Microsoft fixes 55 vulnerabilities on Patch Tuesday, including two actively exploited

Microsoft fixed 55 vulnerabilities in Windows and Office programs during Patch Tuesday. Six of the vulnerabilities were zero-days. In 15 cases, the vulnerabilities allowed code to be run on a machine.

The release for Windows 10 and 11 contains fixes for 55 vulnerabilities. In addition to Windows, Office, Azure and Edge have also been patched. Information about six of the vulnerabilities was already publicly known. Two of those were actually being exploited in the wild, Microsoft says: CVE-2021-42292 and CVE-2021-42321. These are, respectively, a security feature bypass in Excel and a remote code execution in Exchange. For the Exchange RCE, an attacker first needs to be authenticated. It therefore receives a CVSS score of 7.7. It is striking that details about that vulnerability were also shown at the Chinese Tianfu Hacking Competition in October. Those details had not been made public at the time.

Other notable bugs include CVE-2021-42298, a remote code execution bug in Microsoft Defender that allowed an attacker to execute code just by sending a file to a system. Two vulnerabilities in the Remote Desktop Protocol, CVE-2021-38631 and CVE-2021-41371, had already been pointed out by security researchers. These are classified as 'Important' because they made it possible to read RDP passwords from a system. RDP is a popular target for ransomware criminals.

In total, 15 of the Patch Tuesday fixes are for remote code execution. In 20 cases, local privilege escalations were repaired, and in another 10 cases an information disclosure. Spoofing vulnerabilities and denial-of-service vulnerabilities were also fixed. A total of 55 repaired vulnerabilities is relatively low for a Patch Tuesday.
