Microsoft November 2021 Patch Tuesday fixes 6 zero-days, 55 flaws

Patch Tuesday

Today is Microsoft’s November 2021 Patch Tuesday, and with it comes fixes for six zero-day vulnerabilities and a total of 55 flaws. The actively exploited vulnerabilities are for Microsoft Exchange and Excel, with the Exchange zero-day used as part of the Tianfu hacking contest.

Microsoft has fixed 55 vulnerabilities with today’s update, with six classified as Critical and 49 as Important. The number of each type of vulnerability is listed below:

  • 20 Elevation of Privilege vulnerabilities
  • 2 Security Feature Bypass vulnerabilities
  • 15 Remote Code Execution vulnerabilities
  • 10 Information Disclosure vulnerabilities
  • 3 Denial of Service vulnerabilities
  • 4 Spoofing vulnerabilities

For information about the non-security Windows updates, you can read about today’s Windows 10 KB5007186 & KB5007189 cumulative updates and the Windows 11 KB5007215 cumulative update.

Six zero-days fixed, with two actively exploited

November’s Patch Tuesday includes fixes for six zero-day vulnerabilities, two actively exploited against Microsoft Exchange and Microsoft Excel.

Microsoft classifies a vulnerability as a zero-day if it is publicly disclosed or actively exploited with no official fix available.

The actively exploited vulnerabilities fixed this month are:

  • CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability
  • CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability

The Microsoft Exchange CVE-2021-42321 vulnerability is an authenticated remote code execution bug used as part of the Tianfu Cup hacking contest last month.

However, the Microsoft Excel CVE-2021-42292 was discovered by the Microsoft Threat Intelligence Center and has been actively used in malicious attacks.

The security updates for Microsoft Office for Mac have not been released as of yet.

Microsoft also fixed four other publicly disclosed vulnerabilities that are not known to be exploited in attacks.

  • CVE-2021-38631 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
  • CVE-2021-41371 – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
  • CVE-2021-43208 – 3D Viewer Remote Code Execution Vulnerability
  • CVE-2021-43209 – 3D Viewer Remote Code Execution Vulnerability

Recent updates from other companies

Other vendors who released updates in November include:

The November 2021 Patch Tuesday Security Updates

Below is the complete list of resolved vulnerabilities and released advisories in the November 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.

Tag CVE ID CVE Title Severity
3D Viewer CVE-2021-43209 3D Viewer Remote Code Execution Vulnerability Important
3D Viewer CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability Important
Azure CVE-2021-41373 FSLogix Information Disclosure Vulnerability Important
Azure RTOS CVE-2021-42303 Azure RTOS Elevation of Privilege Vulnerability Important
Azure RTOS CVE-2021-42302 Azure RTOS Elevation of Privilege Vulnerability Important
Azure RTOS CVE-2021-42301 Azure RTOS Information Disclosure Vulnerability Important
Azure RTOS CVE-2021-42323 Azure RTOS Information Disclosure Vulnerability Important
Azure RTOS CVE-2021-26444 Azure RTOS Information Disclosure Vulnerability Important
Azure RTOS CVE-2021-42304 Azure RTOS Elevation of Privilege Vulnerability Important
Azure Sphere CVE-2021-41374 Azure Sphere Information Disclosure Vulnerability Important
Azure Sphere CVE-2021-41376 Azure Sphere Information Disclosure Vulnerability Important
Azure Sphere CVE-2021-42300 Azure Sphere Tampering Vulnerability Important
Azure Sphere CVE-2021-41375 Azure Sphere Information Disclosure Vulnerability Important
Microsoft Dynamics CVE-2021-42316 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Critical
Microsoft Edge (Chromium-based) in IE Mode CVE-2021-41351 Microsoft Edge (Chrome based) Spoofing on IE Mode Important
Microsoft Exchange Server CVE-2021-42305 Microsoft Exchange Server Spoofing Vulnerability Important
Microsoft Exchange Server CVE-2021-41349 Microsoft Exchange Server Spoofing Vulnerability Important
Microsoft Exchange Server CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability Important
Microsoft Office Access CVE-2021-41368 Microsoft Access Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2021-40442 Microsoft Excel Remote Code Execution Vulnerability Important
Microsoft Office Excel CVE-2021-42292 Microsoft Excel Security Feature Bypass Vulnerability Important
Microsoft Office Word CVE-2021-42296 Microsoft Word Remote Code Execution Vulnerability Important
Microsoft Windows CVE-2021-41356 Windows Denial of Service Vulnerability Important
Microsoft Windows Codecs Library CVE-2021-42276 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important
Power BI CVE-2021-41372 Power BI Report Server Spoofing Vulnerability Important
Role: Windows Hyper-V CVE-2021-42284 Windows Hyper-V Denial of Service Vulnerability Important
Role: Windows Hyper-V CVE-2021-42274 Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability Important
Visual Studio CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow Critical
Visual Studio CVE-2021-42319 Visual Studio Elevation of Privilege Vulnerability Important
Visual Studio Code CVE-2021-42322 Visual Studio Code Elevation of Privilege Vulnerability Important
Windows Active Directory CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability Important
Windows Active Directory CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability Important
Windows Active Directory CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability Important
Windows Active Directory CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability Important
Windows COM CVE-2021-42275 Microsoft COM for Windows Remote Code Execution Vulnerability Important
Windows Core Shell CVE-2021-42286 Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability Important
Windows Cred SSProvider Protocol CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability Important
Windows Defender CVE-2021-42298 Microsoft Defender Remote Code Execution Vulnerability Critical
Windows Desktop Bridge CVE-2021-36957 Windows Desktop Bridge Elevation of Privilege Vulnerability Important
Windows Diagnostic Hub CVE-2021-42277 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important
Windows Fastfat Driver CVE-2021-41377 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability Important
Windows Feedback Hub CVE-2021-42280 Windows Feedback Hub Elevation of Privilege Vulnerability Important
Windows Hello CVE-2021-42288 Windows Hello Security Feature Bypass Vulnerability Important
Windows Installer CVE-2021-41379 Windows Installer Elevation of Privilege Vulnerability Important
Windows Kernel CVE-2021-42285 Windows Kernel Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2021-42283 NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2021-41370 NTFS Elevation of Privilege Vulnerability Important
Windows NTFS CVE-2021-41378 Windows NTFS Remote Code Execution Vulnerability Important
Windows NTFS CVE-2021-41367 NTFS Elevation of Privilege Vulnerability Important
Windows RDP CVE-2021-38665 Remote Desktop Protocol Client Information Disclosure Vulnerability Important
Windows RDP CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows RDP CVE-2021-38666 Remote Desktop Client Remote Code Execution Vulnerability Critical
Windows RDP CVE-2021-41371 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important
Windows Scripting CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability Critical
Windows Virtual Machine Bus CVE-2021-26443 Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability Critical