Microsoft has released its monthly batch of security updates for Windows products and components, fixing over 70 vulnerabilities, including a Windows flaw actively exploited in the wild and three bugs that were publicly disclosed earlier, but are not known to be exploited in attacks.
The zero-day vulnerability, tracked as CVE-2021-40449, is a buffer overflow issue affecting the Win32k driver in the Microsoft Windows kernel. It allows a local user to execute arbitrary code with elevated privileges by running a specially crafted program.
The vulnerability was discovered by Kaspersky security researchers, who revealed that it was used by threat actors in “widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities” that installed the MysterySnail RAT on compromised Windows servers.
“Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012,” the researchers said.
“We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as not bypassing a security boundary, and was therefore not fixed.”
As part of the October 2021 Patch Tuesday, Microsoft also addressed three previously disclosed vulnerabilities:
CVE-2021-40469 - Windows DNS Server Remote Code Execution Vulnerability
CVE-2021-41335 - Windows Kernel Elevation of Privilege Vulnerability
CVE-2021-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability
Other notable high-risk bugs fixed with the release of the October 2021 Patch Tuesday include those in Microsoft Excel, Windows Media Audio Decoder, Office Visio, Word, Windows Media Foundation, Microsoft Edge, and other products.