Microsoft has a critical vulnerability in Windows Desktop Manager that’s been actively exploited by cyber criminals as part of its latest Patch Tuesday wave of fixes.
The vulnerability tracked as CVE-2021-28310 is an escalation of privilege exploit in the Desktop Window Manager component of Windows 10 that’s likely being used in a chain alongside other exploits to seize control of victims’ devices.
The flaw is an out-of-bounds write vulnerability in dwmcore.dll, which is part of the Desktop Window Manager executable, according to researchers with Kaspersky’s SecureList.
To exploit the flaw, hackers will need to have already logged into a system, or trick users into running code on their behalf, further fuelling assertions that it’s being used in chain attacks with other known vulnerabilities.
The flaw was patched alongside four other publicly exposed vulnerabilities that haven’t yet been exploited, to the best of Microsoft’s knowledge, including CVE-2021-27091, CVE-2021-28312, CVE-2021-28437 and CVE-2021-28458.
The first of these four is another escalation of privilege vulnerability present in the RPC Endpoint Mapper Service, while the second is a denial of service flaw in Windows NTFS, the primary file service for the Windows operating system. The third vulnerability is an information disclosure vulnerability in Windows Installer while the final flaw is another elevation of privilege vulnerability in the ms-rest-nodeauth component of Azure.
These bugs have been fixed among 114 vulnerabilities, with 19 critical bugs and 88 tagged as being important. These also include four critical Microsoft Exchange Server vulnerabilities discovered by the NSA.
The fixes apply to Exchange Server versions 2013, 2016 and 2019, and are said to be a different set of vulnerabilities to those which were discovered as being actively exploited earlier this year.
The White House has intervened as a result of their discovery, urging all agencies to install the patches immediately as they “pose an unacceptable risk” to the government.
“Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw,” said staff research engineer with Tenable, Satnam Narang. “With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately.
RELATED RESOURCE
IT Pro 20/20: Meet the companies leaving the office for good
The 15th issue of IT Pro 20/20 looks at the nature of operating a business in 2021
"Microsoft also patched CVE-2021-28310, a Win32k Elevation of Privilege vulnerability that was exploited in the wild as a zero-day. Exploitation of this vulnerability would give the attacker elevated privileges on the vulnerable system.
"This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs. Elevation of Privilege vulnerabilities is leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges."
-
What does modern security success look like for financial services?Sponsored As financial institutions grapple with evolving cyber threats, intensifying regulations, and the limitations of ageing IT infrastructure, the need for a resilient and forward-thinking security strategy has never been greater
-
Yes, legal AI. But what can you actually do with it? Let’s take a look…Sponsored Legal AI is a knowledge multiplier that can accelerate research, sharpen insights, and organize information, provided legal teams have confidence in its transparent and auditable application
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
