It has been a relatively quiet Patch Tuesday for Microsoft, with patches released to correct just 55 vulnerabilities across its product suite. None of the four critical flaws are believed to have been exploited in the wild; however, patches should be applied as soon as possible to prevent exploitation, especially since three of the vulnerabilities have been publicly disclosed.
The four critical flaws affect Windows 10, Internet Explorer, Microsoft Windows Object Linking and Embedding (OLE) Automation, and Microsoft Windows Hyper-V.
CVE-2021-31166 is of particular concern as it is a potentially wormable flaw in the HTTP protocol stack in Windows 10 and Windows Server versions which could allow remote code execution with kernel-level privileges. The flaw could also be exploited in a denial-of-service (DoS) attack. An attacker could exploit it by sending a specially crafted packet to a targeted server that uses the HTTP protocol stack (http.sys) to process packets, which would ultimately allow the execution of arbitrary code and could lead to a full system takeover. The flaw is wormable, so an attacker could replicate exploitation across an internal network and attack other internal services that may not otherwise be exposed. This would make it an ideal vulnerability for ransomware gangs to target.
CVE-2021-26419 is a scripting engine memory corruption vulnerability in Internet Explorer 11 and 9, which could be exploited remotely to execute arbitrary code. The flaw could be exploited by tricking a user into visiting a specially crafted website. The flaw could also be exploited by an attacker via an embedded ActiveX control marked safe for initialization in a Microsoft Office document that hosts the IE rendering engine.
CVE-2021-31194 is a remote code execution vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation. The flaw could be exploited by convincing a user to visit a website that has been designed to invoke OLE automation through the web browser.
CVE-2021-28476 is a remote code execution flaw in Microsoft Windows Hyper-V. An attacker could exploit the flaw by running a specially crafted application on a Hyper-V guest, which could allow the Hyper-V host operating system to execute arbitrary code when vSMB packet data is not properly validated. While the flaw could be exploited for RCE, Microsoft says the bug is most likely to be exploited in a DoS attack.
Three of the vulnerabilities have been publicly disclosed but have not been exploited in the wild. They are:
- CVE-2021-31204 – .NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-31200 – Common Utilities Remote Code Execution Vulnerability
50 of the vulnerabilities have been rated important and one has been rated moderate. The important and moderate vulnerabilities affect the following Microsoft products and services:
.NET Core & Visual Studio, Jet Red and Access Connectivity, Microsoft Accessibility Insights for Web, Microsoft Bluetooth Driver, Microsoft Dynamics Finance & Operations, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Windows Codecs Library, Microsoft Windows IrDA, Open Source Software, Skype for Business and Microsoft Lync, Visual Studio, Windows Container Isolation FS Filter Driver, Windows Container Manager Service, Windows CSC Service, Windows Desktop Bridge, Windows Projected File System FS Filter, Windows RDP Client, Windows SMB, Windows SSDP Service, Windows WalletService, and Windows Wireless Networking