Days after Apple and Google rolled out urgent security updates, Microsoft shipped its monthly batch of fixes to address 66 vulnerabilities affecting Windows and other components such as Azure, Office, BitLocker and Visual Studio, including one in the MSHTML platform that is actively exploited.
Of the 66 vulnerabilities, three are rated critical, 62 are rated important, and one is rated moderate.
And that’s apart from the 20 vulnerabilities in Microsoft’s Chromium-based Edge browser that the company has addressed since the beginning of the month.
The most significant update is the patch for CVE-2021-40444, an actively exploited remote code execution vulnerability in MSHTML that is triggered through Office documents containing malicious ActiveX controls.
A few days earlier, the company had issued a warning about the flaw after security researchers discovered it was being exploited by malicious actors who trick potential victims into opening malicious Office files.
When the file is opened, it automatically launches a page via Internet Explorer, which contains an ActiveX control that downloads malware into the victim’s computer.
When the company posted the warning it did not yet have a fix, and it asked users to make sure Microsoft Defender Antivirus or Microsoft Defender for Endpoint was running; both products can detect attempts to exploit the vulnerability.
It also advised users to disable all ActiveX controls in Internet Explorer. CVE-2021-40444 affects Windows Server from version 2008 onward and Windows 7 through Windows 10.
Another publicly disclosed flaw, CVE-2021-36968 in Windows DNS, was also addressed, although it is not known to be actively exploited.
Other flaws include a number of remote code execution bugs in Open Management Infrastructure (CVE-2021-38647), the Windows WLAN AutoConfig service (CVE-2021-36965), Office (CVE-2021-38659), Visual Studio (CVE-2021-36952) and WordPress (CVE-2021-38656), in addition to a memory corruption bug in the Windows Scripting Engine (CVE-2021-26435).
Furthermore, the company fixed three newly disclosed privilege escalation flaws in the Print Spooler service (CVE-2021-38667, CVE-2021-38671 and CVE-2021-40447).
CVE-2021-36975 and CVE-2021-38639, both privilege escalation vulnerabilities in Win32k, are listed as more likely to be exploited, making it imperative that users apply the security updates quickly.