Microsoft Fixes Exchange Server Zero-Day

Published: 23/11/2024   Category: security




November security update contains patches for 55 bugs — including six zero-days across various products.



Microsoft’s November security updates, released today, contained fixes for 55 vulnerabilities, including six zero-day flaws — two of which are currently being exploited.
But according to at least one security researcher, the flaw that organizations should be most concerned about is CVE-2021-42298, a critical bug in Microsoft Defender that attackers can exploit to remotely execute malicious code on vulnerable systems.
“I think this CVE should be top of mind for all enterprises,” said Danny Kim, principal architect at Virsec, in a statement. Microsoft itself has assessed the flaw as severe and likely to be exploited. Also, Windows Defender runs on all supported versions of Windows, so the vulnerability therefore significantly increases the potential attack surface for organizations.
“This CVE does require some user interaction; however, we have seen in the past how attackers can use social engineering/phishing emails to achieve such interaction fairly easily,” Kim said.
Kim described CVE-2021-26443 as another vulnerability that organizations should consider prioritizing. The remote code execution flaw is present in Microsoft Virtual Machine Bus (VMBus), a communication component of the company’s Hyper-V virtualization technology. The flaw gives attackers a way to escape a virtual machine’s built-in protections and run malicious code on the underlying physical host system.
“This means the attacker can inflict damage not only on the VM, but all VMs running on that physical host,” Kim said. The ability to run arbitrary code on a physical host is one of the deepest levels of infiltration an attacker can achieve, he noted.
Meanwhile, the two vulnerabilities for which exploit code is currently available are present in Microsoft Exchange Server (CVE-2021-42321) and Microsoft Excel (CVE-2021-42292).
The Exchange Server flaw results from improper validation of cmdlet — a command that is often used in PowerShell environments. The flaw can be exploited over the network, is not very complex, and requires low privileges and no user interaction. Microsoft described the vulnerability as having a high impact on data confidentiality, integrity, and availability, and said it had detected exploitation activity of the flaw in the wild.
“As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible,” said Dustin Childs, with Trend Micro’s Zero-Day Initiative, in a statement.
The Microsoft Excel flaw (CVE-2021-42292) — the other actively exploited vulnerability in the company’s November update — is a security feature bypass flaw that results in malicious code being executed when certain maliciously crafted files are opened.
“It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet,” Childs said. But users should be cautious about opening unexpected attachments for a while, especially users of Office for Mac because Microsoft has not yet released a patch for it, Childs noted.
“It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as ‘proof of concept,’” he said.
Four other flaws in Microsoft’s latest security update have been publicly disclosed, though no exploit activity has been associated with any of them yet. Two of the flaws — CVE-2021-38631 and CVE-2021-41371 — involve Microsoft’s frequently targeted Remote Desktop Protocol technology. Both are information disclosure vulnerabilities that Microsoft described as less likely to be exploited. The other two publicly known flaws — CVE-2021-43208 and CVE-2021-43209 — are both remote code execution flaws in Microsoft’s 3D Viewer Remote technology. Microsoft has disclosed multiple severe to critical flaws in the 3D model viewing software over the past year.
As always, the 55 vulnerabilities for which Microsoft has issued patches impact a wide range of the company’s products, including Microsoft Office, Windows, Azure, Power BI, and Visual Studio. However, the actual number of flaws the company disclosed this month is lower than in some previous months this year. Microsoft’s January 2021 security update, for instance, addressed 83 vulnerabilities. In June and September, the company disclosed more than 60 bugs, and Microsoft’s October 21 update contained fixes for more than 70 flaws.
