Patch Tuesday: Fixes for 50 flaws were released by the software giant on Microsoft’s traditional Patch Tuesday, along with a reminder to apply updates ASAP, as six of them are being exploited by miscreants in the wild.
Potentially the most serious of the six, CVE-2021-33742, enables remote code execution in the Windows MSHTML platform. Details of this vulnerability have been disclosed in some form. Shane Huntley, director of Google’s Threat Analysis Group, noted that a “commercial exploit company” appears to be associated with this vulnerability “for limited nation-state targets on Eastern Europe and the Middle East”.
The flaw is present on PC and server platforms back to Windows 7 and has a CVSS score of 7.5. A maliciously crafted web page or other file can run arbitrary code on your computer if opened and parsed by MSHTML, which Microsoft says is “used by Internet Explorer mode in Microsoft Edge and other applications through web browser controls”.
The other five bugs exploited in the wild are all classified as important; four deal with elevation of privilege and there is a single information disclosure problem. While this may not sound bad, it is weaknesses like these that are very popular with crooks who want to move around networks and spread malware after an initial attack. Details of one of the exploited privilege escalation bugs (CVE-2021-33739) should be public.
Another major denial-of-service vulnerability in Remote Desktop Services, CVE-2021-31968, which dates back to Windows 7, was also publicly disclosed, according to Microsoft, but has not yet been exploited in the wild. Still, patch sooner rather than later.
Overall, five of the 50 vulnerabilities are critical, and they are in high-value areas that criminals would like to exploit. One critical issue is in Microsoft Defender, but it is automatically patched, as is the critical VP9 codec bug from the Microsoft Store. The others need to be patched, warned Dustin Childs from ZDI.
“The remaining critical bugs include a browse-and-own bug in the scripting engine and a remote code execution vulnerability in SharePoint,” he wrote.
“The SharePoint bug does not require user interaction, but it does require a degree of privilege. The complexity of the attack is considered high, but given the target, attackers will likely do whatever it takes to turn it into a practical exploit.”
Microsoft Office got its usual patches, as did Edge, Outlook, Excel, Visual Studio and, funnily enough, Windows Cryptographic Services.
And the rest
Not to be outdone, Adobe also released a monster patch bundle with 39 fixes for ten of the venerable software house’s macOS and Windows applications.
At the top of the list is After Effects, with eight critical vulnerabilities in Adobe’s buffer code that can be exploited to execute code (all rated CVSS 7.8), seven major problems, and one moderate bug. Acrobat and Reader get five critical fixes, all for flaws that allow code to run and all again due to Adobe’s buffering problems, as are the two critical flaws fixed in Photoshop.
Adobe says none of the bugs are being actively exploited in the wild as far as is known, although it is recommended that you patch as soon as possible.
Intel, meanwhile, issued 29 security advisories on 79 specific bugs, more than half of which were found and a further 40 percent originate from Intel’s bug bounty program, according to Jerry Bryant, Chipzilla’s director of security communications.
SAP also kicked out 17 security notes, a mostly harmless bunch, but with some nasty remote code execution flaws. And Android put out its patches on Monday, which should be applied automatically depending on the handset provider.