Microsoft today deployed patches for 50 vulnerabilities, including six zero-days under active attack, the company reports.
Fifty is a relatively small number for Microsoft's monthly security releases – most of its 2020 rollouts exceeded 100 – but this Patch Tuesday packs a punch. The CVEs that were addressed affect Microsoft Windows, Office, Edge browser, SharePoint Server, .NET Core and Visual Studio, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.
The six flaws being exploited in the wild include one remote code execution bug, an information disclosure vulnerability, and four elevation-of-privilege flaws. One of these is classified as Critical; the other five are categorized Important. Two zero-days were publicly known at the time of disclosure; one vulnerability patched today is publicly known but not under attack.
Critical zero-day CVE-2021-33742, a remote code execution bug in the Windows MSHTML platform, has a CVSS score of 7.5 and was publicly known at the time it was patched. Attackers could successfully exploit this and execute code on a target system if they can convince a victim to view specially crafted Web content. Microsoft notes an attack requires some user interaction, though an attacker does not require access to files or settings in order to succeed.
"Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer," writes Dustin Childs of the Zero-Day Initiative in a blog post. "It's not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list."
Microsoft credits Clément Lecigne of Google's Threat Analysis Group for discovering the flaw.
CVE-2021-33739, another publicly known zero-day, is considered Important with a CVSS score of 8.4. This is an elevation-of-privilege vulnerability in Microsoft's DWM Core Library that requires low attack complexity, no privileges, and no user interaction to successfully exploit.
"The attacker would most likely arrange to run an executable or script on the local computer," Microsoft writes in the disclosure. There are many ways they could do this, it says; for example, a phishing attack in which the victim clicks an executable file attached to an email. Microsoft credits Jinquan (@jq0904) of DBAPPSecurity Lieying Lab with discovering the vulnerability.
Two of the zero-days patched today, CVE-2021-31955 and CVE-2021-31956, were found by Boris Larin (oct0xor) of Kaspersky Lab and used as part of an exploit chain, along with a Chrome zero-day, in active attacks observed on April 14–15 that researchers say were "highly targeted."
CVE-2021-31955 is an information disclosure vulnerability in the Windows kernel with a CVSS score of 5.5. Exploitation would require low complexity, low privileges, and no user interaction, Microsoft reports. If successful, an attacker could access the contents of kernel memory from a user-mode process.
The other flaw used in this chain, CVE-2021-31956, is an elevation-of-privilege vulnerability in Windows NTFS with a CVSS score of 7.8. It also requires low complexity, low privileges, and no user interaction to exploit.
There are a couple of paths an attacker might take with this one, Microsoft says: They could first log on to the target system; from there, they could run a specially crafted application to exploit the flaw and take control. Alternatively, they could use an email or instant message to convince a local user to open a malicious file.
CVE-2021-31199 and CVE-2021-31201, the final two zero-days exploited this month, are elevation-of-privilege vulnerabilities in the Microsoft Enhanced Cryptographic Provider. Both have a CVSS score of 5.2 and are classified as Important, with low attack complexity, low privileges, and no user interaction required for an exploit. Both vulnerabilities are related to Adobe CVE-2021-28550, a zero-day affecting Windows and macOS patched last month.
"It's common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits," Childs writes, though he notes it's "a bit unusual" to see a gap between patches for different parts of an active attack.
CVE-2021-31968, a denial-of-service (DoS) vulnerability in Windows Remote Desktop Services, is publicly known but not seen exploited in the wild. This is one of five DoS bugs patched this month; others, which were not previously known, exist in Microsoft Defender, .NET Core and Visual Studio, Server for NFS, and Windows Hyper-V.