Patch Tuesday: Microsoft patches a zero-day bug under active attack

Microsoft patches a zero-day bug under active attack in September 2021 Patch Tuesday update

In total, 66 security flaws have been addressed in this month's security update

Microsoft has released software updates to address dozens of security vulnerabilities in Windows and other products, including a zero-day that is being actively exploited in the wild.

Microsoft's September 2021 Patch Tuesday update plugs a total of 66 security holes across Windows, Office, SharePoint Server, Azure Sphere, Azure Open Management Infrastructure, Visual Studio, BitLocker, Windows DNS and Windows Subsystem for Linux, among other software.

Of all security flaws fixed this month, three are rated as 'Critical', one is 'Moderate' and the remainder are 'Important' in terms of severity.

In addition, 20 Chromium security bugs in Microsoft Edge have been addressed this month.

In a security advisory last week, Microsoft disclosed details of a zero-day remote code execution (RCE) bug in MSHTML, which the company said was being used by threat actors in a limited number of attacks against Windows systems.

The vulnerability, indexed as CVE-2021-40444, affects the 'MSHTML' component of Internet Explorer on Windows 10 and many Windows Server versions, and could be abused to achieve arbitrary code execution.

The bug has now been resolved, and Microsoft is urging users to update their software as soon as possible.

Another notable security bug addressed by Microsoft in its Patch Tuesday update is CVE-2021-38647, a 'Critical' flaw with a CVSS score of 9.8. It impacts the Open Management Infrastructure (OMI) programme and could allow an attacker to carry out RCE attacks against a vulnerable machine, by sending malicious messages via HTTPS to port 5986.

CVE-2021-36965 is another RCE bug impacting the 'WLAN AutoConfig' service in Windows 10 and many Server versions. It could allow an attacker to take over a vulnerable target system, although the attacker and the target should be on the same network for that to happen.

CVE-2021-26435 is a critical memory corruption bug affecting the Microsoft Windows scripting engine. The bug has been assigned a CVSS score of 8.1, and it requires user interaction to trigger.

Three elevation of privilege bugs in Windows Print Spooler (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447) have also been fixed, and all of these bugs are rated as 'Important'.

Commenting on the latest security update from Microsoft, Immersive Labs' Kevin Breen, director of Cyber Threat Research, said: "On the surface, it's quite a light Patch Tuesday, with only one CVE being actively exploited in the wild (CVE-2021-40444)."

"This cycle we've seen 25 vulnerabilities that have been patched in Chrome and ported over to Microsoft's Chromium-based Edge. I cannot underestimate the importance of patching your browsers and keeping them up to date. After all, browsers are the way we interact with the internet and web-based services that contain all sorts of highly sensitive, valuable and private information. Whether you're thinking about your online banking or the data collected and stored by your organization's web apps, they could all be exposed by attacks that exploit the browser."

Breen also drew attention to several "privilege escalation" flaws fixed this month. He noted that while these flaws carry lesser severity ratings, the Redmond giant considers them more likely to be exploited by threat actors and malware.

"Local Priv Esc vulnerabilities are a key component of almost every successful cyberattack, especially for the likes of ransomware operators who abuse this kind of exploit to gain the highest level of access," Breen said.

In other security news, Apple this week patched a zero-day vulnerability that was reportedly exploited by NSO Group to spy on users of Mac, iPhone, iPad, and Watch products.

The company also released security updates to address a second security bug that impacted WebKit for iOS and macOS Big Sur. Apple credited an 'anonymous researcher' for the discovery of this security vulnerability and said that it 'may have been actively exploited'.