page = krebs on security – in-depth security news and …
url = https://krebsonsecurity.com
Microsoft Corp. today released updates to quash at least 55 security bugs in its Windows operating systems and other software. Two of the patches address vulnerabilities that are already being used in active attacks online, and four of the flaws were disclosed publicly before today — potentially giving adversaries a head start in figuring out how to exploit them.
Among the zero-day bugs is CVE-2021-42292 , a “security feature bypass” problem with Microsoft Excel versions 2013-2021 that could allow attackers to install malicious code just by convincing someone to open a booby-trapped Excel file (Microsoft says Mac versions of Office are also affected, but several places are reporting that Office for Mac security updates aren’t available yet).
Microsoft’s revised, more sparse security advisories don’t offer much detail on what exactly is being bypassed in Excel with this flaw. But Dustin Childs over at Trend Micro’s Zero Day Initiative says the vulnerability is likely due to loading code that should be limited by a user prompt — such as a warning about external content or scripts — but for whatever reason that prompt does not appear, thus bypassing the security feature.
The other critical flaw patched today that’s already being exploited in the wild is CVE-2021-42321 , yet another zero-day in Microsoft Exchange Server . You may recall that earlier this year a majority of the world’s organizations running Microsoft Exchange Servers were hit with four zero-day attacks that let thieves install backdoors and siphon email . Continue reading →