Microsoft on Tuesday disclosed 84 vulnerabilities, including one that has been exploited and one that has been publicly disclosed.
The patches released address common vulnerabilities and exposures (CVEs) in: Microsoft Windows and Windows Components; Azure, Azure Arc, and Azure DevOps; Microsoft Edge (Chromium-based); Office and Office Components; Visual Studio Code; Active Directory Domain Services and Active Directory Certificate Services; Nu Get Client; Hyper-V; and the Windows Resilient File System (ReFS).
This release comes on top of 12 patches for CVEs in Microsoft Edge (Chromium-based) released earlier this month.
The vulnerability that has been exploited is a Windows COM+ Event System Service Elevation of Privilege Vulnerability. An attacker who successfully exploited this vulnerability could gain system privileges.
The publicly disclosed vulnerability is a Microsoft Office Information Disclosure Vulnerability. This vulnerability, discovered by Cody Thomas with SpecterOps, puts at risk user tokens and other potentially sensitive information.
“What may be more interesting is what isn’t included in this month’s release,” Dustin Childs wrote for the Zero Day Initiative. “There are no updates for Exchange Server, despite two Exchange bugs being actively exploited for at least two weeks. These bugs were purchased by the ZDI at the beginning of September and reported to Microsoft at the time. With no updates available to fully address these bugs, the best administrators can do is ensure the September 2021 Cumulative Update (CU) is installed.”