Microsoft yesterday released patches for over 100 flaws, the first time this year the monthly count has passed that mark, including one being actively exploited in the wild and four new critical Exchange Server bugs reported by the NSA.
The haul of 110 CVEs will keep sysadmins busy, with experts highlighting the zero-day elevation of privilege flaw in Win32k (CVE-2021-28310) as worthy of attention.
Although rated only as important, it may already have been exploited in attacks for over a month, according to Ivanti senior director of product management, Chris Goettl.
“This is a good example of the importance of using a risk-based prioritization approach. If you are basing your prioritization off vendor severity and looking at just the critical CVEs, you may have missed this one,” he explained.
“Fortunately for those organizations, this is part of the Windows 10 cumulative this month — which also includes Critical CVEs — but broadening your prioritization metrics to include risk metadata like exploited, publicly disclosed, and other indicators will help to ensure you prioritize the best possible set of updates to remediate in a timely fashion.”
The four critical Exchange Server flaws should also be a priority for sysadmins. CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 are remote code execution bugs that all affect Microsoft Exchange Server versions 2013 to 2019.
Recorded Future senior solutions architect, Allan Liska, flagged elevation of privilege vulnerability CVE-2021-27091 as worthy of attention, as it has been publicly disclosed.
“Microsoft labelled this vulnerability important and it impacts Windows 7 and Windows Server 2008 and 2012,” he explained.
“While RPC vulnerabilities are not usually widely exploited in the wild, this could be an interesting one to watch out for as attackers often use RPC to execute code on remote systems. This vulnerability would allow an attacker to execute remote code at a higher privileged level.”
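The risk-based prioritization Goettl describes, and the publicly disclosed status Liska flags, can be turned into a ranking of this month's CVEs. The following is an added example, not code from Microsoft, Ivanti or Recorded Future; the records are constructed from the CVEs named in the article, and the scoring weights are assumptions chosen to illustrate why vendor severity alone would bury the exploited bug.

```python
"""Risk-based patch prioritisation over the CVEs named in the article (added example)."""
from dataclasses import dataclass

# Vendor severity alone, as a base score.
SEVERITY_SCORE = {"Critical": 3, "Important": 2, "Moderate": 1, "Low": 0}


@dataclass(frozen=True)
class Cve:
    cve_id: str
    severity: str
    exploited: bool = False        # seen exploited in the wild
    disclosed: bool = False        # publicly disclosed before the patch
    remote_code_exec: bool = False


def risk_score(c: Cve) -> int:
    """Severity plus risk metadata. Weights are assumed for illustration:
    active exploitation outranks any vendor severity, and public disclosure
    outranks the gap between Important and Critical."""
    score = SEVERITY_SCORE[c.severity]
    if c.exploited:
        score += 10
    if c.disclosed:
        score += 4
    if c.remote_code_exec:
        score += 1
    return score


def by_vendor_severity(cves):
    """Ordering by vendor severity only, then by id for a stable result."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (-SEVERITY_SCORE[c.severity], c.cve_id))]


def prioritise(cves):
    """Ordering by risk score (severity plus exploited/disclosed metadata), then by id."""
    return [c.cve_id for c in sorted(cves, key=lambda c: (-risk_score(c), c.cve_id))]


# Constructed records: attributes taken from what the article says about each CVE.
APRIL_2021 = [
    Cve("CVE-2021-28310", "Important", exploited=True),            # Win32k zero-day
    Cve("CVE-2021-28480", "Critical", remote_code_exec=True),      # Exchange Server
    Cve("CVE-2021-28481", "Critical", remote_code_exec=True),
    Cve("CVE-2021-28482", "Critical", remote_code_exec=True),
    Cve("CVE-2021-28483", "Critical", remote_code_exec=True),
    Cve("CVE-2021-27091", "Important", disclosed=True),            # publicly disclosed RPC EoP
]

if __name__ == "__main__":
    print("severity only:", by_vendor_severity(APRIL_2021))
    print("risk based:   ", prioritise(APRIL_2021))
```

With severity alone the exploited Win32k bug sorts last; with the exploited and disclosed flags included it moves to the top, followed by the publicly disclosed RPC flaw and then the four Exchange RCEs.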