Zero-Day and Six Publicly Disclosed CVEs Fixed by Microsoft

Microsoft has fixed 56 CVEs as part of this month’s Patch Tuesday, including several already publicly disclosed and one zero-day being actively exploited in the wild.

Although the workload is relatively light for sysadmins this month, there’s plenty to be concerned about.

The zero-day is CVE-2021-1732, a Windows Win32k.sys elevation of privilege vulnerability affecting Windows 10 and Windows Server 2019. Although rated as “important” rather than critical by Microsoft, its active exploitation should push it up to the top of the priority list.

Windows DNS Server remote code execution (RCE) vulnerability CVE-2021-24078 should be second on the to-do list, according to Recorded Future senior security architect, Allan Liska.

“This vulnerability impacts Windows Server 2008 through 2019. This is a critical vulnerability to which Microsoft has assigned a CVSS score of 9.8,” he added.

“Similar to SIGRed, which was disclosed last year, this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before — e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain.”

There are six additional CVEs in total for which proof-of-concept code or other information has been publicly released which could help attackers develop an exploit.

CVE-2021-1733 is a bug in Sysinternals PsExec which could allow an attacker to elevate their privileges. PSExec is commonly used in " ..

Support the originator by clicking the read the rest link below.