Microsoft has introduced security updates as aspect of its monthly Patch Tuesday release cycle to tackle 55 vulnerabilities across Windows, Azure, Visible Studio, Windows Hyper-V, and Office environment, together with fixes for two actively exploited zero-day flaws in Excel and Trade Server that could be abused to consider regulate of an affected program.
Of the 55 glitches, 6 are rated Critical and 49 are rated as Crucial in severity, with four other people outlined as publicly recognized at the time of launch.
The most critical of the flaws are CVE-2021-42321 (CVSS score: 8.8) and CVE-2021-42292 (CVSS score: 7.8), just about every about a post-authentication distant code execution flaw in Microsoft Trade Server and a security bypass vulnerability impacting Microsoft Excel variations 2013-2021 respectively.
The Exchange Server issue is also just one of the bugs that was shown at the Tianfu Cup held in China very last thirty day period. However, the Redmond-based mostly tech large did not provide any specifics on how the two aforementioned vulnerabilities were being utilized in true-planet attacks.
“Previously this 12 months, Microsoft alerted that APT Group HAFNIUM was exploiting four zero-working day vulnerabilities in the Microsoft Exchange server,” claimed Bharat Jogi, director of vulnerability and menace investigate at Qualys.
“This developed into exploits of Trade server vulnerabilities by DearCry Ransomware — which include attacks on infectious disorder researchers, law corporations, universities, defense contractors, coverage think tanks and NGOs. Circumstances these kinds of as these further more underscore that Microsoft Trade servers are superior-price targets for hackers on the lookout to penetrate critical networks,” Jogi included.
Also tackled are four publicly disclosed, but not exploited, vulnerabilities —
- CVE-2021-43208 (CVSS rating: 7.8) – 3D Viewer Distant Code Execution Vulnerability
- CVE-2021-43209 (CVSS score: 7.8) – 3D Viewer Remote Code Execution Vulnerability
- CVE-2021-38631 (CVSS score: 4.4) – Windows Remote Desktop Protocol (RDP) Facts Disclosure Vulnerability
- CVE-2021-41371 (CVSS rating: 4.4) – Windows Distant Desktop Protocol (RDP) Information Disclosure Vulnerability
Microsoft’s November patch also comes with a resolution for CVE-2021-3711, a critical buffer overflow flaw in OpenSSL’s SM2 decryption perform that came to light-weight in late August 2021 and could be abused by adversaries to operate arbitrary code and cause a denial-of-services (DoS) problem.
Other critical remediations consist of fixes for numerous distant code execution flaws in Chakra Scripting Engine (CVE-2021-42279), Microsoft Defender (CVE-2021-42298), Microsoft Digital Device Bus (CVE-2021-26443), Remote Desktop Consumer (CVE-2021-38666), and on-premises variations of Microsoft Dynamics 365 (CVE-2021-42316).
And finally, the update is rounded by patches for a variety of privilege escalation vulnerabilities influencing NTFS (CVE-2021-41367, CVE-2021-41370, CVE-2021-42283), Windows Kernel (CVE-2021-42285), Visual Studio Code (CVE-2021-42322), Windows Desktop Bridge (CVE-2021-36957), and Windows Fast Fats File Procedure Driver (CVE-2021-41377)
To install the hottest security updates, Windows end users can head to Get started > Settings > Update & Security > Windows Update or by picking Examine for Windows updates.
Program Patches From Other Distributors
In addition to Microsoft, security updates have also been produced by a selection of other sellers to rectify several vulnerabilities, which includes —
- Linux distributions Oracle Linux, Crimson Hat, and SUSE
- Schneider Electric powered, and
Observed this post attention-grabbing? Follow THN on Fb, Twitter and LinkedIn to browse much more special written content we put up.
Some pieces of this article are sourced from: