Microsoft tends to provide a lot of information around its patches and, so, there’s a lot to digest and piece together to give you an overview of the most important ones. In total, Microsoft has fixed 71 Windows vulnerabilities, 81 if you include those for Microsoft Edge.
One of the vulnerabilities immediately jumps out since it was used in the wild as part of the MysterySnail attacks, attributed by the researchers that discovered it to a Chinese speaking APT group called IronHusky.
Earlier this month, researchers discovered that a zero-day exploit was used in widespread espionage campaigns against IT companies, military contractors, and diplomatic entities. The payload of these MysterySnail attacks is a Remote Access Trojan (RAT). The actively exploited vulnerability allows malware or an attacker to gain elevated privileges on a Windows device. So far, the MysterySnail RAT has only been spotted on Windows Servers, but the vulnerability can also be used against non-server Windows Operating Systems.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). This one is listed as CVE-2021-40449, a Win32k Elevation of Privilege (EoP) vulnerability, which means the vulnerability allows a user to raise their permissions.
I scared you by mentioning PrintNightmare, right? Well, that may not be completely in vain. The same researchers that discovered the PrintNightmare vulnerability have found yet another vulnerability in Microsoft’s Windows Print Spooler. This one is listed as CVE-2021-36970, a Windows Print Spooler spoofing vulnerability. The exploitation is known to be easy, and the attack may be initiated remotely. No form of authentication is needed for a successful exploitation, but it does require some action by the intended target. We may be hearing more about this one.
An Exchange bug that gets a CVSS score of 9.0 out of 10 is enough to make my hair stand on end. Listed as CVE-2021-26427, this one is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. The exploitation appears to be easy and the attack can be initiated remotely. A single authentication is required for exploitation, so the attacker will need to have some kind of access to exploit this one, which may be why Microsoft listed it as “exploitation less likely.” Exchange Servers are an attractive target and so we have seen a lot of attacks. One worrying flaw reveals users’ passwords and might provide attackers with the credentials they need to use this vulnerability.
Critical Microsoft Word vulnerability
One of the three vulnerabilities classified as critical is an RCE vulnerability in Word, listed as CVE-2021-40486. The vulnerability could allow a remote attacker to trick a victim into opening a specially crafted file, executing arbitrary code on their system.
Windows DNS Server RCE
The last one is only of interest if you are running a server that is configured to act as a DNS server. Listed as CVE-2021-40469, a Windows DNS Server Remote Code Execution vulnerability. The exploitation is known to be easy. The attack may be launched remotely, but the exploitation requires an enhanced level of successful authentication. The vulnerability was disclosed in the form of a Proof-of-Concept (PoC). While it may not be up to you to maintain or patch a DNS server, it’s good to know that this vulnerability exists in case we see weird connection issues as a result of a DNS hijack or denial-of-service.
While many details are still unknown, we have tried to list the ones we can expect to surface as real world problems if they are not patched as soon as possible.
Stay safe, everyone!