Security News > 2021 > September > Microsoft Patches Actively Exploited Windows Zero-Day Bug

In September's Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which - the Windows MSHTML zero-day - has been under active attack for nearly two weeks.
Microsoft said last week that the flaw could let an attacker "Craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," after which "The attacker would then have to convince the user to open the malicious document." Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.
Microsoft did say that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.
"This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system," the Zero Day Initiatve explained.
The three exploits Microsoft patched on Tuesday aren't remote, meaning that attackers need to have achieved code execution by other means.
As the Zero Day Initiative explained, that means an attacker could "Completely take over the target - provided they are on an adjacent network." That would come in quite handy in a coffee-shop attack, where multiple people use an unsecured Wi-Fi network.
News URL
https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/
Related news
- Microsoft patches Windows Kernel zero-day exploited since 2023 (source)
- New Microsoft script updates Windows media with bootkit malware fixes (source)
- Microsoft has finally fixed Date & Time bug in Windows 11 (source)
- Microsoft shares workaround for Windows security update issues (source)
- Microsoft February 2025 Patch Tuesday fixes 4 zero-days, 55 flaws (source)
- Windows 10 KB5051974 update force installs new Microsoft Outlook app (source)
- Microsoft fixes two actively exploited zero-days (CVE-2025-21418, CVE-2025-21391) (source)
- Patch Tuesday: Microsoft Patches Two Actively Exploited Zero-Day Flaws (source)
- FINALDRAFT Malware Exploits Microsoft Graph API for Espionage on Windows and Linux (source)
- Microsoft fixes bug causing Windows Server 2025 boot errors (source)