Latest Microsoft Windows Updates Patch Dozens of Security Flaws


Microsoft on Tuesday rolled out its scheduled monthly security update with patches for 55 security flaws affecting Windows, Exchange Server, Internet Explorer, Office, Hyper-V, Visual Studio, and Skype for Business.

Of these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. Three of the vulnerabilities are publicly known, although, unlike last month, none of them are under active exploitation at the time of release.

The most critical of the flaws addressed is CVE-2021-31166, a wormable remote code execution vulnerability in the HTTP protocol stack. The issue, which could allow an unauthenticated attacker to send a specially crafted packet to a targeted server, is rated 9.8 out of a maximum of 10 on the CVSS scale.

Another vulnerability of note is a remote code execution flaw in Hyper-V (CVE-2021-28476), which also scores the highest severity among all flaws patched this month with a CVSS rating of 9.9.

“This issue allows a guest VM to force the Hyper-V host’s kernel to read from an arbitrary, potentially invalid address,” Microsoft said in its advisory. “The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address.”

“It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security,” the Windows maker noted.

In addition, the Patch Tuesday update addresses a scripting engine memory corruption flaw in Internet Explorer (CVE-2021-26419) and four weaknesses in Microsoft Exchange Server, marking the third consecutive month Microsoft has shipped fixes for the product since ProxyLogon exploits came to light in March:

  • CVE-2021-31207 (CVSS score: 6.6) – Security Feature Bypass Vulnerability (publicly known)
  • CVE-2021-31195 (CVSS score: 6.5) – Remote Code Execution Vulnerability
  • CVE-2021-31198 (CVSS score: 7.8) – Remote Code Execution Vulnerability
  • CVE-2021-31209 (CVSS score: 6.5) – Spoofing Vulnerability

While CVE-2021-31207 and CVE-2021-31209 were demonstrated at the 2021 Pwn2Own contest, Orange Tsai from DEVCORE, who disclosed the ProxyLogon Exchange Server vulnerability, is credited with reporting CVE-2021-31195.

Elsewhere, the update addresses a slew of privilege escalation bugs in Windows Container Manager Service, an information disclosure vulnerability in Windows Wireless Networking, and several remote code execution flaws in Microsoft Office, Microsoft SharePoint Server, Skype for Business and Lync, Visual Studio, and Windows Media Foundation Core.

To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.

