A zero day being abused in the wild, and a brace of critical Exchange bugs among Microsoft’s Patch Tuesday fixes.
An out-of-bounds (OOB) write vulnerability in dwmcore.dll — part of Desktop Window Manager (dwm.exe) — being actively abused in the wild and a brace of critical new bugs in Exchange Server reported by the NSA were among the 114 vulnerabilities patched by Microsoft today (April 13) in this year’s most substantial Patch Tuesday.
Arguably the most critical are CVE-2021-28480/28481: two Microsoft Exchange Server Remote Code Execution (RCE) vulnerabilities with a CVSS rating of 9.8. Both were reported by the NSA. As the ZDI notes: “Since the attack vector is listed as ‘network’, it is likely these bugs are wormable – at least between Exchange servers.”
Get patching. And perhaps consider an alternative to Microsoft Exchange…
Spotted and reported by Kaspersky, which posted a detailed writeup on the bug, CVE-2021-28310 meanwhile lets attackers “create a situation that allows them to write controlled data at a controlled offset using [the] DirectComposition API” — a Windows component introduced in Windows 8 to enable bitmap composition.
As the ZDI’s Dustin Child notes: “The bug allows an attacker to escalate privileges by running a specially crafted program on a target system. This does mean that they will either need to log on to a system or trick a legitimate user into running the code on their behalf. Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system.” (Kaspersky was unable to get a full killchain.)
See also — One to watch #5: Element. Introducing the encrypted messenger & Matrix host.
Microsoft also identified 12 individual CVEs in Microsoft Windows Remote Procedure Call (RPC) — a protocol used to request a service from a programme located on another computer/device on the same network. The vulnerabilities allow an authenticated attacker to gain RCE on the target system by sending a specially crafted RPC request.
As Automox’s Jay Goodman notes: “Depending on the user privileges, an attacker could install programs, change or delete data, or create additional user accounts with full user rights. Microsoft marks the vulnerability as “exploitation less likely”, however… leaving latent vulnerabilities with RCE exploits can easily lead to a faster-spreading attack.”
See Microsoft’s full list here. Writeups here from Automox and the ZDI.
Adobe meanwhile reported four critical bugs that could allow arbitrary code execution if exploited, including two in Photoshop (buffer overflows that could allow arbitrary code execution); a Digital Editions update that fixes a critical privilege escalation bug.
None are believed to be under attack