The most recent Patch Tuesday includes a fix for the previously disclosed and actively exploited remote code execution flaw in MSHTML.
The arrival of the second Tuesday of the month can only mean one thing in cybersecurity terms, Microsoft is rolling out patches for security vulnerabilities in Windows and its other offerings. This time round Microsoft’s Patch Tuesday brings fixes to no fewer than 86 security loopholes including one that has been both previously disclosed and actively exploited in the wild. Of the grand total, three security flaws received the highest severity rating of “critical”.
Indexed as CVE-2021-40444, the remote code execution vulnerability holding a rating of ‘critical’ on the CVSS scale, resides in MSHTML, a browser engine for Internet Explorer also commonly referred to as Trident. While Microsoft did release an advisory regarding the actively exploited zero-day, it didn’t provide an out-of-band update and rather opted to fix it as part of this month’s batch of security updates.
“An attacker could craft a malicious ActiveX control to be used by a Microsoft Office document that hosts the browser rendering engine. The attacker would then have to convince the user to open the malicious document. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights,” Microsoft said, describing how an attacker could exploit the vulnerability.
Another critical vulnerability that merits mentioning resides in Open Management Infrastructure (OMI), an open-source project that aims to improve Web-Based Enterprise Management standards. Tracked as CVE-2021-38647, the remote code execution vulnerability earned an ‘almost perfect score’ of 9.8 out of 10 on the CVSS scale. According to the Redmond tech titan, an attacker could exploit the security loophole by sending a specially crafted message through HTTPS to a port listening to OMI on a susceptible system.
Closing up the trio of security flaws with a classification of critical is yet another remote code execution bug. Indexed as CVE-2021-36965, the vulnerability resides in the Windows WLAN AutoConfig Service component, which is responsible for automatically connecting to wireless networks.
Security updates have been released for a wide range of products, including Microsoft Office, Edge, SharePoint, as well as other products in Microsoft’s portfolio.
All updates are available via this Microsoft Update Catalog for all supported versions of Windows. Both regular users and system administrators would be well advised to apply the patches as soon as practicable.