Microsoft has fixed dozens of security flaws across its suite of products, including a critical Internet Explorer bug that’s been previously exploited by state-backed North Korean hackers to attack security researchers.
The flaw, tracked as CVE-2021-26411, is a memory corruption vulnerability that’s allowed hackers to run malware on victims’ machines by luring them into accessing a malicious website.
This is the fifth actively exploited Microsoft vulnerability to be patched in recent weeks, after four Microsoft Exchange Server flaws were disclosed last week.
These five fixes were included in the latest Patch Tuesday wave of updates among 89 patches across Microsoft products, including fixes for 14 critically-rated vulnerabilities.
The latest actively-exploited remote code exploitation flaw affects Internet Explorer versions 9 and 11, as well as the HTML-based Microsoft Edge, which itself reached end-of-life today. Internet Explorer will stop being supported with updates from 17 August this year.
The Internet Explorer vulnerability was previously reported as a zero-day by the South Korean security firm Enki in February, which itself was targeted by hackers exploiting the bug.
To trigger the exploit, an attacker would first have to craft a website, or take advantage of a compromised website and convince a user to view it. This would usually be done by undergoing a phishing exercise, either by sending an email or text message or prompting users to download a malicious email attachment.
The discovery of a sixth actively-exploited flaw in recent weeks is sure to raise alarms considering the potentially devastating effects that the recent Microsoft Exchange Server exploitation has rendered.
The White House weighed in over the weekend, advising businesses to patch their systems immediately due to the risk of intrusion, with security researchers warning there could be hundreds of thousands of prospective victims across the world. One organisation that’s among the first confirmed victims of the attacks is the European Banking Authority.
-
Manufacturers report millions in losses as downtime wreaks havoc on operationsNews UK manufacturers are losing up to £736 million every week due to downtime, according to new research, with outages lasting for several days on end.
-
Microsoft gives OpenAI restructuring plans the green lightNews The deal removes fundraising constraints and modifies Microsoft's rights to use OpenAI models and products
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
