Microsoft has released fixes for six zero-days that are being actively exploited in the wild – and one that is not – on a Patch Tuesday that this month continues a recent trend of generally lighter updates. Indeed, this is the lowest collective number of bugs found so far in 2021.
The six exploited zero-days are: CVE-2021-33742, a remote code execution (RCE) flaw in the Windows MSHTML Platform; CVE-2021-31955, an information disclosure bug in the Windows Kernel; and CVE-2021-31199 and CVE-2021-31201, two elevation of privilege vulnerabilities in the Microsoft Enhanced Cryptographic Provider, both of which Microsoft also links to previously disclosed Adobe vulnerabilities.
Also on the list of zero-days are CVE-2021-33739, an elevation of privilege vulnerability in the Microsoft DWM Core Library; and CVE-2021-31956, another elevation of privilege vulnerability, this one in Windows NTFS. The seventh, unexploited, bug is CVE-2021-31968, a denial of service vulnerability in Windows Remote Desktop Services.
While all of them warrant attention, there is a concern this month that some of them may be missed in prioritisation because they are only rated as important and carry lower Common Vulnerability Scoring System (CVSS) base scores (CVE-2021-31199 and CVE-2021-31201 are both scored 5.2), according to Chris Goettl, senior director of product management and security at Ivanti.
“This brings a very important prioritisation challenge to the forefront this month,” he said. “Vendor severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases. Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware.
“The Windows OS updates this month are the top priority and resolve all of the zero-day vulnerabilities that Microsoft has resolved. Prioritise the OS update to reduce this risk quickly.”
Tenable’s senior research engineer, Satnam Narang, added: “While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organisations apply these patches as soon as possible. Unpatched flaws remain a problem for many organisations months after patches have been released.”
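The prioritisation problem Goettl describes can be made concrete. The following is an added example, not code from the article or from any of the vendors quoted: it ranks this month's CVEs first by CVSS alone and then by a simple risk-based score in which confirmed in-the-wild exploitation dominates and vendor severity and exposure refine the order. Only the two 5.2 scores the article quotes for CVE-2021-31199 and CVE-2021-31201 are taken from the text; the other CVSS values, the asset counts and the weighting constants are placeholders chosen for illustration and should be replaced with your own advisory data and inventory.

```python
"""Risk-based ranking of the June 2021 Patch Tuesday bugs discussed above.

Added example, not from the article. The exploited/unexploited flags follow
the article; CVSS values other than the two 5.2 scores, the asset counts and
the weights are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str
    component: str
    cvss: float          # vendor base score (placeholder except the two 5.2s)
    severity: str        # vendor rating: "Critical" or "Important"
    exploited: bool      # exploitation detected in the wild (per the article)
    exposed_assets: int  # affected hosts reachable by untrusted users (constructed)


# Constructed inventory for the CVEs named in the article.
JUNE_2021 = [
    Vuln("CVE-2021-33742", "Windows MSHTML Platform", 7.5, "Critical", True, 120),
    Vuln("CVE-2021-31955", "Windows Kernel", 5.5, "Important", True, 400),
    Vuln("CVE-2021-31199", "Enhanced Cryptographic Provider", 5.2, "Important", True, 400),
    Vuln("CVE-2021-31201", "Enhanced Cryptographic Provider", 5.2, "Important", True, 400),
    Vuln("CVE-2021-33739", "DWM Core Library", 8.4, "Important", True, 400),
    Vuln("CVE-2021-31956", "Windows NTFS", 7.8, "Important", True, 400),
    Vuln("CVE-2021-31968", "Remote Desktop Services", 7.5, "Important", False, 30),
    Vuln("CVE-2021-31963", "SharePoint Server", 7.1, "Critical", False, 2),
    Vuln("CVE-2021-31985", "Microsoft Defender", 7.8, "Critical", False, 400),
    Vuln("CVE-2021-31959", "Scripting Engine (Chakra)", 4.2, "Critical", False, 400),
]


def risk_score(v: Vuln) -> float:
    """Assumed weighting: in-the-wild exploitation outweighs any CVSS delta,
    vendor-critical adds a little, and exposure adds up to three points."""
    score = v.cvss
    if v.exploited:
        score += 10.0                      # attackers already use it: patch first
    if v.severity == "Critical":
        score += 2.0
    score += min(v.exposed_assets / 100.0, 3.0)
    return round(score, 2)


def rank_by_cvss(vulns):
    """Ordering a CVSS-only process would produce (stable sort, highest first)."""
    return [v.cve for v in sorted(vulns, key=lambda v: v.cvss, reverse=True)]


def rank_by_risk(vulns):
    """Ordering from the risk-based score above (highest first)."""
    return [v.cve for v in sorted(vulns, key=risk_score, reverse=True)]


def position(ranking, cve):
    """1-based position of a CVE in a ranking."""
    return ranking.index(cve) + 1


if __name__ == "__main__":
    by_cvss, by_risk = rank_by_cvss(JUNE_2021), rank_by_risk(JUNE_2021)
    print(f"{'CVE':<16}{'CVSS rank':>10}{'risk rank':>10}{'risk':>8}")
    for v in JUNE_2021:
        print(f"{v.cve:<16}{position(by_cvss, v.cve):>10}"
              f"{position(by_risk, v.cve):>10}{risk_score(v):>8}")
```

With these placeholder values, CVE-2021-31199 sits eighth of ten when sorted by CVSS alone but fifth under the risk-based score, and all six exploited zero-days occupy the top six slots, which is the outcome Goettl's advice to push the OS update first is aiming for.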
Beyond the zero-day vulnerabilities, there are also a number of noteworthy critical-rated vulnerabilities this month, among them CVE-2021-31963, a remote code execution vulnerability in Microsoft SharePoint Server that Microsoft rates as critical.
“This vulnerability was not previously publicly disclosed and is not being exploited in the wild, according to Microsoft, but it should be a high priority as previous SharePoint vulnerabilities, such as CVE-2019-0604, have been exploited and used to deliver multiple payload types, including ransomware,” said Recorded Future senior security architect Allan Liska.
Qualys’s principal research analyst, Anand Paturi, also flagged CVE-2021-31985, an RCE vulnerability in Microsoft Defender, and CVE-2021-31959, a memory corruption vulnerability in the Chakra JScript scripting engine.