Microsoft fixes 55 vulnerabilities on Patch Tuesday, including two actively exploited
Microsoft fixed 55 vulnerabilities in Windows and Office products on Patch Tuesday. Six of the vulnerabilities were zero-days. In 15 cases the vulnerability allowed code to be executed on the affected machine.
The release for Windows 10 and 11 contains fixes for 55 vulnerabilities. Besides Windows, Office, Azure and Edge were also patched. Six of the vulnerabilities were already publicly known, and two of those were actually being exploited in the wild, according to Microsoft: CVE-2021-42292 and CVE-2021-42321. The first is a security feature bypass in Excel, the second a remote code execution vulnerability in Exchange. For the Exchange RCE an attacker first needs to be authenticated, which is why it receives a CVSS score of 8.8. Notably, details of that vulnerability were also worked out at the Chinese Tianfu Cup hacking contest in October, but they had not been made public at the time.
Other notable bugs include CVE-2021-42298, a remote code execution vulnerability in Microsoft Defender that allowed an attacker to execute code simply by sending a file to a system. Two vulnerabilities in the Remote Desktop Protocol, CVE-2021-38631 and CVE-2021-41371, had previously been pointed out by security researchers. They are classified as 'Important' because they made it possible to read RDP passwords from a system. RDP is a popular target for ransomware criminals.
In total, 15 of the Patch Tuesday fixes address remote code execution vulnerabilities. Local privilege escalation vulnerabilities were fixed in 20 cases, and information disclosure vulnerabilities in another 10. Spoofing and denial-of-service vulnerabilities were also fixed. A total of 55 patched vulnerabilities is relatively low for a Patch Tuesday.