Security News

Microsoft reported a total of 55 vulnerabilities, six of which are rated critical, with the remaining 49 rated important. Still, as always, this Patch Tuesday delivers high-priority fixes, the most urgent of which are the duo that are under attack.

It's a light November 2021 Patch Tuesday from Microsoft: 55 fixed CVEs, of which two are zero-days under active exploitation: CVE-2021-42321, a Microsoft Exchange RCE, and CVE-2021-42292, a Microsoft Excel security feature bypass bug. CVE-2021-42321, the remote code execution vulnerability in Microsoft Exchange Server 2016 and 2019, is due to issues with the validation of command-let arguments.

Today is Microsoft's November 2021 Patch Tuesday, and with it come fixes for six zero-day vulnerabilities and a total of 55 flaws. The actively exploited vulnerabilities are in Microsoft Exchange and Excel, with the Exchange zero-day used as part of the Tianfu hacking contest.

Among Google's November Android security updates is a patch for a zero-day weakness that "may be under limited, targeted exploitation," the company said. In this case, it can be exploited for local escalation of privilege and, when paired with a remote code execution bug, an exploit could allow attackers to gain administrative control over a targeted system.

Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited. "Google is aware that exploits for CVE-2021-38000 and CVE-2021-38003 exist in the wild," Google disclosed in the list of security fixes in today's Google Chrome release.

A security researcher has disclosed technical details for a Windows zero-day privilege elevation vulnerability and a public proof-of-concept exploit that gives SYSTEM privileges under certain conditions. A public proof-of-concept exploit and technical details have been disclosed for an unpatched Windows zero-day privilege elevation vulnerability that allows users to gain SYSTEM privileges under certain conditions.

An unknown ransomware group is exploiting a critical SQL injection bug found in the BillQuick Web Suite time and billing solution to deploy ransomware on their targets' networks in ongoing attacks. According to the researchers, since the attacks began, a U.S. engineering company has already had its systems encrypted after a vulnerable BillQuick server was hacked and used as the initial point of access to its network.

In a short tweet today, exploit broker Zerodium said that it is looking to acquire zero-day exploits for vulnerabilities in three popular virtual private network service providers on the market. Zerodium's current interest is in vulnerabilities affecting Windows clients for NordVPN, ExpressVPN, and SurfShark VPN services.

CVE-2021-30663 - Processing maliciously crafted web content may lead to arbitrary code execution. CVE-2021-30665 - Processing maliciously crafted web content may lead to arbitrary code execution.

Apple has silently fixed a 'gamed' zero-day vulnerability, a security flaw that could let attackers gain access to sensitive user information, with the release of iOS 15.0.2 on Monday. In July, Apple also silently patched an 'analyticsd' zero-day flaw with the release of 14.7 without crediting Tokarev in the security advisory, instead promising to acknowledge his report in security advisories for an upcoming update.