Security News

For its September Patch Tuesday, Microsoft churned out fixes for 66 vulnerabilities, alongside 20 Chromium bugs in Microsoft Edge. Another CVE updates a publicly disclosed patch from August 11 which addressed last month's Print Spooler RCE. "The update has removed the previously defined mitigation as it no longer applies and addresses the additional concerns that were identified by researchers beyond the original fix," explained Chris Goettl, VP of product management at Ivanti, an IT asset management firm, in a statement emailed to The Register.

A day after Apple and Google rolled out urgent security updates, Microsoft has pushed software fixes as part of its monthly Patch Tuesday release cycle to plug 66 security holes affecting Windows and other components such as Azure, Office, BitLocker, and Visual Studio, including an actively exploited zero-day in its MSHTML Platform that came to light last week. Of the 66 flaws, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity.

Microsoft has released a security update to fix the last remaining PrintNightmare zero-day vulnerabilities that allowed attackers to gain administrative privileges on Windows devices quickly. In June, a zero-day Windows print spooler vulnerability dubbed PrintNightmare was accidentally disclosed.

In September's Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which - the Windows MSHTML zero-day - has been under active attack for nearly two weeks. Microsoft said last week that the flaw could let an attacker "Craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine," after which "The attacker would then have to convince the user to open the malicious document." Unfortunately, malicious macro attacks continue to be prevalent: In July, for example, legacy users of Microsoft Excel were being targeted in a malware campaign that used a novel malware-obfuscation technique to disable malicious macro warnings and deliver the ZLoader trojan.

Microsoft today fixed a high severity zero-day vulnerability actively exploited in targeted attacks against Microsoft Office and Office 365 on Windows 10 computers. According to Microsoft, CVE-2021-40444 impacts Windows Server 2008 through 2019 and Windows 8.1 or later, and it has a severity level of 8.8 out of the maximum 10.

On September 2021 Patch Tuesday, Microsoft has fixed 66 CVE-numbered vulnerabilities in a wide variety of its solutions. Of these, the most crucial to address is CVE-2021-40444, the remote code execution MSHTML vulnerability actively exploited by attackers via malicious MS Office documents.

Today is Microsoft's September 2021 Patch Tuesday, and with it comes fixes for two zero-day vulnerabilities and a total of 60 flaws. Microsoft has fixed 60 vulnerabilities with today's update, with three classified as Critical, one as Moderate, and 56 as Important.

Microsoft has reminded customers today that Windows 10 2004 and Windows Server 2004 will reach the end of servicing on December 14, 2021. Microsoft advises customers still running Windows 10 2004 to install the May 2021 Update that will upgrade their devices to Windows 10, version 21H1, which will reach the end of service next year, on December 13, for all editions.

Microsoft on Wednesday said it remediated a vulnerability in its Azure Container Instances services that could have been exploited by a malicious actor "To access other customers' information" in what the researcher described as the "First cross-account container takeover in the public cloud." Azure Container Instances is a managed service that allows users to run Docker containers directly in a serverless cloud environment, without requiring the use of virtual machines, clusters, or orchestrators.

Microsoft has fixed a vulnerability in Azure Container Instances called Azurescape that allowed a malicious container to take over containers belonging to other customers on the platform.An adversary exploiting Azurescape could execute commands in the other users' containers and gain access to all their data deployed to the platform, the researchers say.