Patch Tuesday: Microsoft Warns of Under-Attack Windows Kernel Flaw

Microsoft’s scheduled monthly batch of security patches landed with a loud thud Tuesday with fixes for at least 56 security vulnerabilities in a range of operating system and software products.


At least one of the flaws (CVE-2021-1732) is being exploited in the wild in zero-day attacks. Microsoft did not provide any additional details on the in-the-wild attacks beyond a generic “exploitation detected” checkbox in the advisory.

The acknowledgement of this zero-day attack, reported to Microsoft by Chinese security vendor DBAPPSecurity Ltd., comes just days after reports of a separate — and still unpatched — Internet Explorer vulnerability being used by hackers linked to the North Korean government.


The zero-day patch headlines a mega-patch release by Microsoft with fixes for 56 documented CVEs in multiple Windows OS frameworks and components, the widely deployed Office Product line and the Skype for Business and Windows Defender utilities.

Microsoft rates 11 of the 56 vulnerabilities as “critical,” its highest severity rating. A total of 43 patched flaws are classified as “important” while two are rated “moderate.”

The Microsoft patch drop adds to the workloads for weary defenders struggling to keep pace with the volume and pace of security updates from major vendors.

Earlier Tuesday, Adobe shipped fixes for multiple dangerous security holes, including a bug in the Adobe Reader that is being exploited in “limited targeted attacks” against Windows OS users.


A few days ago, SonicWall warned of zero-day attacks against some products in its portfolio while Apple and Google scrambled to provide band-aids for under-attack flaws in the iOS and Android operating systems.

To make matters worse, the communications and guidance from these big-name vendors have been poor. Adobe, for example, casually mentioned the in-the-wild PDF Reader attacks but did not provide any IOCs (indicators of compromise) or other attack artifacts to aid enterprise threat hunters.

Microsoft, too, has been scarce with information on flaws that are being actively exploited or publicly known. It is likely the information has been shared with the company’s MAPP (Microsoft Active Protection Program) partners of security vendors, but several CISOs tell SecurityWeek it’s becoming more and more difficult to mount a response plan without proper technical documentation of live attacks.

In addition to the bug under active exploitation (no IOCs available), Microsoft mentioned that six separate vulnerabilities are publicly known and exploit code may be available but the company did not provide additional documentation.

For a round-up of the major vulnerabilities and issues to prioritize, we recommend this recap from ZDI (Zero Day Initiative). Some highlights:

CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability

This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

CVE-2021-24078 – Windows DNS Server Remote Code Execution Vulnerability

This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

CVE-2021-24074 – Windows TCP/IP Remote Code Execution Vulnerability

There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

CVE-2021-26701 – .NET Core and Visual Studio Remote Code Execution Vulnerability

This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.
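Two of the ZDI items above can be checked on a host while the patches are being rolled out: whether IPv4 source routing is actually dropped rather than merely not forwarded (CVE-2021-24074) and whether the DNS Server role is present at all (CVE-2021-24078). The following PowerShell is an added example, not code from the article, Microsoft or ZDI; it assumes a supported Windows build where netsh and the Tcpip\Parameters registry key exist, and it only reads settings.

```powershell
# Added example (not from the article, Microsoft or ZDI): read-only posture check
# for a Windows host. Assumes netsh and the Tcpip\Parameters key are present.

function Get-SourceRoutingPosture {
    # netsh prints "Source Routing Behavior : <value>" in the IPv4 global settings.
    # 'drop' discards source-routed packets; 'dontforward' (the Windows default)
    # still accepts packets addressed to this host; 'forward' is the weakest.
    $line = netsh interface ipv4 show global |
        Where-Object { $_ -match 'Source Routing Behavior' }
    $netshValue = if ($line) { ($line -split ':')[-1].Trim().ToLower() } else { 'unknown' }

    # The registry exposes the same control as DisableIPSourceRouting:
    # 0 = forward, 1 = do not forward (default), 2 = drop all source-routed packets.
    $regPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $regValue = (Get-ItemProperty -Path $regPath -Name DisableIPSourceRouting `
                 -ErrorAction SilentlyContinue).DisableIPSourceRouting
    $regDisplay = if ($null -eq $regValue) { 'not set' } else { $regValue }

    [pscustomobject]@{
        NetshSourceRouting   = $netshValue
        RegistryDisableValue = $regDisplay
        # Either control at its strictest setting means source-routed IPv4 is dropped.
        SourceRoutingDropped = ($netshValue -eq 'drop' -or $regValue -eq 2)
    }
}

function Get-DnsServerRolePosture {
    # CVE-2021-24078 only applies to hosts running the Windows DNS Server
    # service, which registers under the service name 'DNS'.
    $svc = Get-Service -Name DNS -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DnsServerPresent = [bool]$svc
        DnsServerRunning = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

$sourceRouting = Get-SourceRoutingPosture
$dnsRole       = Get-DnsServerRolePosture
$sourceRouting | Format-List
$dnsRole       | Format-List

if (-not $sourceRouting.SourceRoutingDropped) {
    Write-Warning 'IPv4 source-routed packets are not dropped here; treat CVE-2021-24074 as unmitigated until patched.'
}
if ($dnsRole.DnsServerPresent) {
    Write-Warning 'DNS Server role present: prioritize the CVE-2021-24078 update on this host.'
}
```

Run it in an elevated session on each Windows host in scope; the warnings are the triage output, the two objects are the evidence to record.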

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.
