Microsoft on Tuesday released another round of security updates for Windows operating system and other supported software, squashing 50 vulnerabilities, including six zero-days that are said to be under active attack.
The flaws were identified and resolved in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.
Of these 50 bugs, five are rated Critical, and 45 are rated Important in severity, with three of the issues publicly known at the time of release. The vulnerabilities that being actively exploited are listed below -
- CVE-2021-33742 (CVSS score: 7.5) - Windows MSHTML Platform Remote Code Execution Vulnerability
- CVE-2021-33739 (CVSS score: 8.4) - Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2021-31199 (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31201 (CVSS score: 5.2) - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31955 (CVSS score: 5.5) - Windows Kernel Information Disclosure Vulnerability
- CVE-2021-31956 (CVSS score: 7.8) - Windows NTFS Elevation of Privilege Vulnerability
Microsoft didn't disclose the nature of the attacks, how widespread they are, or the identities of the threat actors exploiting them. But the fact that four of the six flaws are privilege escalation vulnerabilities suggests that attackers could be leveraging them as part of an infection chain to gain elevated permissions on the targeted systems to execute malicious code or leak sensitive information.
The Windows maker also noted that both CVE-2021-31201 and CVE-2021-31199 address flaws related to CVE-2021-28550, an arbitrary code execution vulnerability rectified by Adobe last month that it said was being "exploited in the wild in limited attacks targeting Adobe Reader users on Windows."
Google's Threat Analysis Group, which has been acknowledged as having reported CVE-2021-33742 to Microsoft, said "this seem[s] to be a commercial exploit company providing capability for limited nation state Eastern Europe / Middle East targeting."
Russian cybersecurity firm Kaspersky, for its part, detailed that CVE-2021-31955 and CVE-2021-31956 were abused in a Chrome zero-day exploit chain (CVE-2021-21224) in a series of highly targeted attacks against multiple companies on April 14 and 15. The intrusions were attributed to a new threat actor dubbed "PuzzleMaker."
"While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges," Kaspersky Lab researchers said.
Elsewhere, Microsoft fixed numerous remote code execution vulnerabilities spanning Paint 3D, Microsoft SharePoint Server, Microsoft Outlook, Microsoft Office Graphics, Microsoft Intune Management Extension, Microsoft Excel, and Microsoft Defender, as well as several privilege escalation flaws in Microsoft Edge, Windows Filter Manager, Windows Kernel, Windows Kernel-Mode Driver, Windows NTLM Elevation, and Windows Print Spooler.
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or by selecting Check for Windows updates.
Software Patches From Other Vendors
Alongside Microsoft, a number of other vendors have also released a slew of patches on Tuesday, including —
- Linux distributions SUSE, Oracle Linux, and Red Hat
- SAP (with cybersecurity firm Onapsis credited with identifying 20 of the 40 remediated flaws)
- Schneider Electric, and