Only three patches were rated Critical this month. Two of them were remote code execution (RCE) vulnerabilities (CVE-2021-38672 and CVE-2021-40461) found in Hyper-V, a hardware virtualization tool. The other Critical fix was for an RCE found in Microsoft Word (CVE-2021-40486).
Meanwhile, CVE-2021-40449, a Win32k Elevation of Privilege Vulnerability, was discovered being actively exploited in what was likely a targeted campaign. Microsoft also fixed three other publicly known vulnerabilities, CVE-2021-40469, CVE-2021-41338, and CVE-2021-41335, with no reported exploits.
Among the 71 bulletins addressed issues found in Microsoft Storage Spaces, Microsoft Excel, and SharePoint. Most of the RCE vulnerabilities were found within the Office family. Exploits to these vulnerabilities would require a specially crafted file that a user would have to open. An exception is CVE-2021-40469, a DNS vulnerability mentioned earlier, but this still requires high privilege to use in an attack.
Two bulletins were also included for print spooler and one for MSHTML. In July, Microsoft released an out-of-band (OOB) patch to quickly address print spooler flaws; the company also issued an early fix ahead of the patch Tuesday for an MSHTML vulnerability in August.