Security News > 2021 > November > Microsoft Issues Patches for Actively Exploited Excel, Exchange Server 0-Day Bugs
Microsoft has released security updates as part of its monthly Patch Tuesday release cycle to address 55 vulnerabilities across Windows, Azure, Visual Studio, Windows Hyper-V, and Office, including fixes for two actively exploited zero-day flaws in Excel and Exchange Server that could be abused to take control of an affected system.
The most critical of the flaws are CVE-2021-42321 and CVE-2021-42292, each concerning a post-authentication remote code execution flaw in Microsoft Exchange Server and a security bypass vulnerability impacting Microsoft Excel versions 2013-2021 respectively.
The Exchange Server issue is also one of the bugs that was demonstrated at the Tianfu Cup held in China last month.
"Earlier this year, Microsoft alerted that APT Group HAFNIUM was exploiting four zero-day vulnerabilities in the Microsoft Exchange server," said Bharat Jogi, director of vulnerability and threat research at Qualys.
"This evolved into exploits of Exchange server vulnerabilities by DearCry Ransomware - including attacks on infectious disease researchers, law firms, universities, defense contractors, policy think tanks and NGOs. Instances such as these further underscore that Microsoft Exchange servers are high-value targets for hackers looking to penetrate critical networks," Jogi added.
Other important remediations include fixes for multiple remote code execution flaws in Chakra Scripting Engine, Microsoft Defender, Microsoft Virtual Machine Bus, Remote Desktop Client, and on-premises versions of Microsoft Dynamics 365.
News URL
https://thehackernews.com/2021/11/microsoft-issues-patches-for-actively.html
Related news
- 17,000+ Microsoft Exchange servers in Germany are vulnerable to attack, BSI warns (source)
- Germany warns of 17K vulnerable Microsoft Exchange servers exposed online (source)
- These 17,000 unpatched Microsoft Exchange servers are a ticking time bomb (source)
- Microsoft confirms Windows Server issue behind domain controller crashes (source)
- Microsoft releases emergency fix for Windows Server crashes (source)
- Microsoft confirms memory leak in March Windows Server security update (source)
- Week in review: Backdoor found in XZ utilities, weaponized iMessages, Exchange servers at risk (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft slammed for lax security that led to China's cyber-raid on Exchange Online (source)
- Microsoft still unsure how hackers stole MSA key in 2023 Exchange attack (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2021-11-10 | CVE-2021-42321 | Unspecified vulnerability in Microsoft Exchange Server 2016/2019 Microsoft Exchange Server Remote Code Execution Vulnerability | 8.8 |
2021-11-10 | CVE-2021-42292 | Unspecified vulnerability in Microsoft products Microsoft Excel Security Feature Bypass Vulnerability | 7.8 |