Microsoft has released 50 security fixes for its software, resolving critical and important issues including six zero-days that are being actively exploited in the wild. Five of the vulnerabilities are rated critical and 45 are rated important.
Microsoft has fixed problems including remote code execution (RCE) bugs, denial-of-service issues, privilege escalation, and memory corruption issues.
Products impacted include Microsoft Office, .NET Core & Visual Studio, the Edge browser, Windows Cryptographic Services, SharePoint, Outlook, and Excel.
The zero-day vulnerabilities that Microsoft has tracked as being actively exploited, now patched in this update, are:
- CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability, CVSS 7.5
- CVE-2021-33739: Microsoft DWM Core Library Elevation of Privilege Vulnerability, CVSS 8.4
- CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2
- CVE-2021-31201: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2
- CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability, CVSS 5.5
- CVE-2021-31956: Windows NTFS Elevation of Privilege Vulnerability, CVSS 7.8
Another zero-day, reported but not actively exploited in the wild, is CVE-2021-31968, with a CVSS score of 7.5, which could be exploited to trigger a denial of service.
Eight of the vulnerabilities were reported by the Zero Day Initiative (ZDI). Microsoft has also acknowledged reports from Google’s Threat Analysis Group, Google Project Zero, Nixu Cybersecurity, Check Point Research, FireEye, Kaspersky, and others.
These vulnerabilities have already been exploited in the wild as zero-days, so it is vital that organizations apply these patches as soon as possible. Unpatched flaws remain a problem for many organizations months after patches have been released.