Microsoft November 2021 Patch Tuesday: 55 bugs squashed, two under active exploit

This month includes fixes for zero-day flaws, some of which have been made public prior to patch release.

Microsoft has released 55 security fixes for software including patches that resolve zero-day vulnerabilities actively exploited in the wild.

The Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution (RCE) bugs, information leaks, and elevation of privilege security flaws, as well as issues that could lead to spoofing and tampering. 

Products impacted by November's security update include Microsoft Azure, the Chromium-based Edge browser, Microsoft Office -- as well as associated products such as Excel, Word, and SharePoint -- Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.   

Read on:

Some of the most interesting vulnerabilities resolved in this update, all deemed as important, are: 

  • CVE-2021-42321: (CVSS:3.1 8.8 / 7.7). Under active exploit, this vulnerability impacts Microsoft Exchange Server and due to improper validation of cmdlet arguments, can lead to RCE. However, attackers must be authenticated.
  • CVE-2021-42292: (CVSS:3.1 7.8 / 7.0). Also detected as exploited in the wild, this vulnerability was found in Microsoft Excel and can be used to circumvent security controls. Microsoft says that the Preview Pane is not an attack vector. No patch is currently available for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021.
  • CVE-2021-43209: (CVSS:3.1 7.8 / 6.8). A 3D Viewer vulnerability made public, this bug can be exploited locally to trigger RCE. 
  • CVE-2021-43208: (CVSS:3.1 7.8 / 6.8). Another known issue, this 3D Viewer security flaw can also be weaponized by a local attacker for code execution purposes. 
  • CVE-2021-38631: (CVSS:3.0 4.4 / 3.9). Also made public, this security flaw, found in the Windows Remote Desktop Protocol (RDP), can be used for information disclosure.
  • CVE-2021-41371: (CVSS:3.1 4.4 / 3.9). Finally, this RDP vulnerability, known before patching was available, can also be exploited locally to force an information leak.

According to the Zero Day Initiative (ZDI), historically, this is a relatively low number of vulnerabilities resolved during the month of November.

"Last year, there were more than double this number of CVEs fixed," the organization says. "Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors."

Last month, Microsoft resolved 71 bugs in the October batch of security fixes. Of particular note are patches for a total of four zero-day flaws, one of which was being actively exploited in the wild, whereas three were made public. 

A month prior, the tech giant tackled over 60 vulnerabilities during the September Patch Tuesday. Among the patches was a fix for an RCE in MSHTML.

In recent Microsoft news, Visual Studio 2022 and .NET 6 were made generally available on November 8. Visual Studio 2022 includes a refresh of some features as well as debug improvements for developers. .NET 6 includes performance enhancements and is the first version able to support both Windows Arm64 and Apple Arm64 Silicon.


Alongside Microsoft's Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.