This week, Microsoft released its scheduled monthly update bundle for April 2021. The April Patch Tuesday is another huge update pack this year, addressing 110 security vulnerabilities. These include a zero-day under active exploitation and numerous critical-severity bugs.
Microsoft Fixed A Zero-Day Under Attack
A major security fix that Microsoft released this week addresses an actively exploited zero-day vulnerability. This flaw (CVE-2021-28310) is an important-severity privilege escalation flaw affecting the win32k component.
Elaborating more on this vulnerability, Kaspersky researchers described it as an out-of-bounds write vulnerability affecting the Windows dwmcore.dll library of the Desktop Window Manager. As mentioned in their report,
Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API.
Reportedly, the bug is currently under attack by the BITTER APT group.
Other Microsoft April Patch Tuesday Updates
Alongside the zero-day, Microsoft fixed 19 critical-severity flaws and 88 other important-severity flaws.
These 19 critical-severity bugs could all lead to remote code execution upon exploitation. Of these, 4 critical bugs (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) affected Microsoft Exchange Server. Exploiting two of these bugs didn’t even require an attacker to undergo user authentication.
Leaving these 7 aside, the remaining 12 critical vulnerabilities were Remote Procedure Call (RPC) runtime bugs.
Among the important-severity flaws, two noteworthy vulnerabilities are CVE-2021-28458 and CVE-2021-27091. These vulnerabilities, each receiving a CVSS score of 7.8, could allow elevation of privilege upon exploitation. Another important vulnerability, CVE-2021-28437, with a CVSS score of 5.5, could allow information disclosure.
These three bugs, together with a moderate-severity denial-of-service (DoS) flaw in Windows NTFS (CVE-2021-28312), were publicly disclosed before the fix. Nonetheless, Microsoft confirmed no active exploitation of the flaws.
Since the updates are now available globally, all Windows users must ensure they update their systems at the earliest opportunity.