Microsoft has released patches for 71 new vulnerabilities in Windows systems and applications this past Tuesday, which follows 11 previously patched software flaws in Microsoft Edge and OpenSSL.
That makes 82 patches this month, which is just slightly down from the 86 patches issued by Microsoft in September. This month’s patches address issues in Edge, Exchange Server, .NET Core and Visual Studio, Microsoft Office services and web apps, SharePoint, Microsoft Dynamics, InTune and Systems Center Operation Manager, according to Zero Day Initiative.
In addition, Adobe issued six patches that cover 10 security vulnerabilities in Adobe Reader, Acrobat Reader for Android, Adobe Campaign Standard, Commerce, Ops-LCI and Adobe Connect, ZDI said in a blog.
Of the 71 Microsoft vulnerabilities patched Tuesday, just two are rated critical, 68 are rated important and is rated low.
Notably, one Zero Day (CVE-2021-40449) is being actively exploited – a Win32k elevation of privilege vulnerability that is likely being used in conjunction with other code execution flaws to take over a system or as part of a targeted malware attack.
According to Microsoft, this flaw was reported by cybersecurity firm Kaspersky, which posted a blog calling it a use-after-free vulnerability in the NtGdiResetDC function of the Win32k driver that can lead to leakage of kernel module addresses in the computer’s memory which is then used to elevate the privileges of another malicious process.
Kaspersky says attackers then download and launch a Remote Access Trojan called MysterSnail to gain access to the victim’s system. From there, attackers can issue various commands, including create, read or delete certain files; create or delete a process get a directory list; or open a proxy channel and send data through it.
Attackers can also view the list of connected drives, monitor the connection of external drives in the background and launch the cmd.exe interactive shell.
Systems affected include a wide range of Microsoft and Windows operating systems, including Vista, 7, 8, 8.1, Server 2008, Server 2008 R2, Server 2012, Server 2012 R2, Windows 10 (build 14393), Server 2016 (build 14393), 10 (build 17763), and Server 2019 (build 17763).
Kaspersky notes that the exploit exists to specifically escalate privileges on server version of the operating system. Targets include IT companies, diplomatic organizations and the defense industry.
There were three other Zero Days patched in this release, including an Exchange Server remote code execution vulnerability (CVE-2021-26427) that ZDI links to the “more severe Exchange issues back in April.”
According to Microsoft, the attack is limited at the protocol level to a logically adjacent topology, meaning the attack needs something specific tied to the target like sharing a physical or logical network, or from within a secure or otherwise limited admin domain. However, Microsoft patched other Exchange bugs earlier this month, so Exchange admins have their work cut out for them.
Microsoft also patched a remote code execution vulnerability in Word (CVE-2021-40486) that allows code execution when a specially crafted Word document is viewed on an affected system. According to ZDI, this bug can be used to take over a target system when used in conjunction with a privilege escalation like the one detailed by Kaspersky. .
Another vulnerability (CVE-2021-40454), is a rich text edit control information disclosure bug that ZDI says could allow an attacker to recover cleartext passwords from memory, even on Windows 11.
Adobe also released six patches that cover 10 vulnerabilities, but none were publicly known or under attack. However, two are rated critical and two are rated moderate, so users should still apply patches.