November’s security updates bring a bundle of important fixes for vulnerabilities in Windows and Android devices
Microsoft Patch Tuesday Updates
Microsoft’s security update this month fixes 55 security flaws with 6 of them called out as zero-day vulnerabilities. Microsoft classifies a zero-day as a vulnerability that is either under active attack in the wild or the details have been publicly disclosed (giving threat actors the information they need to exploit the vulnerability) – and one of them is yet another on-premises Exchange Server vulnerability.
The six zero-days fixed this month by Microsoft are:
- Exchange Server Remote Code Execution – (CVE-2021-42321)
This is a post-authentication attack which has been observed being used to target Exchange 2016 and 2019 on-premises deployments.
Microsoft recommends admins should use the Exchange Server Health Checker script to identify vulnerabilities in their Exchange server farms.
- Excel Security Bypass (CVE-2021-42292)
- Windows Remote Desktop Information Disclosure x2 (CVE-2021-38631 & CVE-2021-41371)
- Windows 3D Viewer Remote Code Execution x2 (CVE-2021-43209 & CVE-2021-43208)
Android November Update
Google’s November security update for Android provides fixes for 39 vulnerabilities including a remote code execution (RCE) flaw in Android TV (A-180745296), two RCE that affect the core System (A-197536150/CVE-2021-0918, A-181660091/CVE-2021-0930) and an Elevation of Privilege vulnerability in the Kernel (CVE-2021-1048) that has been observed under active attack in the wild.
Also included are fixes from Qualcomm for 2 critical and 9 high rated vulnerabilities in their closed source contributions to Android.