Microsoft issues patch for zero-day flaw in windows
Microsoft has released fixes for software in its monthly Patch release cycle to address 66 security holes impacting Windows and other components. These include Azure, Office, BitLocker, and Visual Studio, along with an exploited zero-day in its MSHTML Platform that was identified last week.
All the 66 flaws are Critical, where 62 of them are rated Important, and one of them is rated Moderate in severity. This is apart from the 20 flaws in the Microsoft Edge browser addressed by the company.
One of the most important updates relates to a fix for CVE-2021-40444 (CVSS score: 8.8) which is an actively exploited remote code execution flaw in MSHTML that takes advantage of malicious Microsoft Office documents. The EXPMON researchers pointed out that the exploit uses logical flaws, so the attack is perfectly reliable.
The multinational technology giant also addressed a publicly revealed flaw in Windows DNS. The flaw is dubbed CVE-2021-36968 and has not been actively exploited. This elevation of privilege flaw is rated 7.8 in severity.
Other vulnerabilities resolved by Microsoft include many remote code execution bugs in Open Management Infrastructure (CVE-2021-38647), Windows WLAN AutoConfig Service (CVE-2021-36965), Office (CVE-2021-38659), Visual Studio (CVE-2021-36952), and Word (CVE-2021-38656) along with memory corruption flaw in Windows Scripting Engine (CVE-2021-26435)
There is more to it. Microsoft also fixed three privilege escalation flaws newly discovered in its Print Spooler service, which are designated CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447. Other flaws CVE-2021-36975 and CVE-2021-38639 relate to an elevation of privilege flaws in Win32k. These are recorded as exploitation more likely, indicating that users should quickly take steps to apply the security updates.