Microsoft Patches Multiple Zero-Day Bugs
Microsoft fixed 74 new CVEs yesterday, including several zero-day vulnerabilities, one of which is being actively exploited in the wild.
Zero-day bug CVE-2021-40449 is a Win32k elevation of privilege vulnerability in Windows affecting Windows 7 and Server 2008 up to Windows 11 and Server 2022. It has reportedly been exploited by Chinese threat actors known as “IronHusky.”
“Microsoft only rated the vulnerability as ‘important’ by their severity scoring system, which is a good example of why organizations need to focus on vulnerability remediation based on risk,” argued Ivanti senior director of product management, Chris Goettl.
“A risk-based approach to vulnerability management takes into account more real-world indicators such as known exploited, public disclosure, and usage trends by threat actors to better understand what exposures you should be focusing on first.”
Microsoft also fixed three publicly disclosed (zero-day) flaws for which proof-of-concept code has already been released, giving attackers a head start in crafting exploits for them.
These are CVE-2021-41338, a security feature bypass vulnerability in Windows AppContainer Firewall; Windows kernel elevation of privilege bug CVE-2021-41335; and Windows DNS remote code execution vulnerability CVE-2021-40469.
There was also an updated fix for CVE-2021-33781, a security feature bypass flaw in Azure AD. This vulnerability was initially resolved in the July Patch Tuesday but has been updated to fix Windows 10 v1607, Server 2016 and Windows 11.
Elsewhere, Adobe updated Acrobat, Reader, Connect, Reader Mobile, Commerce, Campaign Standard and ops-cli.
“Adobe Acrobat and Reader (APSB21-104) resolves the most CVEs out of the line-up. A total of four CVEs, two of which are rated as Critical with CVSS scores of 7.8 were resolved in this update.”