Microsoft identified 84 vulnerabilities on Tuesday, one of which has been exploited and one of which has been publicly reported.
The patches address CVEs in Microsoft Windows and Windows Components, Azure, Azure Arc, and Azure DevOps, Microsoft Edge (Chromium-based), Office and Office Components, Visual Studio Code, Active Directory Domain Services and Active Directory Certificate Services, Nu Get Client, Hyper-V, and the Windows Resilient File System (ReFS).
This release follows the earlier this month release of 12 updates for CVEs in Microsoft Edge (Chromium-based).
The exploited vulnerability is a Windows COM+ Event System Service Elevation of Privilege Vulnerability. An attacker who successfully exploited this flaw may get system access.
A Microsoft Office Information Disclosure Vulnerability has been publicly revealed. This flaw, found by Cody Thomas of SpecterOps, puts user tokens and other potentially sensitive information at risk.
“What isn’t included in this month’s publication may be more fascinating,” Dustin Childs wrote for the Zero Day Initiative. “Despite the fact that two Exchange issues have been extensively exploited for at least two weeks, there are no fixes for Exchange Server. The ZDI purchased these flaws in early September and reported them to Microsoft at the time. Because there are no patches available to adequately fix these problems, administrators can only verify that the September 2021 Cumulative Update (CU) is implemented.”