Microsoft has released security updates as part of its monthly Patch Tuesday release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system.
Of the 55 bugs, 6 are rated Critical and 49 are rated Important in severity, with 4 others listed as publicly known at the time of release.
The most critical of the flaws are CVE-2021-42321 (CVSS score: 8.8) and CVE-2021-42292 (CVSS score: 7.8), a post-authentication remote code execution flaw in Microsoft Exchange Server and a security bypass vulnerability affecting Microsoft Excel versions 2013-2021, respectively.
The Exchange Server issue is also one of the bugs that was demonstrated at the Tianfu Cup held in China last month. However, the Redmond-based tech giant did not provide any details on how the two aforementioned vulnerabilities were used in real-world attacks.
“Earlier this year, Microsoft warned that APT Group HAFNIUM was exploiting four zero-day vulnerabilities in the Microsoft Exchange server,” said Bharat Jogi, director of vulnerability and threat research at Qualys.
“This evolved into exploits of Exchange server vulnerabilities by DearCry Ransomware — including attacks on infectious disease researchers, law firms, universities, defense contractors, policy think tanks and NGOs. Events such as these further underscore that Microsoft Exchange servers are high-value targets for hackers looking to penetrate critical networks,” Jogi added.
Also addressed are four publicly disclosed, but not exploited, vulnerabilities —
- CVE-2021-43208 (CVSS score: 7.8) – 3D Viewer Remote Code Execution Vulnerability
- CVE-2021-43209 (CVSS score: 7.8) – 3D Viewer Remote Code Execution Vulnerability
- CVE-2021-38631 (CVSS score: 4.4) – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
- CVE-2021-41371 (CVSS score: 4.4) – Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
Microsoft’s November patch also comes with a fix for CVE-2021-3711, a critical buffer overflow flaw in OpenSSL’s SM2 decryption function that came to light in late August 2021 and could be abused by adversaries to run arbitrary code and cause a denial-of-service (DoS) condition.
Other important remediations include fixes for multiple remote code execution flaws in Chakra Scripting Engine (CVE-2021-42279), Microsoft Defender (CVE-2021-42298), Microsoft Virtual Machine Bus (CVE-2021-26443), Remote Desktop Client (CVE-2021-38666), and on-premises versions of Microsoft Dynamics 365 (CVE-2021-42316).
Finally, the update is rounded out by patches for a number of privilege escalation vulnerabilities affecting NTFS (CVE-2021-41367, CVE-2021-41370, CVE-2021-42283), Windows Kernel (CVE-2021-42285), Visual Studio Code (CVE-2021-42322), Windows Desktop Bridge (CVE-2021-36957), and Windows Fast FAT File System Driver (CVE-2021-41377).
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.
Software Patches From Other Vendors
In addition to Microsoft, security updates have also been released by a number of other vendors to rectify several vulnerabilities, including —
- Adobe
- Android
- Cisco
- Citrix
- Intel
- Linux distributions Oracle Linux, Red Hat, and SUSE
- Samba
- SAP
- Schneider Electric, and
- Siemens
Some parts of this article are sourced from:
thehackernews.com