
=====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN533
_____________________________________________________________________

DATE                : 13/10/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running .NET Core, Visual Studio,
                     Active Directory Federation Services (AD FS),
                     Console Window Host, HTTP.sys,
                     Microsoft DWM Core Library,
                     Microsoft Dynamics, Microsoft Edge (Chromium-based),
                     Microsoft Exchange Server, Microsoft Graphics Component,
                     Microsoft Intune, Microsoft Office Excel,
                     Microsoft Office SharePoint, Microsoft Office Visio,
                     Microsoft Office Word, Microsoft Windows Codecs Library,
                     Rich Text Edit Control,
                     Role: DNS Server, Role: Windows Active Directory Server,
                     Role: Windows AD FS Server, Role: Windows Hyper-V,
                     System Center, Visual Studio, Windows AppContainer,
                     Windows AppX Deployment Service,
                     Windows Bind Filter Driver,
                     Windows Cloud Files Mini Filter Driver,
                     Windows Common Log File System Driver,
                     Windows Desktop Bridge, Windows DirectX,
                     Windows Event Tracing,
                     Windows exFAT File System,
                     Windows Fastfat Driver, Windows Installer,
                     Windows Kernel, Windows MSHTML Platform,
                     Windows Nearby Sharing,
                     Windows Network Address Translation (NAT),
                     Windows Print Spooler Components,
                     Windows Remote Procedure Call Runtime,
                     Windows Storage Spaces Controller,
                     Windows TCP/IP, Windows Text Shaping,
                     Windows Win32K.

=====================================================================
https://msrc.microsoft.com/update-guide/
https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38624
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001
https://msrc.microsoft.com/update-guide/vulnerability/ADV200011
_____________________________________________________________________


********************************************************************
Microsoft Security Update Summary for October 12, 2021
Issued: October 12, 2021
********************************************************************

This summary lists security updates released for October 12, 2021.

Complete information for the October 2021 security update release
can be found at <https://msrc.microsoft.com/update-guide/>.

IMPORTANT ANNOUNCEMENT: In the coming months we will be moving to a new,
more user-friendly and flexible system for delivering Microsoft
Technical Security Notifications. Upcoming information about how you
can sign up for and receive these Technical Security Notifications will
be coming soon.

Please note the following information regarding the security updates:

* For information regarding enabling Windows 10, version 1909 features,
please see Windows 10, version 1909 delivery options:
https://techcommunity.microsoft.com/t5/Windows-IT-Pro-Blog/Windows-10-version-1909-delivery-options/ba-p/1002660.
Note that these versions of Windows 10 share a common core operating
system with an identical set of system files: 1903 and 1909; 2004, 20H2,
and 21H1. They will also share the same security update KBs.
* Windows 10 updates are cumulative. The monthly security release
includes all security fixes for vulnerabilities that affect Windows
10, in addition to non-security updates. The updates are available
via the Microsoft Update Catalog:
https://catalog.update.microsoft.com/v7/site/Home.aspx.
* For information on lifecycle and support dates for Windows 10
operating systems, please see the Windows Lifecycle Fact Sheet:
https://support.microsoft.com/en-us/help/13853/windows-lifecycle-fact-sheet.
* A list of the latest servicing stack updates for each operating
system can be found in ADV990001:
https://msrc.microsoft.com/update-guide/vulnerability/ADV990001.
This list will be updated whenever a new servicing stack update is
released. It is important to install the latest servicing stack update.
* In addition to security changes for the vulnerabilities, updates
include defense-in-depth updates to help improve security-related
features.
* Customers running Windows 7, Windows Server 2008 R2, or Windows Server
2008 need to purchase the Extended Security Update to continue receiving
security updates. See
https://support.microsoft.com/en-us/help/4522133/procedure-to-continue-receiving-security-updates
for more information.
* There is a change coming with regards to Servicing Stack Updates.
Please see Simplifying SSUs for more information.


Critical Security Updates
============================

Windows 10 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for x64-based Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 11 for ARM64-based Systems
Windows 11 for x64-based Systems
Windows 8.1 for 32-bit systems
Windows 8.1 for x64-based systems
Windows RT 8.1
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server 2022
Windows Server 2022 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
Windows Server, version 20H2 (Server Core Installation)
Microsoft 365 Apps for Enterprise for 32-bit Systems
Microsoft 365 Apps for Enterprise for 64-bit Systems
Microsoft Excel 2013 RT Service Pack 1
Microsoft Excel 2013 Service Pack 1 (32-bit editions)
Microsoft Excel 2013 Service Pack 1 (64-bit editions)
Microsoft Excel 2016 (32-bit edition)
Microsoft Excel 2016 (64-bit edition)
Microsoft Office 2013 RT Service Pack 1
Microsoft Office 2013 Service Pack 1 (32-bit editions)
Microsoft Office 2013 Service Pack 1 (64-bit editions)
Microsoft Office 2016 (32-bit edition)
Microsoft Office 2016 (64-bit edition)
Microsoft Office 2019 for 32-bit editions
Microsoft Office 2019 for 64-bit editions
Microsoft Office 2019 for Mac
Microsoft Office LTSC 2021 for 32-bit editions
Microsoft Office LTSC 2021 for 64-bit editions
Microsoft Office LTSC for Mac 2021
Microsoft Office Online Server
Microsoft Office Web Apps Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2013 Service Pack 1
Microsoft SharePoint Enterprise Server 2016
Microsoft SharePoint Foundation 2013 Service Pack 1
Microsoft SharePoint Server 2019
Microsoft Word 2013 RT Service Pack 1
Microsoft Word 2013 Service Pack 1 (32-bit editions)
Microsoft Word 2013 Service Pack 1 (64-bit editions)
Microsoft Word 2016 (32-bit edition)
Microsoft Word 2016 (64-bit edition)


