Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.
Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.
The flaw being exploited in the wild already — CVE-2021-1732 — affects Windows 10, Server 2016 and later editions. It received a slightly less dire “important” rating and mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.
Two of the other bugs that were disclosed prior to this week are critical and reside in Microsoft’s .NET Framework, a component required by many third-party applications (most Windows users will have some version of .NET installed).
Windows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you’ve backed up your system and installed this month’s patches, you may want to check Windows Update again to see if there are any .NET updates pending.
A key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. microsoft patch tuesday february edition
