September 2021 Patch Tuesday contains fixes for 86 vulnerabilities, including two zero-days



As sysadmins eagerly await a patch for CVE-2021-40444, this month’s Patch Tuesday contains fixes for 86 vulnerabilities, including those previously released for Microsoft Edge, among which three are classified as critical and 56 as important. Two days zero have also been fixed, one of which is actively exploited. Needless to say, IT admins are going to have their hands full with this month’s patch and update process.

After a first discussion of the updates released, we will offer you our advice for designing a patch management plan in a hybrid work environment. You can also sign up for our free Patch Tuesday webinar and listen to our experts walk through Patch Tuesday updates.

What is Patch Tuesday?

Patch Tuesday falls on the second Tuesday of each month. It is on this day that Microsoft releases security and non-security updates for its operating system and other related applications. Because Microsoft has maintained this process of releasing updates periodically, IT administrators expect and have time to prepare for these updates.

Why is Patch Tuesday important?

The most important security updates and fixes to fix bugs or critical vulnerabilities are released on Patch Tuesday. Usually zero-day vulnerabilities are also patched during Patch Tuesday, unless the vulnerability is critical and highly exploited, in which case an out-of-band security update is released to fix that particular vulnerability.

September Patch Tuesday product line

Security updates have been released for the following products:

  • Azure open management infrastructure

  • Microsoft Edge (Chrome based)

  • Microsoft Office

  • Microsoft Windows Codec Library

  • Microsoft Windows DNS

  • Visual studio

  • Windows BitLocker

  • Windows kernel

  • Windows platform MSHTML

  • Windows Print Spooler Components

  • Windows Script

  • Windows Win32K

  • Windows WLAN Auto Configuration Service

Two zero-day vulnerabilities corrected

Of the two zero-days corrected this month, one is actively mined and the other is publicly disclosed but not actively mined. Here is the list :

  • CVE-2021-36968 – Windows DNS Elevation of Privilege Vulnerability (publicly disclosed but not actively exploited).

  • CVE-2021-40444 – Microsoft MSHTML remote code execution vulnerability (actively exploited). This vulnerability is actively used in phishing attacks. These attacks distributed malicious Word documents that exploited CVE-2021-40444 to download and run a malicious DLL file that installed a Cobalt Strike tag on the victim’s computer. This beacon allows a malicious actor to remotely access the device and steal files and spread laterally across the network.

Critical Updates

There are three critical updates released this Patch Tuesday:





Azure open management infrastructure

Open Management Infrastructure Remote Code Execution Vulnerability


Windows Script

Windows Scripting Engine Memory Corruption Vulnerability


Windows WLAN Auto Configuration Service

Windows WLAN AutoConfig Service Remote Code Execution Vulnerability

Third-party updates released after August Patch Tuesday

Third-party vendors such as Adobe, Cisco, SAP, Apple, and Android released updates after Patch Tuesday last month.

Best Practices for Managing Patch Management in a Hybrid Work Environment

Most organizations have chosen to embrace remote working even after being allowed to return to the office. This decision poses various challenges for IT administrators, particularly in terms of managing and securing distributed terminals. Here are some tips to make the remote patching process easier.

  • Disable automatic updates, as a faulty patch could cause the entire system to crash. IT administrators can teach end users how to turn off automatic updates on their machines. Patch Manager Plus and Desktop Central also have a dedicated fix, 105427, which can be deployed to endpoints to ensure that automatic updates are disabled.

  • Create a restore point (a backup or image that captures the state of machines) before deploying big updates like Patch Tuesday.

  • Establish a patch schedule and notify end users of it. It is recommended that you set a time for patch deployment and system restart. Inform end users of what needs to be done on their end for a trouble-free fix.

  • Test the fixes on a pilot group of systems before deploying them to the production environment. This will ensure that the patches do not interfere with the operation of other applications.

  • Since many users work from home, they may all work different hours; in this case, you can allow end users to bypass scheduled deployment and restarts. This will give them the freedom to install updates at their convenience and avoid disrupting their work. Our patch management products come with user-defined deployment and restart options.

  • Most organizations patch using a VPN. To prevent patch jobs from consuming your VPN bandwidth, first install critical patches and security updates. You may want to delay the deployment of feature packs and cumulative updates because these are large updates and consume too much bandwidth.

  • Schedule the deployment of non-security updates and security updates that are not rated Critical after Patch Tuesday, such as in the third or fourth week of the month. You can also choose to decline certain updates if you think they are not needed in your environment.

  • Run patch reports to get a detailed view of the health of your endpoints.

  • For machines belonging to users returning to the office after working remotely, check whether they comply with your security policies. Otherwise, quarantine them.

  • Install the latest updates and feature packs before judging your back-to-office machines suitable for production.

  • Take inventory and remove applications that are now obsolete for your back-to-office machines, like remote collaboration software.

With Desktop Central or Patch Manager Plus, you can completely automate the entire patch management process, from testing patches to deploying them. You can also tailor patch tasks based on your current situation. For hands-on experience with any of these products, start a 30-day free trial and keep thousands of apps patched and secure.

Want to learn more about Patch Tuesday updates? Join our experts as they analyze this month’s Patch Tuesday updates and provide in-depth analysis. You can also ask our experts questions and get immediate answers. Sign up for our free Patch Tuesday webinar!

Good patch!

The post-September 2021 Patch Tuesday contains fixes for 86 vulnerabilities, including two zero-days that first appeared on the ManageEngine blog.

*** This is a Syndicated Security Bloggers Network blog from ManageEngine Blog written by Karthika Surendran. Read the original post at: vulnerabilities-including-two-zero-days.html



About Author

Leave A Reply