Microsoft Oct. Patch Tuesday Squashes 4 Zero-Day Bugs
2021-10-12 21:51

Today is Microsoft's October 2021 Patch Tuesday, and it delivers fixes for four zero-day vulnerabilities, one of which is being exploited in a far-reaching espionage campaign that delivers the new MysterySnail RAT malware to Windows servers.

Bharat Jogi, Qualys senior manager of vulnerability and threat research, told Threatpost on Tuesday that if left unpatched, "MysterySnail has the potential to collect and exfiltrate system information from compromised hosts, in addition to other malicious users having the ability to gain complete control of the affected system and launch further attacks."

Chris Morgan, senior cyber threat intelligence analyst at Digital Shadows, said that the spoofing vulnerability fix Microsoft put out today is meant to fix the problems that previous patches have introduced.

Another vulnerability worth noting is CVE-2021-40486, a critical RCE affecting Microsoft Word, Microsoft Office and some versions of SharePoint Server that can be exploited via the Preview Pane.

Neither vulnerability has been exploited publicly, and exploitation is less likely; however, organizations using Hyper-V should patch these vulnerabilities as soon as possible, Hass recommended.

This isn't the first time that Microsoft has had to stomp on an RCE vulnerability in DNS server this year, including in March's Patch Tuesday updates.


News URL

https://threatpost.com/microsoft-patch-tuesday-bug-exploited-mysterysnail-espionage-campaign/175431/

Related Vulnerability

DATE | CVE | VULNERABILITY TITLE | RISK
2021-10-13 | CVE-2021-40486 | Unspecified vulnerability in Microsoft products: Microsoft Word Remote Code Execution Vulnerability | local, low complexity, microsoft, 7.8

Related vendor

VENDOR | LAST 12M | #/PRODUCTS | LOW | MEDIUM | HIGH | CRITICAL | TOTAL VULNS
Microsoft |  | 473 | 68 | 2214 | 4928 | 253 | 7463