This month’s Patch Tuesday release includes fixes for 74 CVEs, three of which are rated critical including one vulnerability that was exploited in the wild as a zero-day.
<p>This month’s release includes a fix for CVE-2021-36970, a spoofing vulnerability in Microsoft’s Windows Print Spooler. The vulnerability was discovered by researchers XueFeng Li and Zhiniang Peng of Sangfor. They were also credited with the discovery of CVE-2021-1675, one of two vulnerabilities known as PrintNightmare. While no details have been shared publicly about the flaw, this is definitely one to watch for, as we saw a constant stream of Print Spooler-related vulnerabilities patched over the summer while ransomware groups began incorporating PrintNightmare into their affiliate playbook. We strongly encourage organizations to apply these patches as soon as possible.</p>
<p>Microsoft also patched CVE-2021-40449, an elevation of privilege vulnerability in Win32k. According to reports, this flaw was exploited in the wild as a zero-day. It is not uncommon to see zero-day elevation of privilege flaws patched during Patch Tuesday. These flaws are most valuable in post-compromise scenarios once an attacker has gained access to a target system through other means, in order to execute code with elevated privileges.</p>
<p>Today’s Patch Tuesday sees Microsoft issuing fixes for over 70 CVEs, affecting the usual mix of their product lines. From Windows, Edge, and Office, to Exchange, SharePoint, and Dynamics, there is plenty of patching to do for workstation and server administrators alike.</p>
<p>One vulnerability has already been seen exploited in the wild: CVE-2021-40449 is an elevation of privilege vulnerability in all supported versions of Windows, including the newly released Windows 11. Rated as Important, this is likely being used alongside Remote Code Execution (RCE) and/or social engineering attacks to gain more complete control of targeted systems.<br /><br />Three CVEs were publicly disclosed before today, though haven’t yet been observed in active exploitation. CVE-2021-40469 is an RCE vulnerability affecting Microsoft DNS servers, CVE-2021-41335 is another privilege escalation vulnerability in the Windows Kernel, and CVE-2021-41338 is a flaw in Windows AppContainer allowing attackers to bypass firewall rules.<br /><br />Attackers will likely be paying attention to the latest Windows Print Spooler vulnerability – CVE-2021-36970 is a Spoofing vulnerability with a CVSSv3 score of 8.8 that we don’t yet have much more information about. Also worth noting is CVE-2021-40486, an RCE affecting Microsoft Word, OWA, as well as SharePoint Server, and can be exploited via the Preview Pane. CVE-2021-40487 is another RCE affecting SharePoint Server that Microsoft expects to be exploited before too long.<br /><br />Another notable vulnerability is CVE-2021-26427, the latest in Exchange Server RCEs. The severity is mitigated by the fact that attacks are limited to a “logically adjacent topology,” meaning that it cannot be exploited directly over the public Internet. Three other vulnerabilities related to Exchange Server were also patched: CVE-2021-41350, a Spoofing vulnerability; CVE-2021-41348, allowing elevation of privilege, and CVE-2021-34453, which is a Denial of Service vulnerability.<br /><br />Finally, virtualisation administrators should be aware of two RCEs affecting Windows Hyper-V: CVE-2021-40461 and CVE-2021-38672. Both affect relatively new versions of Windows and are considered Critical. allowing a VM to escape from guest to host by triggering a memory allocation error, allowing it to read kernel memory in the host.</p>
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics