Security News > 2021 > September > Microsoft Patches Actively Exploited Windows Zero-Day Bug
In September's Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which - the Windows MSHTML zero-day - has been under active attack for nearly two weeks.
Microsoft said last week that the flaw could let an attacker "craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," after which "the attacker would then have to convince the user to open the malicious document." Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.
Microsoft did say that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.
"This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system," the Zero Day Initiative explained.
The three exploits Microsoft patched on Tuesday aren't remote, meaning that attackers need to have achieved code execution by other means.
As the Zero Day Initiative explained, that means an attacker could "completely take over the target - provided they are on an adjacent network." That would come in quite handy in a coffee-shop attack, where multiple people use an unsecured Wi-Fi network.
News URL
https://threatpost.com/microsoft-patch-tuesday-exploited-windows-zero-day/169459/