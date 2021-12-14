



Microsoft has released 67 security fixes for its software, including seven critical issues and a zero-day flaw that is being actively exploited by cybercriminals.

Redmond Giant’s latest patch round, typically released on the second Tuesday of every month, on what’s called patch Tuesday, Microsoft has introduced a remote code execution (RCE) vulnerability, a security flaw in elevation of privilege, and a spoofing bug. Fixed software issues such as. The problem of denial of service.

Products affected by Microsoft’s December security update include Microsoft Office, Microsoft PowerShell, Chromium-based Edge browsers, Windows kernels, Print Spooler, and remote desktop clients.

Some of the most serious vulnerabilities resolved in this update are a total of six zero-day attacks, but only one is known to be actually exploited.

CVE-2021-43890: This Windows AppX installer spoofing zero-day vulnerability has issued a CVSS severity score of 7.1, has been rated as critical, is publicly known and has been exploited. Microsoft is “aware of attacks attempting to exploit this vulnerability using specially crafted packages,” saying the bug has been weaponized to spread the Emotet / Trickbot / Bazaloader malware family. I am. CVE-2021-41333: Issue CVSS Score 7.8, this Windows Print Spooler privilege elevation vulnerability has been exposed and the attack complexity is low CVE-2021-43880: This security flaw is local Described as a Windows Mobile Device Management Privilege Elevation (EoP) vulnerability that an attacker can remove Target file on system CVE-2021-43893: James Forshaw of Google Project Zero reported this issue (CVSS 7.5) .. It is described by Microsoft as EoP for the Windows Encrypting File System (EFS). CVE-2021-43240: According to Microsoft, which issued a CVSS score of 7.8, this flaw is an elevation of privilege for the NTFS Set Short Name, and exploit code is available to prove the concept and is generally known. CVE-2021-43883: Last zero-day flaw affects Windows Installer. This issue has been assigned a CVSS score of 7.8, which may allow unauthorized privilege elevation.

The additional 16 CVEs in the Chromium-based Edge browser were patched earlier this month.

According to the Zero Day Initiative (ZDI), Microsoft patched the 887 vulnerability assigned by CVE this year. This number may seem high, but the team points out that it’s down 29% from 2020 (Chromium-based Edge isn’t included).

Last month, Microsoft fixed 55 bugs in a batch of security fixes in November. In total, 6 were assigned critical ratings and 15 were remote code execution issues. The zero-day vulnerability has also been resolved by the technology giant.

A month ago, in a patch on Tuesday October, a tech giant addressed 71 vulnerabilities. It contained four zero-day defects, one of which was actually exploited.

In other Microsoft security news, the company recently found a patched Exchange Server post-authentication flaw tracked as CVE-2021-42321 in addition to last year’s issues surrounding four zero-days on the server. A platform that warned that it was being weaponized by a new attack.

The company also recently released findings on Iran’s threat actors and rankings in the field of cybercrime. Microsoft says Iran-sponsored attacks on IT services have increased significantly this year, even though they were almost non-existent in 2020.

In addition to the Microsoft patch on Tuesday, other vendors have released security updates, which you can access at:

