For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities alongside 20 Chromium security bugs in Microsoft Edge.
Affected products include: Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and the Windows Subsystem for Linux.
Of these CVEs, three are rated critical, one is rated moderate, and the remainder are considered important.
One of the fixes resolves an already publicly disclosed critical zero-day vulnerability (CVE-2021-40444) in MSHTML, also known as Microsoft’s legacy Trident rendering engine. The flaw can be abused to achieve arbitrary code execution using a malicious ActiveX control within a Microsoft Office document that hosts the browser rendering engine. This is the vulnerability we learned of on September 7, and it was used in targeted attacks on Office users. Code to exploit the hole has been passed around the web and between security researchers, so get patching.
Another fix updates a publicly disclosed patch from August 11 which addressed last month’s Print Spooler RCE (CVE-2021-36958).
“The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix,” explained Chris Goettl, VP of product management at Ivanti, an IT asset management firm, in a statement emailed to The Register. “The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates.”
Goettl said the third previously disclosed vulnerability (CVE-2021-36968) is a privilege elevation flaw in Windows DNS. “This CVE applies to the legacy Windows OSs. Public disclosure gives threat actors a bit of a jump start on developing a working exploit.”
There are other two critical…