The company released details of one zero-day earlier this month.
It said at the time that it was investigating reports of a remote code execution vulnerability in MSHTML.
The 86 flaws detailed on Tuesday, in its regular Patch Tuesday release, were in the following categories:
- elevation of privilege (27);
- remote code execution (16);
- information disclosure (11);
- spoofing (8);
- security feature bypass (2); and
- denial of service (1).
"This month's release includes a fix for CVE-2021-40444, a critical vulnerability in Microsoft's MSHTML (Trident) engine. This vulnerability was disclosed on September 7 and researchers developed a number of proof-of-concept exploits showing the ease and reliability of exploitation. An attacker would need to convince a user to open a specially crafted Microsoft Office document containing the exploit code.
"There have been warnings that this vulnerability will be incorporated into malware payloads and used to distribute ransomware. There are no indications that this has happened yet, but with the patch now available, organisations should prioritise updating their systems as soon as possible."
Narang pointed out that Microsoft had also patched three elevation of privilege vulnerabilities in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447).
"For the last few months, we have seen a steady stream of patches for flaws in Windows Print Spooler following the disclosure of PrintNightmare in July," he said.
"Researchers continue to discover ways to exploit Print Spooler, and we expect continued research in this area. Only one (CVE-2021-38671) of the three vulnerabilities is rated as more likely to be exploited. Organisations should also prioritise patching these flaws as they are extremely valuable to attackers in post-exploitation scenarios."