November’s security updates bring a bundle of important fixes for vulnerabilities in Windows and Android devices

Microsoft Patch Tuesday Updates

Microsoft’s security update this month fixes 55 security flaws with 6 of them called out as zero-day vulnerabilities.  Microsoft classifies a zero-day as a vulnerability that is either under active attack in the wild or the details have been publicly disclosed (giving threat actors the information they need to exploit the vulnerability) – and one of them is yet another on-premises Exchange Server vulnerability.

The six zero-days fixed this month by Microsoft are:

• Exchange Server Remote Code Execution – (CVE-2021-42321)
  This is a post-authentication attack which has been observed being used to target Exchange 2016 and 2019 on-premises deployments.
  Microsoft recommends admins should use the Exchange Server Health Checker script to identify vulnerabilities in their Exchange server farms.
• Excel Security Bypass (CVE-2021-42292)
• Windows Remote Desktop Information Disclosure x2 (CVE-2021-38631 & CVE-2021-41371)
• Windows 3D Viewer Remote Code Execution x2 (CVE-2021-43209 & CVE-2021-43208)

In addition, 4 critical remote code execution vulnerabilities are patched in Windows Virtual machine Bus, Windows RDP, Windows Defender, and Microsoft Dynamics (on-premises).

Android November Update

Google’s November security update for Android provides fixes for 39 vulnerabilities including a remote code execution (RCE) flaw in Android TV (A-180745296), two RCE that affect the core System (A-197536150/CVE-2021-0918, A-181660091/CVE-2021-0930) and an Elevation of Privilege vulnerability in the Kernel (CVE-2021-1048) that has been observed under active attack in the wild.

Also included are fixes from Qualcomm for 2 critical and 9 high rated vulnerabilities in their closed source contributions to Android.