Patch Tuesday For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities alongside 20 Chromium security bugs in Microsoft Edge.

Affected products include: Azure, Edge (Android, Chromium, and iOS), Office, SharePoint Server, Windows, Windows DNS, and the Windows Subsystem for Linux.

Of these CVEs, three are rated critical, one is rated moderate, and the remainder are considered important.

One of the already publicly disclosed CVEs resolves a critical zero-day vulnerability (CVE-2021-40444) in MSHTML, also known as Microsoft’s legacy Trident rendering engine. The flaw can be abused to achieve arbitrary code execution using a malicious ActiveX control within a Microsoft Office document that hosts the browser rendering engine. This is the vulnerability we learned of on September 7 and was used in targeted attacks on Office users. Code to exploit the hole has been passed around the web and between security researchers, so get patching.

Another fix updates a publicly disclosed patch from August 11 which addressed last month’s Print Spooler RCE (CVE-2021-36958).

“The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix,” explained Chris Goettl, VP of product management at Ivanti, an IT asset management firm, in a statement emailed to The Register. “The vulnerability has been publicly disclosed and functional exploit code is available, so this puts further urgency on this month’s Windows OS updates.”

Goettl said the third previously disclosed vulnerability (CVE-2021-36968) addresses a privilege elevation flaw in Windows DNS. “This CVE applies to the legacy Windows OSs. Public disclosure gives threat actors a bit of a jump start on developing a working exploit.”

There are other two critical…