Microsoft to Patch multiple Zero-Days, 110 vulnerabilities in total
Microsoft had its hands full Tuesday, fixing five zero-day vulnerabilities (one of them under active attack) and shipping yet more patches for its problem-plagued Exchange Server software.
In all, Microsoft released patches for 110 security holes, 19 classified critical in severity and 88 considered important. The most dire of those flaws disclosed is arguably a Win32k elevation of privilege vulnerability (CVE-2021-28310) actively being exploited in the wild by the cybercriminal group BITTER APT.
Actively Exploited Zero-Day
“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,” wrote Kaspersky in a Tuesday report detailing its find.
The bug is an out-of-bounds write in the Windows dwmcore.dll library, which is part of the Desktop Window Manager (dwm.exe). “Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API,” wrote Kaspersky researchers Boris Larin, Costin Raiu and Brian Bartholomew, co-authors of the report.
More Bugs Tied to Plagued Exchange
Of note, the U.S. National Security Agency released information on four critical Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) impacting versions released between 2013 and 2019.
“These vulnerabilities have been rated ‘exploitation more likely’ using Microsoft’s Exploitability Index. Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately,” wrote Satnam Narang, staff research engineer with Tenable in commentary shared with Threatpost.
Microsoft notes that two of the four Exchange bugs reported by the NSA were also found internally by its own research team.
Office Remote Code-Execution Bugs
Troublesome, given how ubiquitous Microsoft Office is, are four remote code execution (RCE) vulnerabilities patched this month in the productivity suite. Microsoft Word (CVE-2021-28453) and Excel (CVE-2021-28454, CVE-2021-28451) are impacted, and a fourth bug (CVE-2021-28449) is listed only as affecting Microsoft Office. The updates are rated “important” and, according to Microsoft, impact all versions of Office, including Office 365.
Jay Goodman, manager of product marketing at Automox, noted in his Patch Tuesday commentary that Microsoft’s security holes this month include a number of flaws identified as remote procedure call (RPC) runtime RCE bugs.
“RPC is a protocol used to request a service from a program that is located on another computer or device on the same network,” he explained. “The vulnerabilities allow for remote code execution on the target system. The vulnerability may be exploited by sending a specially crafted RPC request. Depending on the user privileges, an attacker could install programs, change or delete data, or create additional user accounts with full user rights.”
Microsoft rates this vulnerability type as “exploitation less likely”; even so, Goodman said it is highly recommended to patch and remediate any RCE vulnerabilities on systems quickly: “Leaving latent vulnerabilities with RCE exploits can easily lead to a faster-spreading attack.”
Microsoft’s April Patch Tuesday update was complemented by Adobe’s monthly slew of patches, which addressed 10 security bugs, seven of them critical.
Source: threatpost.com