MS Patch Tuesday: 71 Vulns, One Exploited as Zero-Day


The Microsoft Patch Tuesday freight train for October rolled in with fixes for at least 71 security defects in Windows products and components, along with an urgent warning about a newly discovered zero-day cyberespionage campaign.

The Redmond, Wash. software maker confirmed in-the-wild exploitation of one of the patched bugs, CVE-2021-40449, in an exploit chain discovered and reported by malware hunters at Kaspersky.

Kaspersky separately said the vulnerability was used in a Chinese-speaking cyberespionage campaign targeting IT companies, diplomatic entities, and military and defense contractors.

Kaspersky researchers Boris Larin and Costin Raiu documented the findings in a blog post on “MysterySnail” and warned that a second vulnerability used by the attacker, an information-disclosure bug, was not fixed.

“We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as not bypassing a security boundary, and was therefore not fixed,” the Kaspersky researchers said.

[ READ: Microsoft Raises Alarm for New Windows Zero-Day Attacks ]

Kaspersky described the issue as a use-after-free vulnerability in the Win32k driver’s NtGdiResetDC function and said the exploit was intercepted by anti-exploit technologies built into its security products.

Microsoft slapped an “important” rating on the flaw and warned that it introduces elevation-of-privilege risk on unpatched Windows systems.

In total, Redmond shipped patches for 71 documented security vulnerabilities in the flagship Windows OS, the Chromium-based Edge browser, Microsoft Exchange, Microsoft Office Services and SharePoint Server.

Two of the 71 documented vulnerabilities are rated “critical,” Microsoft’s highest severity rating.

Security professionals are urging Windows fleet administrators to pay attention to CVE-2021-26427, a remote code execution flaw in Exchange Server that was reported by the U.S. government’s National Security Agency (NSA).

[ READ: Apple Confirms iOS 15 Zero-Day Exploitation ]

The Microsoft fixes come one day after Apple rushed out an urgent iOS patch to address a software flaw being “actively exploited” in the wild.

The Cupertino, Calif. device maker confirmed the latest zero-day in an advisory and urged iPhone and iPad users to upgrade to the newest release, iOS 15.0.2.

So far in 2021, there have been 73 documented in-the-wild zero-day attacks, the majority hitting vulnerable code in products sold by Microsoft, Apple and Google.

Related: Microsoft Office Zero-Day Hit in Targeted Attacks

Related: Apple Confirms New Zero-Day Attacks on Older iPhones

Related: Google: Sophisticated APT Group Burned 11 Zero-Days

Related: Apple Ships Urgent Patch for FORCEDENTRY Zero-Days

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years of experience covering IT security and technology trends.
Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan’s career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive’s ZDNet, PCMag and PC World.
Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world.
Follow Ryan on Twitter @ryanaraine.