This month’s Patch Wednesday release includes fixes for 55 CVEs — six that are rated critical, including two zero-day vulnerabilities that were exploited in the wild.
Below is a comment from Satnam Narang, staff research engineer at Tenable; further analysis from Tenable is available here.
“This month’s release includes a fix for CVE-2021-42321, a critical remote code execution vulnerability in Microsoft Exchange Server due to issues with the validation of command-let (cmdlet) arguments. In order to exploit this flaw, an attacker would need to be authenticated, which limits some of the impact. Microsoft says they are aware of “limited targeted attacks” using this vulnerability in the wild. Microsoft Exchange Server has been the subject of several notable vulnerabilities throughout 2021, from ProxyLogon and associated vulnerabilities, as well as ProxyShell. Though unconfirmed, this may be similar to an Exchange Server vulnerability that was discovered at the Tianfu Cup hacking competition last month. We strongly encourage organizations to apply these patches as soon as possible.
“Microsoft also patched CVE-2021-42292, a security feature bypass vulnerability in Microsoft Excel. Microsoft’s Security Threat Intelligence Center (MSTIC) is credited with discovering this flaw, and they say that it was exploited in the wild as a zero-day. Microsoft says that the Outlook Preview Pane is not an attack vector for this vulnerability, so a target would need to open the file in order for exploitation to occur. Updates are primarily available for Windows systems, but updates for Office for Mac are not yet published.” – Satnam Narang, Staff Research Engineer, Tenable