Microsoft has released 55 security fixes for software for the month of November, including patches that fix zero-day vulnerabilities that are actively exploited in the wild.
The tech giant’s latest set of patches, typically released on the second Tuesday of each month in the so-called Patch Tuesday, includes fixes for six critical vulnerabilities, 15 remote code execution bugs (RCE), information leaks, and privilege elevation security vulnerabilities, including patches for issues related to spoofing and tampering.
The November security update affects Microsoft Azure, the Chromium-based Edge browser, Microsoft Office and related products such as Excel, Word, and SharePoint – Visual Studio, Exchange Server, Windows Kernel, and Windows Defender.
In addition, the most important vulnerabilities that have been fixed in this update are:
- CVE-2021-42321: (CVSS:3.1 8.8 / 7.7). In active exploit, this vulnerability affects Microsoft Exchange Server and may lead to RCE due to improper validation of cmdlet arguments. However, attackers must be authenticated.
- CVE-2021-42292: (CVSS:3.1 7.8 / 7.0). This vulnerability has been found in Microsoft Excel and can be exploited to circumvent security controls. Microsoft says the Preview Pane is not an attack vector. A patch for Microsoft Office 2019 for Mac or Microsoft Office LTSC for Mac 2021 is still not available.
- CVE-2021-43209: (CVSS:3.1 7.8 / 6.8). A 3D Viewer vulnerability made public, this bug can be locally exploited and trigger RCE.
According to the Zero Day Initiative (ZDI), this is a relatively small number of vulnerabilities that were fixed in November.
In addition, Visual Studio 2022 and .NET 6 were made available to the general public from November 8. Visual Studio 2022 now includes a refresher of some of its key features as well as debug enhancements for developers.
.NET 6, on the other hand, contains performance improvements and is the first version to support both Windows Arm64 and Apple Arm64 Silicon.