13 October 2021

Microsoft fixes actively exploited Windows zero-day


Microsoft has released its monthly batch of security updates for Windows products and components, fixing over 70 vulnerabilities, including a Windows flaw actively exploited in the wild and three bugs that were publicly disclosed earlier but are not known to be exploited in attacks.

The zero-day vulnerability, tracked as CVE-2021-40449, is a buffer overflow issue affecting the Win32k driver in the Microsoft Windows kernel. It allows a local user to execute arbitrary code with elevated privileges using a specially crafted program.

The vulnerability was discovered by Kaspersky security researchers, who revealed that it was used by threat actors in “widespread espionage campaigns against IT companies, military/defense contractors, and diplomatic entities” that installed the MysterySnail RAT on compromised Windows servers.

“Code similarity and re-use of C2 infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012,” the researchers said.

“We discovered that it was using a previously unknown vulnerability in the Win32k driver and exploitation relies heavily on a technique to leak the base addresses of kernel modules. We promptly reported these findings to Microsoft. The information disclosure portion of the exploit chain was identified as not bypassing a security boundary, and was therefore not fixed.”

As part of the October 2021 Patch Tuesday, Microsoft also addressed three previously disclosed vulnerabilities:

CVE-2021-40469 - Windows DNS Server Remote Code Execution Vulnerability

CVE-2021-41335 - Windows Kernel Elevation of Privilege Vulnerability

CVE-2021-41338 - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

Other notable high-risk bugs fixed with the release of the October 2021 Patch Tuesday include those in Microsoft Excel, Windows Media Audio Decoder, Office Visio, Word, Windows Media Foundation, Microsoft Edge, and other products.
