SecurityWeek

MS Patch Tuesday: 71 Vulns, One Exploited as Zero-Day

The Microsoft Patch Tuesday freight train for October rolled in with fixes for at least 71 security defects in Windows products and components and an urgent warning about a newly discovered zero-day cyberespionage campaign.

The Redmond, Wash. software maker confirmed in-the-wild exploitation of one of the patched bugs — CVE-2021-40449 — in an exploit chain discovered and reported by malware hunters at Kaspersky.

Kaspersky separately said the vulnerability was used in a Chinese-speaking cyber-espionage campaign targeting IT companies, diplomatic entities, and military and defense contractors.

Kaspersky researchers Boris Larin and Costin Raiu documented the findings in a blog post on “MysterySnail” and warned that a second, information-disclosure vulnerability used by the attacker was not fixed.

“We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as not bypassing a security boundary, and was therefore not fixed,” the Kaspersky researchers said.


Kaspersky described the issue as a use-after-free vulnerability in Win32k’s NtGdiResetDC function and said the exploit was intercepted by anti-exploit technologies built into its security product lines.

Microsoft slapped an “important” rating on the flaw and warned that it introduced elevation of privilege risks on unpatched Windows systems.


In total, Redmond shipped patches for 71 documented security vulnerabilities in the flagship Windows OS, the Chromium-based Edge browser, Microsoft Exchange, Microsoft Office Services and SharePoint Server.

Two of the 71 documented vulnerabilities are rated “critical,” Microsoft’s highest severity rating.

Security professionals are urging Windows fleet administrators to pay attention to CVE-2021-26427, a remote code execution flaw in Exchange Server that was reported by the U.S. government’s National Security Agency (NSA).
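For administrators who need to confirm that the October updates actually landed on each host before closing out CVE-2021-40449, the following PowerShell function is an added example (it is not part of the SecurityWeek article and not Microsoft tooling). The function name Get-PostPatchTuesdayUpdates is hypothetical; it assumes only that the cut-off date is Patch Tuesday itself, 2021-10-12, and deliberately avoids hard-coding KB numbers, which differ per Windows release.

```powershell
# Added example (not from the article): report updates applied on or after the
# October 2021 Patch Tuesday on the local host, from both Get-HotFix (the CBS
# view) and the Windows Update history COM API, plus the OS build that
# Microsoft's advisory tables key on.
# Assumptions: cut-off date is Patch Tuesday (2021-10-12); no KB numbers assumed.

function Get-PostPatchTuesdayUpdates {
    [CmdletBinding()]
    param(
        [datetime]$Since = [datetime]'2021-10-12'   # assumed cut-off: Patch Tuesday
    )

    # View 1: component-based servicing entries. Quick, but InstalledOn can be
    # null and some update types never appear here.
    $hotfixes = @(Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $Since } |
        Select-Object HotFixID, Description, InstalledOn)

    # View 2: Windows Update Agent history. Covers WU/WSUS deliveries with their
    # titles and result codes (ResultCode 2 = Succeeded).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $count    = $searcher.GetTotalHistoryCount()
    $history  = @()
    if ($count -gt 0) {
        $history = @($searcher.QueryHistory(0, $count) |
            Where-Object { $_.Date -ge $Since -and $_.ResultCode -eq 2 } |
            Select-Object Date, Title)
    }

    # OS build (major build plus UBR revision), the value to compare against the
    # fixed builds listed in Microsoft's advisory for this host's release.
    $cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $build = '{0}.{1}' -f $cv.CurrentBuildNumber, $cv.UBR

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSBuild        = $build
        HotFixesSince  = $hotfixes
        WUHistorySince = $history
        # Heuristic only: something from the cycle installed; verify OSBuild.
        LikelyPatched  = ($hotfixes.Count -gt 0) -or ($history.Count -gt 0)
    }
}

# Usage: run elevated on each host, or fan out with Invoke-Command across the fleet.
Get-PostPatchTuesdayUpdates | Format-List
```

LikelyPatched is a heuristic, not proof: a Defender definition update installed after the cut-off would also flip it. The value to trust is OSBuild compared against the fixed build for that host's release in Microsoft's advisory. Exchange Server fixes ship as separate Exchange security updates, so the OS build says nothing about whether CVE-2021-26427 has been addressed on an Exchange host.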


The Microsoft patches come one day after Apple rushed out an urgent iOS mobile platform patch to address a software flaw being “actively exploited” in the wild.

The Cupertino, Calif. device maker confirmed the latest zero-day in an advisory and urged iPhone and iPad users to upgrade to the newest release, iOS 15.0.2.

So far in 2021, there have been 73 documented in-the-wild zero-day attacks, the majority hitting vulnerable code in products sold by Microsoft, Apple and Google.


Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
