Security News > 2021 > September > Microsoft Patches Actively Exploited Windows Zero-Day Bug
In September's Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which - the Windows MSHTML zero-day - has been under active attack for nearly two weeks.
Microsoft said last week that the flaw could let an attacker "Craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," after which "The attacker would then have to convince the user to open the malicious document." Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.
Microsoft did say that it was aware of targeted attacks trying to exploit it via specially crafted Microsoft Office documents.
"This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system," the Zero Day Initiatve explained.
The three exploits Microsoft patched on Tuesday aren't remote, meaning that attackers need to have achieved code execution by other means.
As the Zero Day Initiative explained, that means an attacker could "Completely take over the target - provided they are on an adjacent network." That would come in quite handy in a coffee-shop attack, where multiple people use an unsecured Wi-Fi network.
- Microsoft confirms another Windows print spooler zero-day bug (source)
- Microsoft, CISA Urge Mitigations for Zero-Day RCE Flaw in Windows (source)
- Microsoft fixes Windows CVE-2021-40444 MSHTML zero-day bug (source)
- Microsoft Releases Patch for Actively Exploited Windows Zero-Day Vulnerability (source)
- Microsoft's Windows 365 Cloud PC service is live - Costs from $24 to $162 (source)
- Microsoft halts Windows 365 trials after running out of servers (source)
- Black Hat: Microsoft’s Patch for Windows Hello Bypass Bug is Faulty, Researchers Say (source)
- New Windows PrintNightmare zero-days get free unofficial patch (source)
- Microsoft fixes Windows Print Spooler PrintNightmare vulnerability (source)
- Microsoft August 2021 Patch Tuesday fixes 3 zero-days, 44 flaws (source)