Microsoft today released patches for 50 vulnerabilities, including six zero-days that are under active attack.
For Microsoft’s monthly security release, 50 is a relatively small number (most of its 2020 releases exceeded 100), but this Patch Tuesday still carries weight. The patched CVEs affect Microsoft Windows, Office, the Edge browser, SharePoint Server, .NET Core and Visual Studio, Hyper-V, Visual Studio Code Kubernetes Tools, the Windows HTML platform, and Windows Remote Desktop.
The six actively exploited vulnerabilities comprise one remote code execution flaw, one information disclosure flaw, and four privilege escalation flaws. One is rated critical; the other five are rated “important.” Two of the zero-days were already publicly known at the time of the patch release; one further vulnerability patched today was public but not under attack.
The critical zero-day, CVE-2021-33742, is a remote code execution vulnerability in the Windows MSHTML platform with a CVSS score of 7.5, and was publicly known at the time of patching. An attacker who can persuade a victim to view specially crafted web content can exploit this vulnerability to execute code on the target system. Microsoft notes that the attack requires some user interaction, but the attacker does not need access to files or settings to succeed.
“Because the vulnerability exists in the Trident (MSHTML) engine itself, many different applications will be affected—not just Internet Explorer,” Dustin Childs of the Zero Day Initiative wrote in a blog post. “It is not clear how extensive the active attacks are, but considering that the vulnerability affects all supported Windows versions, this should be at the top of your test and deployment list.”
Microsoft credited Clément Lecigne of Google’s Threat Analysis Group with discovering this vulnerability.
CVE-2021-33739 is another actively exploited zero-day, with a CVSS score of 8.4 and rated important. It is a privilege escalation vulnerability in the Microsoft DWM Core Library that requires low attack complexity, no privileges, and no user interaction to exploit.
“The attacker would most likely arrange to run an executable or script on the local computer,” Microsoft wrote in the disclosure. There are many ways to do this, it says, such as a phishing attack in which the victim clicks an executable file attached to an email. Microsoft credited Jinquan (@jq0904) of DBAPPSecurity Lieying Lab with discovering the vulnerability.
Two more of the zero-days patched today, CVE-2021-31955 and CVE-2021-31956, were discovered by Boris Larin (oct0xor) of Kaspersky Lab and were used as part of an exploit chain together with a Chrome zero-day. The researchers stated that the active attacks, observed between April 14 and 15, were “highly targeted.”
CVE-2021-31955 is an information disclosure vulnerability in the Windows kernel with a CVSS score of 5.5. Microsoft reports that exploitation requires low attack complexity, low privileges, and no user interaction. If successful, the attacker can read the contents of kernel memory from a user-mode process.
The other vulnerability used in this chain, CVE-2021-31956, is an elevation of privilege vulnerability in Windows NTFS with a CVSS score of 7.8. Again, exploitation requires low attack complexity, low privileges, and no user interaction.
Microsoft described two possible approaches: an attacker who can log on to the target system could run a specially crafted application to exploit the vulnerability and take control of the system; alternatively, the attacker could use email or instant messaging to persuade a local user to open a malicious file.
The last two zero-days exploited this month, CVE-2021-31199 and CVE-2021-31201, are privilege escalation vulnerabilities in the Microsoft Enhanced Cryptographic Provider. Both have a CVSS score of 5.2, are rated important, and require low attack complexity, low privileges, and no user interaction. Both are related to Adobe’s CVE-2021-28550, a zero-day affecting Windows and macOS that was patched last month.
“We often see privilege escalation and code execution bugs used in combination. These two vulnerabilities appear to be the privilege escalation part of those exploits,” Childs wrote, although he noted that it is “a bit unusual” to see a gap between the patches for the different parts of an active attack.
CVE-2021-31968 is a denial of service (DoS) vulnerability in Windows Remote Desktop Services. It was publicly known but has not been seen exploited in the wild. It is one of five DoS vulnerabilities patched this month; the others, none previously known, are in Microsoft Defender, .NET Core and Visual Studio, Server for NFS, and Windows Hyper-V.
Kelly Sheridan is a full-time editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported on Microsoft for InformationWeek and covered financial services technology in the insurance industry.