Microsoft Deploys Windows Patch for Actively Exploited Zero-Day, More Bugs
In the latest patch for its operating system, released just this week, Microsoft fixed as many as 66 documented bugs. As expected, not all of them are critical, but several have received 'critical' ratings on their CVE entries, and one of them is being actively exploited in the wild by threat actors.
The vulnerability that is reportedly already being exploited in the wild is tracked as CVE-2021-40444 and is an MSHTML remote code execution bug. According to reports by Threatpost, the 40444 vulnerability has been under active exploitation by hackers for about half a month now, with dark web discussions and tutorials on how exactly to exploit it.
The bugs covered by the mid-September 'Patch Tuesday' affect the Windows OS as well as a number of Windows components, including the Edge browser, Microsoft's Office package and SharePoint servers.
'Patch Tuesday' is the name given to the second Tuesday of each month, when most companies release patches and security fixes for their popular applications.
Over the course of 2021, the average number of issues Microsoft has fixed with each Patch Tuesday has been consistently lower than in the same periods of 2020.
While in 2020 the majority of Patch Tuesday reports included well over 100 bugs, the number has stayed consistently under 100 during the first seven months of the year.
As for the CVE-2021-40444 bug, according to Microsoft's own description of the issue, it could allow attackers to create a malicious ActiveX control embedded in MS Office document files, which in turn host the same rendering engine used by the browser. All that would be left for the hackers is to somehow trick the victim into opening the malware-laden document.
This is usually done through social engineering tricks, such as malware-laden emails and scams that try to goad users into opening the malicious attachments they contain.