLocker Security Feature Bypass Vulnerability | Important |
Windows Common Log File System Driver | CVE-2021-38633 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2021-36963 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Common Log File System Driver | CVE-2021-36955 | Windows Common Log File System Driver Elevation of Privilege Vulnerability | Important |
Windows Event Tracing | CVE-2021-36964 | Windows Event Tracing Elevation of Privilege Vulnerability | Important |
Windows Event Tracing | CVE-2021-38630 | Windows Event Tracing Elevation of Privilege Vulnerability | Important |
Windows Installer | CVE-2021-36962 | Windows Installer Information Disclosure Vulnerability | Important |
Windows Installer | CVE-2021-36961 | Windows Installer Denial of Service Vulnerability | Important |
Windows Kernel | CVE-2021-38626 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Kernel | CVE-2021-38625 | Windows Kernel Elevation of Privilege Vulnerability | Important |
Windows Key Storage Provider | CVE-2021-38624 | Windows Key Storage Provider Security Feature Bypass Vulnerability | Important |
Windows MSHTML Platform | CVE-2021-40444 | Microsoft MSHTML Remote Code Execution Vulnerability | Important |
Windows Print Spooler Components | CVE-2021-38667 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
Windows Print Spooler Components | CVE-2021-38671 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
Windows Print Spooler Components | CVE-2021-40447 | Windows Print Spooler Elevation of Privilege Vulnerability | Important |
Windows Redirected Drive Buffering | CVE-2021-36969 | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | Important |
Windows Redirected Drive Buffering | CVE-2021-38635 | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | Important |
Windows Redirected Drive Buffering | CVE-2021-36973 | Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability | Important |
Windows Redirected Drive Buffering | CVE-2021-38636 | Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability | Important |
Windows Scripting | CVE-2021-26435 | Windows Scripting Engine Memory Corruption Vulnerability | Critical |
Windows SMB | CVE-2021-36960 | Windows SMB Information Disclosure Vulnerability | Important |
Windows SMB | CVE-2021-36972 | Windows SMB Information Disclosure Vulnerability | Important |
Windows SMB | CVE-2021-36974 | Windows SMB Elevation of Privilege Vulnerability | Important |
Windows Storage | CVE-2021-38637 | Windows Storage Information Disclosure Vulnerability | Important |
Windows Subsystem for Linux | CVE-2021-36966 | Windows Subsystem for Linux Elevation of Privilege Vulnerability | Important |
Windows TDX.sys | CVE-2021-38629 | Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability | Important |
Windows Update | CVE-2021-38634 | Microsoft Windows Update Client Elevation of Privilege Vulnerability | Important |
Windows Win32K | CVE-2021-38639 | Win32k Elevation of Privilege Vulnerability | Important |
Windows Win32K | CVE-2021-36975 | Win32k Elevation of Privilege Vulnerability | Important |
Windows WLAN Auto Config Service | CVE-2021-36965 | Windows WLAN AutoConfig Service Remote Code Execution Vulnerability | Critical |
Windows WLAN Service | CVE-2021-36967 | Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability | Important |