Microsoft Patch Tuesday Fixes 82 CVEs, Internet Explorer Zero-Day

Published: 23/11/2024   Category: security




The monthly rollout follows last week's emergency Microsoft Exchange Server patch covering seven CVEs, four of which are under attack.



Microsoft today released 82 security fixes as part of its monthly Patch Tuesday rollout, which this month addresses 10 critical vulnerabilities and one Internet Explorer zero-day. This brings its March patch count to 89 after the release of emergency patches for seven CVEs last week. 
The out-of-band Exchange patch released March 2 covers seven unique CVEs, four of which are under active attack. Organizations running on-premises Exchange Servers are advised to address the vulnerabilities as soon as possible, as attackers are continuing to scan for and exploit them.
Microsoft today pushed additional patches for older, unsupported versions of Exchange Server.
Today's Patch Tuesday release addresses vulnerabilities in Microsoft Windows, Azure and Azure DevOps, Azure Sphere, Internet Explorer, the Edge browser, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. One is both publicly known and under active attack.
That is CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that could let a successful attacker run code on a target system if a victim views a specially designed HTML file. This affects older versions such as Internet Explorer 11, and newer EdgeHTML-based versions.
"This kind of exploit would give the attacker the same operating system permissions as the user visiting the website," says Kevin Breen, director of cyber-threat research at Immersive Labs. "So, if you're browsing the Internet as a standard user, the attacker will get user level access to your file system and limited access to the operating system."
It's a reminder that employees should never browse the Web while logged in with admin privileges, he adds. If a victim is browsing the Internet as an admin, attackers could get full unrestricted access to the file system and operating system, Breen adds. Microsoft notes the attack to exploit this critical flaw is low in complexity and requires no privileges.
Also worth noting is CVE-2021-26897, a critical remote code execution (RCE) vulnerability in Windows DNS Server. Microsoft patched five RCE flaws in DNS Server this month; this is the only one rated Critical. Microsoft also rates this flaw as "exploitation more likely," and it requires no privileges and is low in attack complexity.
"These attacks are not limited to external attackers — they also become a target for attackers who may already be inside your network," Breen says. "An attacker gaining access to manipulate a DNS server within your organization can have a significant impact on your overall security."
Another CVE that draws attention to privileges is CVE-2021-27076, an RCE vulnerability in SharePoint Server. This is also categorized as "exploitation more likely" and indicates an attacker could exploit the server to gain code execution over the network. A successful attacker would need privileges to create or modify Sites in SharePoint, which authenticated users can do by default. It's a reminder that users who don't need specific privileges shouldn't have them.
Today's Critical patches also address two RCE flaws in Azure Sphere, both of which are unsigned code execution vulnerabilities. However, users likely won't need to take action because devices running Azure Sphere connected to the Internet get automatic updates, as Dustin Childs, with Trend Micro's Zero-Day Initiative, points out. These flaws are listed as CVE-2021-27074 and CVE-2021-27080.
