Extra urgency in June's Patch Tuesday: Microsoft warns six more bugs are being exploited
Adobe, Intel, SAP, Android emit vulnerability fixes, too
Microsoft's traditional Patch Tuesday saw the software giant release fixes for 50 flaws, and a reminder to apply updates as soon as possible because six of them are being exploited in the wild by miscreants.
Potentially the most serious of the six, CVE-2021-33742, allows for remote code execution via the Windows MSHTML Platform. Details of this security hole have been disclosed in some form, we're told. Shane Huntley, director of Google's Threat Analysis Group, noted a “commercial exploit company” seems to be linked to this vulnerability “for limited nation state Eastern Europe and Middle East targeting.”
The bug is present on PC and server platforms going all the way back to Windows 7, and comes with a CVSS score of 7.5. A maliciously crafted webpage or some other file can execute arbitrary code on the machine when opened and parsed by MSHTML, which is "used by Internet Explorer mode in Microsoft Edge as well as other applications through WebBrowser control," according to Microsoft.
The other five exploited-in-the-wild flaws are all rated as important; four deal with elevations of privilege, and there's a single information leakage issue. While this might not sound too bad, it's weaknesses like these that are much beloved by crooks looking to move around networks and sow malware after an initial intrusion. Details of one of the exploited privilege-escalation bugs (CVE-2021-33739) are said to be public.
An additional important denial-of-service vulnerability in Remote Desktop Services, CVE-2021-31968, that goes back to Windows 7 has been publicly disclosed, too, Microsoft notes, but not yet exploited in the wild. Nevertheless, patch sooner rather than later.
In all, only five of the 50 flaws are rated critical, but they are in high-value areas that criminals would love to exploit. One critical issue is in Microsoft Defender, though that'll be automatically patched, as will the critical VP9 codecs flaw from the Microsoft Store. The others will need patching, warned ZDI's Dustin Childs.
"The remaining critical-rated bugs include a browse-and-own bug in the scripting engine and a remote code execution vulnerability in SharePoint," Childs wrote.
"The SharePoint bug requires no user interaction but does require some level of privilege. The attack complexity is listed as high, but considering the target, attackers are likely to do everything possible to turn this into a practical exploit."
Microsoft Office got its usual patches, as did Edge, Outlook, Excel, Visual Studio and, funnily enough, Windows Cryptographic Services.
And the rest
Not to be outdone, Adobe released a monster patch bundle too, with 39 fixes for ten of the venerable software house's macOS and Windows applications.
Top of the list is After Effects, with eight critical vulns in Adobe's buffer code, which can be exploited to achieve code execution (all rated CVSS 7.8), seven important issues, and one moderate mistake. Acrobat and Reader got five critical fixes, all allowing for code execution and all down to Adobe's buffer issues again, as are the two critical flaws fixed in Photoshop.
Adobe says none of the flaws are being actively exploited in the wild, as far as anyone knows, though patching as soon as possible is advised.
Intel, meanwhile, issued 29 security advisories covering 79 specific flaws, over half of which it found itself, with another 40 per cent coming from Intel's bug bounty program, according to Jerry Bryant, Chipzilla's director of security communications.
SAP also dumped out 17 security notices, a mostly harmless bunch but with some nasty remote code execution flaws. And Android put its patches out on Monday, which should be automatically applied depending on your handset provider. ®