Microsoft has patched a host of vulnerabilities, including three rated “critical” and one actively being exploited by nation-state threat actors.
Background
Microsoft came out swinging this month with a loaded Patch Tuesday, patching 74 vulnerabilities across 43 products and technologies.
This includes three critical vulnerabilities, a slew of Remote Code Execution (RCE) vulnerabilities, and some under active exploit.
Vulnerability details
– CVE-2021-40449 – A use-after-free zero-day in the Win32 kernel driver. Kaspersky researchers identified nation-state threat actors using this vulnerability for privilege escalation alongside their Remote Access Trojan (RAT).
– A critical Remote Code Execution vulnerability impacting Exchange servers.
– Two Hyper-V Remote Code Execution vulnerabilities (CVE-2021-40461 and CVE-2021-38672), which ThreatPost reports can also allow a guest VM to escape the restrictions that prevent it from tampering with the host.
– A fix for PrintNightmare (CVE-2021-36970), whose previous patch did not resolve the issue.
– Other notable Remote Code Execution Vulnerabilities:
- Word/Office/SharePoint (CVE-2021-40486),
- SharePoint Server (CVE-2021-40487) and
- DNS Servers (CVE-2021-40469).
An extensive writeup has been provided by ThreatPost.
Mitigations
The full list of affected products is given in Microsoft’s Patch Tuesday release notes.
It is urgent that affected systems be updated as soon as possible.
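One way to verify that a host has actually received this month's update is to compare the installed hotfixes against the KB numbers Microsoft lists for that OS build in the release notes linked under Resources. The PowerShell script below is an added example, not part of this advisory or of Microsoft's tooling; the KB identifier in $RequiredKBs is a placeholder, and the Print Spooler status line is included only as an informational check related to the PrintNightmare item above.

```powershell
# Added example: report patch status for the October 2021 updates on the local host.
# $RequiredKBs is a PLACEHOLDER list; replace it with the KB number(s) Microsoft's
# release notes give for this machine's OS build (the advisory itself lists no KBs).
$RequiredKBs = @('KB0000000')

# Installed updates as reported by Windows Update / servicing.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

# Basic host facts so the report can be correlated in an inventory.
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

# KBs from the required list that are not present on this host.
$missing = $RequiredKBs | Where-Object { $_ -notin $installed }

[PSCustomObject]@{
    ComputerName   = $env:COMPUTERNAME
    OSVersion      = $os.Version
    LastBoot       = $os.LastBootUpTime
    SpoolerStatus  = if ($spooler) { $spooler.Status } else { 'NotPresent' }  # informational only
    MissingKBs     = ($missing -join ', ')
    PatchCompliant = (-not $missing)
} | Format-List

if ($missing) {
    Write-Warning "Host is missing required update(s): $($missing -join ', ')"
}
```

Run it in an elevated PowerShell session on each host (or push it through your management tooling) and collect the PatchCompliant field; a reboot may still be pending after installation, so pair the result with the LastBoot value when deciding whether the fix is actually in effect.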
Resources
Microsoft’s Patch Tuesday Notes
https://msrc.microsoft.com/update-guide/releaseNote/2021-Oct
CISA Patch Tuesday Advisory
https://us-cert.cisa.gov/ncas/current-activity/2021/10/12/microsoft-releases-october-2021-security-updates
ThreatPost Patch Tuesday Writeup
https://threatpost.com/microsoft-patch-tuesday-bug-exploited-mysterysnail-espionage-campaign/175431/
Kaspersky Documenting MysterySnail RAT
https://securelist.com/mysterysnail-attacks-with-windows-zero-day/104509/