The recent trend with zero-day vulnerabilities continued in September: information on the zero-day vulnerability was publicly disclosed about a week before Patch Tuesday. Apparently the zero-day vulnerability was not considered too big a threat, as no out-of-band patch was released. September’s total vulnerability count was a fairly standard 84.

This month’s zero-day vulnerability is known as CVE-2021-40444 (CVSS score 8.8). There is also an alternative mitigation for this vulnerability; you can find more information on it in the Workarounds section of the vulnerability article. September also saw another publicly disclosed vulnerability, CVE-2021-36968, with a CVSS score of 7.8. This month’s highest CVSS score goes to the vulnerability CVE-2021-38647.

Key points

  • CVE-2021-40444
    • Absolute recommendation to update as soon as possible.
    • An alternative fix can be found in the vulnerability article’s Workarounds section.

  • There were five more publicly disclosed vulnerabilities fixed this month.
    • CVE-2021-36968

Active and known issues in Windows operating systems

Operating System                                                           | Active known issues (previous month) | Note
---------------------------------------------------------------------------|--------------------------------------|------------------------------------------------
Windows 10, version 21H1 and Windows Server, version 21H1                  | 1 (2)                                |
Windows 10, version 20H2 and Windows Server, version 20H2                  | 1 (2)                                |
Windows 10, version 2004 and Windows Server, version 2004                  | 1 (2)                                |
Windows 10, versions 1909* and 1903*, and Windows Server, version 1903**   | 0 (0)                                | Support has ended for Windows 10 version 1903.
Windows 10, version 1809**, and Windows Server 2019                        | 2 (2)                                | Support has ended for Windows 10 version 1803.
Windows 10, version 1803**                                                 | -                                    | Support has ended.
Windows 10, version 1709***, and Windows Server, version 1709              | -                                    | Support has ended.
Windows 10, version 1703***                                                | -                                    | Support has ended.
Windows 10, version 1607 LTSC*** and Windows Server 2016                   | 2 (0)                                |
Windows 8.1**** and Windows Server 2012 R2                                 | 1 (1)                                |
Windows Server 2012                                                        | 1 (1)                                |
Windows 7**** and Windows Server 2008 R2 SP1                               | 1 (2)                                |
  • * 1909 has the same operating system core and identical system files as its predecessor, 1903.
  • ** Support for the Windows 10 build in question has ended for the Home, Pro, and Enterprise editions.
  • *** Support for the Windows 10 build in question has ended for all editions.
  • **** The mainstream support period for the Windows version has ended. Extended support periods end: for Windows 8.1 on Jan 10th 2023, and for Windows 7 on Jan 14th 2020.

Recommended actions

The critical, zero-day, and publicly disclosed vulnerabilities mentioned at the beginning should be patched as soon as possible. CVE-2021-40444 is the vulnerability you should prioritize. If for some reason the patch can’t be installed, you should definitely check the MSRC article mentioned above and see whether any of the alternative ways could be used to mitigate the vulnerability.

Organizations should make sure their devices run one of the three most recent Windows 10 feature versions (21H1, 20H2, or 2004), meaning the devices are still receiving their monthly security patches.
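One way to check the recommendation above across a fleet is to read each device’s feature version and compare it with the versions the post names as still serviced. The script below is an added example, not Centero’s or Microsoft’s code; it reads the standard CurrentVersion registry key (DisplayVersion exists from 20H2 onwards, older builds only expose ReleaseId), and the version lists are taken from this post’s table.

```powershell
# Added example: flag devices that are not on a serviced Windows 10 feature version.
# Lists below come from this post (serviced: 21H1/20H2/2004; "Support has ended" rows).
$ServicedVersions = @('21H1', '20H2', '2004')
$EndedVersions    = @('1903', '1803', '1709', '1703')
$CurrentVersionKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'

function Get-FeatureVersion {
    # DisplayVersion ("21H1", "20H2") was introduced with 20H2; earlier builds
    # only carry ReleaseId ("2004", "1909", ...), so fall back to that.
    $cv = Get-ItemProperty -Path $CurrentVersionKey
    if ($cv.PSObject.Properties.Name -contains 'DisplayVersion') {
        return $cv.DisplayVersion
    }
    return $cv.ReleaseId
}

function Test-ServicedFeatureVersion {
    param(
        # Override for testing or for values collected from remote machines.
        [string]$Version = (Get-FeatureVersion)
    )
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        FeatureVersion = $Version
        Build          = (Get-ItemProperty -Path $CurrentVersionKey).CurrentBuild
        Serviced       = $ServicedVersions -contains $Version
        SupportEnded   = $EndedVersions -contains $Version
    }
}

# Local run; pipe the result to Export-Csv when collecting from many devices.
Test-ServicedFeatureVersion | Format-List
```

A device where Serviced is false and SupportEnded is false (for example 1909 or 1809) falls under the footnoted rows of the table, so check the edition-specific notes there before deciding it is out of support.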

However, Centero recommends testing the updates carefully before deploying them to production. In addition, you should go through any known issues before deploying the updates.

Microsoft’s documentation on the subject

Microsoft maintains a list of Windows updates and their known issues on the following pages. You can find additional information on the Windows versions’ lifecycle behind the last link.


With Centero Software Manager Cloud and CSM Cloud for Servers, your devices get these and other updates in a managed way, according to the configuration you have selected. Read more on Centero Software Manager here.
