Microsoft Patches MSHTML Vuln Among 66 CVEs

Published: 23/11/2024   Category: security




This month's Patch Tuesday release addresses a remote code execution bug under active attack and a publicly known flaw in Windows DNS.



Microsoft today released patches for 66 CVEs, two of which are publicly known and one of which is under attack, the company reports.
This month's Patch Tuesday release addresses 66 vulnerabilities in Microsoft Windows, the Edge browser, Azure, Office, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. Three are classified as Critical, 62 as Important, and one as Moderate.
The vulnerability under active attack is remote code execution flaw CVE-2021-40444, which exists in Microsoft MSHTML, the browser engine built into Windows that allows the operating system to read and display HTML files. Microsoft disclosed the CVE last week in an advisory that warned it was being exploited in targeted attacks, along with mitigations and workarounds.
An attacker could exploit this vulnerability by embedding a specially crafted ActiveX control in an Office file and sending it to a victim. If opened, the malicious code would execute at the level of the logged-in victim, meaning people with fewer user rights on the system may be less affected than those with administrative user rights, Microsoft says. An attack would require low complexity and no privileges, but a successful exploit does require user interaction.
This flaw affects Windows 7 through Windows 10, and Windows Server 2008 to Windows Server 2019. While there have been no reports of active attacks beyond the targeted exploits Microsoft mentioned, organizations should update their systems now that a patch is available.
Security teams should also note CVE-2021-36965, a remote code execution vulnerability in the Windows WLAN AutoConfig Service. If exploited, this flaw could allow attackers on the same network as their victims to run their code on target machines at a system level. It's labeled Critical, with a CVSS 3.0 score of 8.8 and no privileges or user interaction required to exploit.
"It specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker's end goal," says Danny Kim, principal architect at Virsec.
The highest-rated patch this month is CVE-2021-38647, an Open Management Infrastructure (OMI) remote code execution bug with a CVSS 3.0 score of 9.8. An attacker could exploit this by sending a specially crafted message via HTTPS to port 5986, also known as WinRM port, on a vulnerable system.
Microsoft notes that some Azure products, such as Configuration Management, expose an HTTP/S port for interacting with OMI, or port 5986. The configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port.
Another patch to prioritize is CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS that is publicly known and has a CVSS 3.0 score of 7.8. Microsoft provided few details but noted an attack requires low attack complexity, low privileges, and no user interaction. This one affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
The lack of executive summaries, which Microsoft removed from its vulnerability disclosures last year, is frustrating for security teams seeking more details.
"The executive summaries were a critical part of vulnerability and patch management and, across the board, the pain of their removal is still felt," says Tyler Reguly, manager of security R&D at Tripwire. "While this flaw has a high CVSS score, there are absolutely no details to help admins understand what they are dealing with or where the risk is."
And finally, today's rollout brought three additional patches for Windows Print Spooler: CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447. Print Spooler vulnerabilities have been regular following the July 2021 disclosure of PrintNightmare. Security researchers continue to find new ways to target the service, and it's expected they will continue exploring this area.