Important Security Updates
============================

Microsoft Visual Studio 2017 version 15.9 (includes 15.0 - 15.8)
Microsoft Visual Studio 2019 version 16.11 (includes 16.0 - 16.10)
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 21
Microsoft Exchange Server 2016 Cumulative Update 22
Microsoft Exchange Server 2019 Cumulative Update 10
Microsoft Exchange Server 2019 Cumulative Update 11
Microsoft Dynamics 365 (on-premises) version 9.0
Microsoft Dynamics 365 (on-premises) version 9.1
Microsoft Dynamics 365 Customer Engagement V9.0
Microsoft Dynamics 365 Customer Engagement V9.1
System Center 2012 R2 Operations Manager
System Center 2016 Operations Manager
System Center 2019 Operations Manager
Intune management extension
.NET 5.0


Other Information
=================

Recognize and avoid fraudulent email to Microsoft customers:
=============================================================
If you receive an email message that claims to be distributing
a Microsoft security update, it is a hoax that may contain
malware or pointers to malicious websites. Microsoft does
not distribute security updates via email.

The Microsoft Security Response Center (MSRC) uses PGP to digitally
sign all security notifications. However, PGP is not required for
reading security notifications, reading security information, or
installing security updates. You can obtain the MSRC public PGP key
at
<https://technet.microsoft.com/security/dn753714>.

********************************************************************
THE INFORMATION PROVIDED IN THIS MICROSOFT COMMUNICATION IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

Microsoft respects your privacy. Please read our online Privacy
Statement at
<http://go.microsoft.com/fwlink/?LinkId=81184>.

If you would prefer not to receive future technical security
notification alerts by email from Microsoft and its family of
companies please visit the following website to unsubscribe:
<https://profile.microsoft.com/RegSysProfileCenter/subscriptionwizard.aspx?wizid=5a2a311b-5189-4c9b-9f1a-d5e913a26c2e&%3blcid=1033>.

These settings will not affect any newsletters you've requested or
any mandatory service communications that are considered part of
certain Microsoft services.

For legal Information, see:
<http://www.microsoft.com/info/legalinfo/default.mspx>.

This newsletter was sent by:
Microsoft Corporation
1 Microsoft Way
Redmond, Washington, USA
98052

_____________________________________________________________________

**************************************************************************************
Title: Microsoft Security Update Releases
Issued: October 12, 2021
**************************************************************************************

Summary
=======

The following CVEs have undergone a major revision increment:

* CVE-2021-38624
* CVE-2021-33781

CVE-2021-38624

 - Windows Key Storage Provider Security Feature Bypass Vulnerability
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-38624
 - Version 2.0
 - Reason for Revision: The following revisions have been made: 1) To
   comprehensively address CVE-2021-38624, Microsoft has released the
   October 2021 Security Updates for all affected editions of Windows 10
   Version 1809 and newer because these versions are also affected by
   CVE-2021-38624. 2) In the Security Updates table, Windows 11 for
   x64-based systems and Windows 11 for ARM64-based systems have been
   added as Windows 11 is also affected by this vulnerability. Microsoft
   strongly recommends that customers install the October updates to be
   fully protected from this vulnerability. Customers whose systems are
   configured to receive automatic updates do not need to take any
   further action.
 - Originally posted: September 14, 2021
 - Updated: October 12, 2021

CVE-2021-33781

 - Azure AD Security Feature Bypass Vulnerability
 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781
 - Version 2.0
 - Reason for Revision: In the Security Updates table, added all
   supported versions of Windows 10 Version 1607, Windows Server 2016,
   and Windows 11 because these versions of Windows 10, Windows Server,
   and Windows 11 are also affected by this vulnerability.
   Microsoft strongly recommends that customers running any of these
   versions install the updates to be fully protected from the
   vulnerability. Customers whose systems are configured to receive
   automatic updates do not need to take any further action.
 - Originally posted: July 13, 2021
 - Updated: October 12, 2021


_____________________________________________________________________


**************************************************************************************
Title: Microsoft Security Advisory Notification
Issued: October 12, 2021
**************************************************************************************

Security Advisories Released or Updated on October 12, 2021
======================================================================================

* ADV990001
* ADV200011

ADV990001

 - ADV990001 | Latest Servicing Stack Updates
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV990001
 - Reason for Revision: Advisory updated to announce new versions of
   Servicing Stack Updates are available. Please see the FAQ for
   details.
 - Originally posted: November 13, 2018
 - Updated: October 12, 2021
 - Version: 42.0

ADV200011

 - ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass
   in GRUB
 - https://msrc.microsoft.com/update-guide/vulnerability/ADV200011
 - Reason for Revision: The following revisions have been made: 1)
   Updated FAQ to indicate that Microsoft will release an update to
   address this vulnerability in Spring of 2022. You can register for
   the security notifications mailer to be alerted when this update is
   available, and when content changes are made to this advisory.
   See Microsoft Technical Security Notifications. 2) In the Security
   Updates table, added all supported editions of the following versions
   of Windows and Windows Server, as they are affected by this
   vulnerability: Windows 10 version 20H2, Windows 10 version 21H1,
   Windows 11, Windows Server, version 20H2 (Server Core Installation),
   and Windows Server 2022. 3) In the Executive Summary, corrected
   location of Mitigations section.
 - Originally posted: July 29, 2021
 - Updated: October 12, 2021
 - Version: 3.0

 ======================================================================================

=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================