Microsoft on Tuesday rolled out its scheduled month to month security update with patches for 55 security flaws affecting Windows, Trade Server, Internet Explorer, Workplace, Hyper-V, Visible Studio, and Skype for Organization.
Of these 55 bugs, four are rated as Critical, 50 are rated as Essential, and just one is listed as Average in severity. A few of the vulnerabilities are publicly identified, although, in contrast to previous month, none of them are less than active exploitation at the time of release.
The most critical of the flaws addressed is CVE-2021-31166, a wormable distant code execution vulnerability in the HTTP protocol stack. The issue, which could allow an unauthenticated attacker to send a specifically crafted packet to a specific server, is rated 9.8 out of a greatest of 10 on the CVSS scale.
An additional vulnerability of observe is a distant code execution flaw in Hyper-V (CVE-2021-28476), which also scores the highest severity amid all flaws patched this thirty day period with a CVSS rating of 9.9.
“This issue will allow a guest VM to power the Hyper-V host’s kernel to read from an arbitrary, perhaps invalid deal with,” Microsoft stated in its advisory. “The contents of the tackle read would not be returned to the visitor VM. In most circumstances, this would end result in a denial of provider of the Hyper-V host (bugcheck) due to examining an unmapped deal with.”
“It is possible to examine from a memory mapped machine sign up corresponding to a components system attached to the Hyper-V host which could set off added, hardware product specific facet results that could compromise the Hyper-V host’s security,” the Windows maker pointed out.
In addition, the Patch Tuesday update addresses a scripting motor memory corruption flaw in Internet Explorer (CVE-2021-26419) and 4 weaknesses in Microsoft Exchange Server, marking the third consecutive thirty day period Microsoft has transported fixes for the product or service since ProxyLogon exploits came to gentle in March —
- CVE-2021-31207 (CVSS rating: 6.6) – Security Characteristic Bypass Vulnerability (publicly regarded)
- CVE-2021-31195 (CVSS score: 6.5) – Distant Code Execution Vulnerability
- CVE-2021-31198 (CVSS score: 7.8) – Remote Code Execution Vulnerability
- CVE-2021-31209 (CVSS score: 6.5) – Spoofing Vulnerability
Though CVE-2021-31207 and CVE-2021-31209 have been demonstrated at the 2021 Pwn2Personal contest, Orange Tsai from DEVCORE, who disclosed the ProxyLogon Trade Server vulnerability, is credited with reporting CVE-2021-31195.
Elsewhere, the update addresses a slew of privilege escalation bugs in Windows Container Supervisor Assistance, an info disclosure vulnerability in Windows Wi-fi Networking, and numerous distant code execution flaws in Microsoft Place of work, Microsoft SharePoint Server, Skype for Business, and Lync, Visual Studio, and Windows Media Foundation Main.
To set up the most recent security updates, Windows users can head to Start out > Configurations > Update & Security > Windows Update, or by choosing Check out for Windows updates.
Identified this write-up attention-grabbing? Adhere to THN on Facebook, Twitter and LinkedIn to go through far more distinctive information we article.
Some components of this article are sourced from: