Microsoft Patch Tuesday: 4 Critical CVEs, 3 Publicly Known, 1 Wormable

  /     /     /  
Publicated : 23/11/2024   Category : security


Microsoft Patch Tuesday: 4 Critical CVEs, 3 Publicly Known, 1 Wormable


Microsoft releases security patches for 55 vulnerabilities in its monthly roundup, which includes a critical, wormable flaw in the HTTP protocol stack.



Microsofts May Patch Tuesday release is smaller compared with previous months, but there are several vulnerabilities to note: Four are considered critical, one of which is wormable, and three of the flaws are publicly known at the time of disclosure. None are listed as under active attack.
This month brought patches for 55 CVEs in Microsoft Windows, Microsoft Office, .NET Core and Visual Studio, Internet Explorer, SharePoint Server, Hyper-V, Skype for Business and Microsoft Lync, Open Source Software, and Exchange Server. Fifty of these vulnerabilities are classified as Important in severity, one as Moderate.
One concerning CVE to prioritize is
CVE-2021-31166
, a critical remote code execution flaw in the HTTP protocol stack with a CVSS score of 9.8. An attack using this would be low in complexity and require no privileges or user interaction, Microsoft says in its disclosure.
To exploit this, an attacker would need to send a specially crafted packet to a vulnerable server using the HTTP protocol stack to process packets. This makes the bug wormable, a danger Microsoft points out. And as Dustin Childs of Trend Micros ZDI writes in a blog post, Windows 10 can be configured as a server, meaning its also affected.
Microsoft and security experts advise prioritizing patching for affected servers. While the wormable bug hasnt been seen in active attacks, Microsofts exploitability assessment warns exploitation is more likely.
Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing, says Kevin Breen, director of cyber-threat research at Immersive Labs. As this specific exploit would not require any form of authentication, its even more appealing for attackers, and any organization using the HTTP.sys protocol stack should prioritize this patch.
This vulnerability has the potentially to be both directly impactful and is also exceptionally simple to exploit, notes Steve Povolny, head of advanced threat research and principal engineer at McAfee. While this could lead to code execution in the Windows kernel, that type of exploit would be a higher bar for attackers. Achieving remote code execution could give them the ability to create a self-propagating worm, which could cause widespread damage.
Another CVE worth noting is
CVE-2021-28476
, a critical remote code execution flaw in Hyper-V with a CVSS score of 9.9. This attack also requires low complexity, low privileges, and no user interaction to be successful. The flaw lets a guest virtual machine force the Hyper-V hosts kernel to read from an arbitrary, potentially invalid address, which wouldnt be returned to the guest VM.
In most circumstances, this would result in a denial of service to the Hyper-V host (bugcheck) due to reading an unmapped address, Microsoft writes. It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware specific side effects that could compromise the Hyper-V hosts security.
Microsoft has deployed patches for four Exchange Server vulnerabilities (
CVE-2021-31198
,
CVE-2021-31207
,
CVE-2021-31209
, and
CVE-2021-31195
), all of which are categorized as Important or Moderate in severity. One of these,
CVE-2021-31207
, is publicly known and is a security bypass vulnerability in Microsoft Exchange versions 2013–2019. While it isnt critical, this was exploited in the
recent Pwn2Own competition
and should be patched.
While none of these flaws is deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible, says Satnam Narang, staff research engineer at Tenable.
Other publicly known vulnerabilities patched today include
CVE-2021-31204
, an Important elevation of privilege flaw in .NET Core and Visual Studio, and
CVE-2021-31200
, an Important remote code execution vulnerability in Common Utilities.

Last News

▸ Security Problem Growing for Dairy Queen, UPS & Retailers, Back off ◂
Discovered: 23/12/2024
Category: security

▸ Veritabile Defecte de Proiectare a Securitatii in Software -> Top 10 Software Security Design Flaws ◂
Discovered: 23/12/2024
Category: security

▸ Sony, XBox Targeted by DDoS Attacks, Hacktivist Threats ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
Microsoft Patch Tuesday: 4 Critical CVEs, 3 Publicly Known, 1 Wormable