Yesterday was the second Tuesday of the month, which means that Microsoft is rolling out patches for security vulnerabilities found in Windows and its other products. This year’s second batch of security updates brings fixes for 56 vulnerabilities, including a zero-day flaw that is being actively exploited in the wild.
The elevation of privilege vulnerability, tracked as CVE-2021-1732 and ranked as “important” on the Common Vulnerability Scoring System (CVSS) scale, resides in Windows' Win32k kernel component. According to the SANS Technology Institute, it is a local vulnerability and “an attacker would have to have local access to the machine (console or SSH for example) or rely on user interaction, like a user opening a malicious document.”
The security loophole a prompted a response from the Cybersecurity and Infrastructure Security Agency (CISA), which issued a security advisory: “CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows 2019 servers.”
Beyond the zero-day bug, the latest round of updates also includes fixes for 11 security flaws that received the highest ranking of “critical”, while 6 security holes are listed as publicly known at the time of the release. The vast majority of the rest were ranked as “important” and two were classified as “moderate” in severity.
RELATED READING: Google: Better patching could have prevented 1 in 4 zero‑days last year
Among those ranked as critical, four vulnerabilities earned an almost “perfect score” of 9.8 out of 10 on the CVSS scale and were classified as remote code execution (RCE) vulnerabilities.
The first one, tracked as CVE-2021-24078, can be found in the Microsoft DNS server and could allow a remote attacker to run arbitrary code with service on the target host. The SANS Institute also warned that since the bug doesn’t require any user interaction, it could potentially be wormable.
Meanwhile, two other critical RCEs indexed as CVE-2021-24074 and CVE-2021-24094 were found to affect the Windows TCP/IP implementation. Although Microsoft said that it would be difficult to create functional exploits for them, the Redmond giant believes attackers could exploit them together with a Denial of Service (DoS) vulnerability tracked as CVE-2021-24086 in a DoS attack.
Security updates were released for various flavors of Windows products, Microsoft Office, and Skype for Business, as well as other offerings in Microsoft’s portfolio.
As always, both system administrators and regular users are advised to apply the patches as soon as possible.