[BreachExchange] Patch Tuesday: Microsoft Plugs Exploited MSHTML Zero-Day Hole

[Sophia Kingsbury]

https://www.securityweek.com/patch-tuesday-microsoft-plugs-exploited-mshtml-zero-day-hole

The patch comes exactly one week after the Redmond, Wash. software giant
acknowledged the CVE-2021-40444 security defect and confirmed the existence
of in-the-wild exploitation via booby-trapped Microsoft Office documents.

Microsoft did not provide additional details of the live attacks or any
indicators of compromise to help defenders hunt for signs of malicious
activity.  However, there are enough clues in the attribution section of
Microsoft’s bulletin to suggest this is the work of nation-state APT actors.

Microsoft credited four different external researchers with reporting this
exploit. Three of the four are affiliated with Mandiant, an anti-malware
forensics firm that regularly documents high-end targeted attacks.

Counting this MSHTML vulnerability, there have been 66 documented zero-day
attacks so far in 2021. According to data tracked by SecurityWeek, 20 of
the 66 zero-days targeted code from Microsoft.

The September batch of patches from Microsoft covers at least 66 documented
vulnerabilities in a range of Windows, Office, Edge (Chromium), Windows
DNS, SharePoint Server and the Windows Subsystem for Linux.

Microsoft slapped its highest “critical” severity rating on three of the 66
bulletins, urging Windows fleet administrators to prioritize the testing
and deployment of those updates.

Security professionals are also calling attention to CVE-2021-36965, a
remote code execution issue in the Windows WLAN AutoConfig service.
According to ZDI’s Dustin Childs, this flaw could allow network adjacent
attackers to run their code on affected systems at SYSTEM level.

“This means an attacker could completely take over the target – provided
they are on an adjacent network. This would be highly useful in a coffee
shop scenario where multiple people are using an unsecured WiFi network.
Still, this requires no privileges or user interaction, so don’t let the
adjacent aspect of this bug diminish the severity. Definitely test and
deploy this patch quickly,” Childs said in a blog post summarizing the
Patch Tuesday bulletins.

Microsoft’s Patch Tuesday comes on the heels of Google and Apple responding
separately to zero-day exploitation on its iOS, macOS and Chrome platforms.

On Monday this week, Apple pushed out an iOS and macOS patch to address
gaping security holes, which Google shipped an advisory of its own to warn
of a pair of already-exploited flaws in its desktop Chrome browser.

The new Google Chrome 93.0.4577.82, available for Windows, macOS and Linux
users, fixes at least nine documented security defects, all carrying a
“high-severity” rating.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20210915/ad634a13/attachment.html>