Microsoft Security Releases for September 2021

For September, Microsoft released patches today for 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. This is in addition to the 20 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the September total to 86 CVEs.

Of the 66 new CVEs patched today, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume is slightly higher than the average for 2021, which is below the 2020 volume while still above what was seen in 2019. As with last month, Microsoft spent significant resources responding to bugs under active attack, most notably CVE-2021-40444. One other bug is listed as publicly known but not being exploited (for now).

Executive Summary

Microsoft released security updates for all Windows client and server products.

Security updates were also released for other Microsoft products, such as Azure Sphere, Microsoft Edge, Microsoft Office, Visual Studio, Dynamics Business Central Control, and Microsoft Accessibility Insights for Android.

The following client versions of Windows have known issues: Windows 7, Windows 8.1, Windows 10 version 1809, and Windows 10 versions 2004, 20H2, and 21H1.

The following server versions of Windows have known issues: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, and Windows Server versions 2004 and 20H2.

Windows Clients

Windows 7 (extended support only): 22 vulnerabilities: 2 critical and 20 important

Windows Scripting Engine Memory Corruption Vulnerability — CVE-2021-26435

Windows WLAN AutoConfig Service Remote Code Execution Vulnerability — CVE-2021-36965

Windows 8.1: 24 vulnerabilities: 2 critical and 22 important

same as Windows 7

Windows 10 version 1903 and 1909: 32 vulnerabilities: 2 critical and 30 important

same as Windows 7

Windows 10 version 2004, 20H2 and 21H1: 32 vulnerabilities: 2 critical and 30 important

same as Windows 7

Windows Servers

Windows Server 2008 R2 (extended support only): 22 vulnerabilities: 2 critical and 20 important

Windows Scripting Engine Memory Corruption Vulnerability — CVE-2021-26435

Windows WLAN AutoConfig Service Remote Code Execution Vulnerability — CVE-2021-36965

Windows Server 2012 R2: 24 vulnerabilities: 2 critical and 22 important

same as Windows Server 2008 R2.

Windows Server 2016: 28 vulnerabilities: 2 critical and 26 important

same as Windows Server 2008 R2.

Windows Server 2019: 32 vulnerabilities: 2 critical and 30 important

same as Windows Server 2008 R2.

Windows Server 2022: 29 vulnerabilities: 7 critical and 18 important

same as Windows Server 2008 R2.

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2 (extended support only):

Monthly Rollup: KB5005633

Security-Only: KB5005615

Updates and improvements:

Addresses an issue in which a driver might not install if the driver is signed with more than one code-signing signature.

This update also contains miscellaneous security improvements to internal OS functionality.

Windows 8.1 and Windows Server 2012 R2

Monthly Rollup: KB5005613

Security-only: KB5005627

Updates and improvements:

This update contains miscellaneous security improvements to internal OS functionality. No additional issues were documented for this release.

Windows 10 version 1909

Support Page: KB5005566 

Updates and improvements:

Addresses an issue that causes PowerShell to create an infinite number of child directories. This issue occurs when you use the PowerShell Move-Item command to move a directory to one of its children. As a result, the volume fills up and the system stops responding.

Security updates

Windows 10 version 2004, 20H2 and 21H1

Support Page: KB5005565 

Updates and improvements:

Addresses an issue that causes PowerShell to create an infinite number of child directories. This issue occurs when you use the PowerShell Move-Item command to move a directory to one of its children. As a result, the volume fills up and the system stops responding.

Security updates

Other security updates

2021-09 Cumulative Security Update for Internet Explorer (KB5005563)

Windows Server

2021-09 Security Monthly Quality Rollup for Windows Server 2008 (KB5005606)

2021-09 Security Only Quality Update for Windows Server 2008 (KB5005618)

2021-09 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012 (KB5005607)

2021-09 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012 (KB5005623)

2021-09 Cumulative Update for Microsoft server operating system version 21H2 for x64-based Systems (KB5005575)

2021-09 Cumulative Update for Windows Server 2016 and Windows 10 Version 1607 (KB5005573)

Servicing Stack Updates

2021-09 Servicing Stack Update for Windows Server 2016 and Windows 10 Version 1607 (KB5005698)

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

Certain operations may fail on Cluster Shared Volumes with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

Workaround: run the operations from an elevated process, or from a node that does not have CSV ownership.

Updates may be reverted if the system does not support ESU.

Expected behaviour.

Windows 8.1 and Windows Server 2012 R2

Certain operations may fail on Cluster Shared Volumes with the error “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.

Workaround: run the operations from an elevated process, or from a node that does not have CSV ownership.

Windows 10 version 1809

Some devices with unspecified Asian language packs installed may throw the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND”.

Workaround: uninstall and reinstall the recently added language packs, then run a manual check for updates.

If that does not work, Microsoft suggests using the Reset this PC function and choosing to keep your files.

Windows 10 version 2004, 20H2 and 21H1

Some devices may be unable to install updates, throwing the error “PSFX_E_MATCHING_BINARY_MISSING”.

Check out our guide on fixing the error.

Custom offline media or custom ISO image installations on devices may remove Microsoft Edge Legacy but may not replace it with the Chromium-based Microsoft Edge.

Workaround described on the support page.

Security advisories and updates

ADV 990001: Latest Servicing Stack Updates

Other updates

2021-09 Cumulative Update for .NET Framework 3.5 and 4.8 for Windows Server, version 20H2, Windows 10 Version 20H2, Windows Server, version 2004, Windows 10 Version 2004, Windows Server, version 1909, Windows 10 Version 1909, Windows Server 2019 (1903), and Windows 10 Version 1903 (KB5005548)

Additional resources

September 2021 Security Updates release notes

List of software updates for Microsoft products

List of the latest Windows Updates and Service Packs

Security Updates Guide

Microsoft Update Catalog site

Our in-depth Windows update guide

How to install optional updates on Windows 10

Windows 10 Update History

Windows 8.1 Update History

Windows 7 Update History

Big thanks to the patchmanagement.org team!