Microsoft November 2021 Patch Tuesday fixes 6 zero-days

On November 9, Microsoft released the November routine security update as scheduled, repairing at least 55 security vulnerabilities in Windows products and components. This month’s security update repaired 6 0-days vulnerabilities, and 6 of the 55 vulnerabilities were rated as “critical”, 49 as important levels. There were 15 remote code execution vulnerabilities, 20 privilege escalation vulnerabilities, 10 information disclosure vulnerabilities, 3 denials of service vulnerabilities, and 2 security function bypasses.

The actively exploited vulnerabilities target Microsoft Exchange and Excel. We recommend that all users upgrade and install repairs as soon as possible. It is recommended to install patches using Windows Update.


Vulnerability Detail

  • CVE-2021-42292: Microsoft Excel Security Feature Bypass Vulnerability

The vulnerability affects all versions of Office 2013, 2016, 2019, 2021, and Office365. The CVSS score is 7.8, an important level. The vulnerability was discovered by the Microsoft Threat Intelligence Center and used for malicious attacks in the wild.

  • CVE-2021-42321: Microsoft Exchange Server Remote Code Execution Vulnerability

The Microsoft Exchange CVE-2021-42321 vulnerability is an authenticated remote code execution vulnerability that was disclosed in the Tianfu Cup hacker contest last month. The vulnerability affects Exchange Server 2016 and 2019 versions. CVSS score: 8.8, which is a severe level, the vulnerability EXP has been made public, and wild exploitation has been detected.

  • CVE-2021-42298: Microsoft Defender Remote Code Execution Vulnerability

The CVSS score is 7.8, the severity level, and the utilization assessment is more likely to be exploited. Users can automatically fix the vulnerability through Windows security updates.