Microsoft has issued a new set of security updates for Windows operating systems and related software, including patches for 6 zero-day security vulnerabilities that malicious hackers are already exploiting in active attacks.
Patch Tuesday for June only resolves 49 security flaws, which is nearly half the number of vulnerabilities seen in recent months. However, what this month lacks in volume, it more than makes up for in urgency.
Microsoft warned that malicious elements are using a half-dozen of those flaws to break into computers in targeted attacks.
The 6 zero-days vulnerabilities are:
* CVE-2021-33742, a remote code execution bug in a Windows HTML component,
* CVE-2021-31955, an information disclosure bug in the Windows Kernel,
* CVE-2021-31956, an elevation of privilege flaw in Windows NTFS,
* CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager,
* CVE-2021-31201, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider,
* CVE-2021-31199, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider.
Kevin Breen, Director of Cyber Threat Research at Immersive Labs said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs. After gaining a foothold, the hacker can move laterally across the network, uncovering more avenues to escalate to system or domain-level access.
Commenting on the development, Kevin Breen, said “This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools,”
“The ‘exploit detected’ tag means attackers are actively using them, so for me, it’s the most important piece of information we need to prioritize the patches.”
Microsoft also fixed five crucial vulnerabilities, which can be remotely exploited to take control of a Windows computer without any user’s intervention. CVE-2021-31959 affects all versions of Windows from Windows 7 to Windows 10, as well as Server 2008, 2012, 2016, and 2019.