Microsoft patches actively exploited Windows kernel flaw




This month’s relatively modest package of security updates fixes 56 vulnerabilities, including a zero-day bug and 11 flaws rated critical.

Yesterday was the second Tuesday of the month, which means that Microsoft is rolling out patches for security vulnerabilities found in Windows and its other products. The second batch of security updates this year brings fixes for 56 vulnerabilities, including a zero-day flaw that is actively being exploited in the wild.

The elevation-of-privilege vulnerability, tracked as CVE-2021-1732 and rated “important” in severity, resides in the Windows kernel component Win32k. According to the SANS Institute, it is a local vulnerability: “the attacker needs to have local access to the machine (console or SSH, for example) or rely on user interaction, like a user opening a malicious document.”

The flaw also prompted a response from the Cybersecurity and Infrastructure Security Agency (CISA), which issued an alert: “CISA encourages users and administrators to review Microsoft’s Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows Server 2019.”

Beyond the zero-day bug, the latest round of updates also includes fixes for 11 security flaws that received the highest rating of “critical”, while six flaws were listed as publicly known at the time of release. The vast majority of the remainder were rated “important” and two were rated “moderate” in severity.


Among those rated critical, four vulnerabilities scored a “near-perfect” 9.8 out of 10 on the CVSS scale and are classified as Remote Code Execution (RCE) vulnerabilities.

The first, tracked as CVE-2021-24078, resides in Windows DNS Server and could allow a remote attacker to execute arbitrary code on the target host. The SANS Institute also cautioned that, since the bug requires no user interaction, it could potentially be wormable.

Meanwhile, two other critical RCEs, tracked as CVE-2021-24074 and CVE-2021-24094, affect the Windows TCP/IP implementation. Although Microsoft said that creating functional exploits for them would be difficult, the Redmond giant believes that attackers could far more quickly weaponize them, together with a related denial-of-service (DoS) vulnerability tracked as CVE-2021-24086, in DoS attacks.
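For hosts that cannot take the update immediately, Microsoft published interim workarounds for the TCP/IP flaws alongside the fixes: drop IPv4 source-routed packets (CVE-2021-24074) and set the IPv6 reassembly limit to zero (CVE-2021-24094 and CVE-2021-24086). The script below is an added example, not code from the original article or from Microsoft; it audits whether those two settings are in place on the local machine and, with a `-Apply` switch of its own, applies them using the netsh commands Microsoft documented. The function names, the switch and the English-locale netsh output labels it parses are this example's assumptions.

```powershell
# Added example (not from the original article or from Microsoft): audit, and
# optionally apply, the interim TCP/IP workarounds Microsoft published for
# CVE-2021-24074 (IPv4 source routing) and CVE-2021-24094 / CVE-2021-24086
# (IPv6 packet reassembly). These are stopgaps; the February update is the fix.
# Run in an elevated PowerShell session. The -Apply switch and the function
# names are this script's own.
[CmdletBinding()]
param([switch]$Apply)

function Get-NetshGlobalValue {
    param(
        [ValidateSet('ipv4', 'ipv6')][string]$Family,
        [string]$Label
    )
    # "netsh interface <family> show global" prints "Label : value" lines.
    # Assumption: English-locale output; the labels differ on localized builds.
    $pattern = '^\s*' + [regex]::Escape($Label) + '\s*:'
    $line = netsh interface $Family show global | Where-Object { $_ -match $pattern }
    if (-not $line) { return $null }
    return (($line | Select-Object -First 1) -split ':', 2)[1].Trim()
}

function Test-TcpIpWorkaround {
    # Report whether each workaround is currently in effect.
    $srb = Get-NetshGlobalValue -Family ipv4 -Label 'Source Routing Behavior'
    $ral = Get-NetshGlobalValue -Family ipv6 -Label 'Reassembly Limit'
    [pscustomobject]@{
        SourceRoutingBehavior = $srb
        Ipv4Mitigated         = ($srb -eq 'drop')   # CVE-2021-24074
        ReassemblyLimit       = $ral
        Ipv6Mitigated         = ($ral -eq '0')      # CVE-2021-24094 / CVE-2021-24086
    }
}

function Set-TcpIpWorkaround {
    # The two commands Microsoft published. Dropping source-routed packets does
    # not affect normal traffic; a reassembly limit of 0 makes the host discard
    # every fragmented IPv6 packet, which can break legitimate traffic, so test
    # first and record the previous limit so it can be restored after patching.
    netsh interface ipv4 set global sourceroutingbehavior=drop | Out-Null
    netsh interface ipv6 set global reassemblylimit=0 | Out-Null
}

$before = Test-TcpIpWorkaround
$before | Format-List

if ($Apply -and -not ($before.Ipv4Mitigated -and $before.Ipv6Mitigated)) {
    Set-TcpIpWorkaround
    Write-Host 'Workarounds applied; re-checking:'
    Test-TcpIpWorkaround | Format-List
}
```

Run it without arguments to audit, and with `-Apply` to enforce the settings. Keep the `ReassemblyLimit` value the audit printed before applying, since that is the value to put back once the update is installed and fragmented IPv6 traffic should be accepted again.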

Security updates were released for various types of Windows products, Microsoft Office, Skype for Business, and other offerings in the Microsoft portfolio.

As always, both system administrators and regular users are advised to apply patches as soon as possible.


