Patch Tuesday Microsoft’s traditional patch Tuesday saw the software giant release fixes for 50 bugs and a reminder to apply updates as soon as possible because six of them are exploited in nature by criminals.
Potentially the most serious of the six, CVE-2021-33742, allows remote code execution via the Windows MSHTML Platform. Details about this security hole have been revealed in some form, we are told. Shane Huntley, director of Google’s threat analysis team, noted that a “commercial exploitation business” appears to be linked to this vulnerability “for targeting the limited nation state of Eastern Europe and the Middle East.”
The bug is found on PC and server platforms that go all the way back to Windows 7 and come with a CVSS score of 7.5. A maliciously crafted Web page or other file may execute arbitrary code on the machine when opened and parsed by MSHTML, which is “used by Internet Explorer mode in Microsoft Edge, as well as other applications through WebBrowser control,”
The other five exploited faults in nature are all considered important; four deal with increases in privilege and there is a single problem with information leakage. While this may not sound too bad, it is vulnerabilities like this one that are much loved by villains who want to move around in networks and then malware after a first intrusion. Details of one of the exploited privilege escalation bugs (CVE-2021-33739)
is said to be public.
An additional important denial-of-service vulnerability with Remote Desktop Services, CVE-2021-31968, which goes back to Windows 7, has also been released, Microsoft notes, but not yet exploited in nature. Nevertheless, patch faster than later.
In total, five of the 50 deficiencies are critical, although they are in high-value areas that criminals would like to exploit. A critical issue is in Microsoft Defender, though it automatically patches, just as the critical VP9 codecs are bugs from the Microsoft Store. The others need to be patched, warned ZDIs Dustin Childs.
“The remaining critically assessed errors include a browsing-and-own error in the scripting engine and an external vulnerability with code execution in SharePoint,” Childs wrote.
“SharePoint bug requires no user interaction but requires some privilege. Attack complexity is set as high, but given the target, attackers are likely to do anything to make this a practical exploit.”
Microsoft Office got its usual patches, like Edge, Outlook, Excel, Visual Studio and, funnily enough, Windows Cryptographic Services.
And the rest
Not to be outdone, Adobe also released a monster patch bundle with 39 fixes for ten of the venerable software house MacOS and Windows applications.
At the top of the list is After Effects with eight critical vulns in Adobe’s buffer code that can be exploited to achieve code execution (all rated CVSS 7.8), seven key issues, and a moderate bug. Acrobat and Reader received five critical fixes, all of which enabled code execution and all the way back to Adobe’s buffer issues, as well as the two critical bugs fixed in PhotoShop.
Adobe says that none of the shortcomings are actively exploited in nature, as far as anyone knows, although it is recommended to patch as soon as possible.
Meanwhile, Intel issued 29 security consultations covering 79 specific flaws, more than half of which were located, and a further 40 percent came from Intel’s bug bounty program, according to Jerry Bryant, Chipzilla’s director of security communications.
SAP also dumped 17 security messages, a mostly harmless bunch, but with some unpleasant removal of code execution errors. And Android released its Android patches on Monday, which should be used automatically depending on your phone provider. ®