As part of its June 2021 Patch Tuesday release, Microsoft shipped fixes for 50 vulnerabilities across Windows and its other software, including six zero-days that Microsoft and outside security researchers report are being actively exploited.
The flaws span Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), Windows HTML Platform, Windows Remote Desktop, Visual Studio Code – Kubernetes Tools, and Hyper-V.
Of the 50 issues, five are rated Critical and 45 Important; three were publicly known before the patches were released.
Below are the vulnerabilities that are being actively exploited:
- CVE-2021-33742 (CVSS score: 7.5) – Windows MSHTML Platform Remote Code Execution Vulnerability
- CVE-2021-33739 (CVSS score: 8.4) – Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2021-31199 (CVSS score: 5.2) – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31201 (CVSS score: 5.2) – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31955 (CVSS score: 5.5) – Windows Kernel Information Disclosure Vulnerability
- CVE-2021-31956 (CVSS score: 7.8) – Windows NTFS Elevation of Privilege Vulnerability
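The first thing a practitioner wants after reading a list like this is a way to confirm that a given host is covered. The following PowerShell script is an added example, not part of the original article or any Microsoft tooling: it queries the Windows Update Agent COM API for installed and pending software updates and matches their CVE lists against the six CVE IDs above. It assumes the host can reach its update source (Microsoft Update or WSUS) and runs under an account allowed to search for updates.

```powershell
# Added example (not from the original article): report, per CVE, whether the
# update addressing it is installed, pending, or not offered to this host.
# The CVE IDs are the six actively exploited flaws from the June 2021 release.
$ZeroDays = @(
    'CVE-2021-33742',  # Windows MSHTML Platform RCE
    'CVE-2021-33739',  # Microsoft DWM Core Library EoP
    'CVE-2021-31199',  # Microsoft Enhanced Cryptographic Provider EoP
    'CVE-2021-31201',  # Microsoft Enhanced Cryptographic Provider EoP
    'CVE-2021-31955',  # Windows Kernel information disclosure
    'CVE-2021-31956'   # Windows NTFS EoP
)

$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
# Cumulative updates supersede each other; without this flag a host patched
# past June 2021 may not see the June update at all and would read "NOT OFFERED".
$searcher.IncludePotentiallySupersededUpdates = $true

$covered = @{}   # CVE -> title of an installed update that addresses it
$pending = @{}   # CVE -> title of an offered but not-yet-installed update

foreach ($criteria in @("IsInstalled=1 and Type='Software'",
                        "IsInstalled=0 and Type='Software'")) {
    $result = $searcher.Search($criteria)
    foreach ($update in $result.Updates) {
        # IUpdate.CveIDs lists the CVEs an update addresses; empty for most
        # non-security updates, so the intersection is usually empty.
        $hits = @($update.CveIDs | Where-Object { $ZeroDays -contains $_ })
        foreach ($cve in $hits) {
            if ($update.IsInstalled) { $covered[$cve] = $update.Title }
            else                     { $pending[$cve] = $update.Title }
        }
    }
}

foreach ($cve in $ZeroDays) {
    if ($covered.ContainsKey($cve)) {
        '{0,-15} PATCHED      {1}' -f $cve, $covered[$cve]
    } elseif ($pending.ContainsKey($cve)) {
        '{0,-15} MISSING      {1}' -f $cve, $pending[$cve]
    } else {
        # Either not applicable to this SKU/build, or the update source has not
        # synced it yet; verify against the MSRC release notes before closing.
        '{0,-15} NOT OFFERED' -f $cve
    }
}
```

A "PATCHED" line means an installed update lists that CVE, which is the evidence an auditor will ask for. "NOT OFFERED" is not a clean bill of health: on hosts that pull from WSUS it often means the June update has not been approved, so treat it as a follow-up item rather than a pass.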
Microsoft did not disclose who is exploiting the flaws, the nature of the attacks, or how widespread they are. It is worth noting, however, that four of the six are elevation-of-privilege bugs, which suggests attackers are chaining them with other vulnerabilities, such as a browser or document-reader code execution bug, to gain elevated permissions on a target and then run malicious code or steal sensitive data.
Microsoft's advisories note that both CVE-2021-31201 and CVE-2021-31199 are related to CVE-2021-28550, the arbitrary code execution vulnerability in Adobe Acrobat and Reader that Adobe fixed last month and that was being used in "limited attacks targeting Adobe Reader users on Windows."
CVE-2021-33742 was reported to Microsoft by Google’s Threat Analysis Group, which stated, “this appears to be a commercial exploit company providing limited nation-state technical capabilities in Eastern Europe and the Middle East.”
According to the Russian cybersecurity firm Kaspersky, CVE-2021-31955 and CVE-2021-31956 were chained with a Chrome zero-day (CVE-2021-21224) in highly targeted attacks against multiple companies on April 14 and 15. Kaspersky attributed the intrusions to a new threat actor it calls PuzzleMaker.
Kaspersky researchers said:
“While we were not able to retrieve the exploit used for remote code execution (RCE) in the Chrome web browser, we were able to find and analyze an elevation of privilege (EoP) exploit that was used to escape the sandbox and obtain system privileges.”
The same release fixes remote code execution vulnerabilities in Paint 3D, Microsoft SharePoint, Microsoft Office Graphics, Microsoft Excel, and Microsoft Defender.
It also patches several elevation-of-privilege flaws in Microsoft Edge, Windows Filter Manager, the Windows Kernel, the Windows Kernel-Mode Driver, and Windows NTLM.