The Hacker News
THN:554E88E6A1CE9AFD04BF297E68311306
Nov 10, 2021 - 6:24 a.m.

Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs

2021-11-10 06:24:00
The Hacker News
thehackernews.com
CVSS3: 9.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 9.3 High
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C

Microsoft has released security updates as part of its monthly Patch Tuesday release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system.

Of the 55 glitches, six are rated Critical and 49 are rated as Important in severity, with four others listed as publicly known at the time of release.

The most critical of the flaws are CVE-2021-42321 (CVSS score: 8.8) and CVE-2021-42292 (CVSS score: 7.8), which are, respectively, a post-authentication remote code execution flaw in Microsoft Exchange Server and a security bypass vulnerability impacting Microsoft Excel versions 2013-2021.

The Exchange Server issue is also one of the bugs that was demonstrated at the Tianfu Cup held in China last month. However, the Redmond-based tech giant did not provide any details on how the two aforementioned vulnerabilities were used in real-world attacks.

“Earlier this year, Microsoft alerted that APT Group HAFNIUM was exploiting four zero-day vulnerabilities in the Microsoft Exchange server,” said Bharat Jogi, director of vulnerability and threat research at Qualys.

“This evolved into exploits of Exchange server vulnerabilities by DearCry Ransomware — including attacks on infectious disease researchers, law firms, universities, defense contractors, policy think tanks and NGOs. Instances such as these further underscore that Microsoft Exchange servers are high-value targets for hackers looking to penetrate critical networks,” Jogi added.

Also addressed are four publicly disclosed, but not exploited, vulnerabilities —

  • CVE-2021-43208 (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability
  • CVE-2021-43209 (CVSS score: 7.8) - 3D Viewer Remote Code Execution Vulnerability
  • CVE-2021-38631 (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability
  • CVE-2021-41371 (CVSS score: 4.4) - Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Microsoft’s November patch also comes with a resolution for CVE-2021-3711, a critical buffer overflow flaw in OpenSSL’s SM2 decryption function that came to light in late August 2021 and could be abused by adversaries to run arbitrary code and cause a denial-of-service (DoS) condition.

Other important remediations include fixes for multiple remote code execution flaws in Chakra Scripting Engine (CVE-2021-42279), Microsoft Defender (CVE-2021-42298), Microsoft Virtual Machine Bus (CVE-2021-26443), Remote Desktop Client (CVE-2021-38666), and on-premises versions of Microsoft Dynamics 365 (CVE-2021-42316).

Lastly, the update is rounded out by patches for a number of privilege escalation vulnerabilities affecting NTFS (CVE-2021-41367, CVE-2021-41370, CVE-2021-42283), Windows Kernel (CVE-2021-42285), Visual Studio Code (CVE-2021-42322), Windows Desktop Bridge (CVE-2021-36957), and Windows Fast FAT File System Driver (CVE-2021-41377).

To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update or select Check for Windows updates.

Software Patches From Other Vendors

In addition to Microsoft, security updates have also been released by a number of other vendors to rectify several vulnerabilities, including —
