The October security patch updates include fixes for critical flaws and zero-day vulnerabilities from Microsoft, Apple and Apache.
Microsoft October Updates
October’s security patch bundle from Microsoft includes fixes for four zero-day vulnerabilities, at least one of which is actively being exploited in the wild. Overall Microsoft fixes 70 vulnerabilities include the first inclusion of patches for the newly released Windows 11.
The four zero-days are:
- CVE-2021-40449 – Win32k Elevation of Privilege Vulnerability
- CVE-2021-40469 – Windows DNS Server Remote Code Execution Vulnerability
- CVE-2021-41335 – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2021-41338 – Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
The Win32 elevation of privilege vulnerability was discovered by Kaspersky who found it was being used by threat actors based in China in a ‘widespread espionage campaigns against IT companies, military / defence contractors and diplomatic entities.’
Apple patches zero-day flaw
Apple has released iOS and iPadOS 15.0.2 to fix a zero day vulnerability (CVE-2021-30883) that allows an application to be able to execute arbitrary code with kernel privileges – and Apple confirms that they received a report that the issue is being actively exploited.
The flaw in IOMobileFrameBuffer has been reverse engineered by a security engineer who compared the compiled iOS code before and after the patch had been applied (known as a bindiff – a binary difference comparison). With a proof of concept now explained in details, it is more likely that other threat actors will attempt to exploit the vulnerability before patches are installed.
Apache critical patch released
Apache has released version 2.4.51 of the Apache HTTP Server just three days after version 2.4.50 failed to address a critical path traversal attack which could result in remote code execution in certain configurations CVE-2021-42013.
According to the security notice:
An attacker could use a path traversal attack to map URLs to files outside the directories configured by Alias-like directives. If files outside of these directories are not protected by the usual default configuration “require all denied”, these requests can succeed. If CGI scripts are also enabled for these aliased paths, this could allow for remote code execution.
“We were very impressed with the service, I will say, the vulnerability found was one our previous organisation had not picked up, which does make you wonder if anything else was missed.”
Aim Ltd Chief Technology Officer (CTO)