Microsoft releases fix for zero-day vulnerability in Microsoft Office via MShtml

Spread the love

Microsoft has identified a total of 86 vulnerabilities, including an actively exploited zeroday in MSHTML that affected Office users, a zeroday in Windows DNS, and patched 28 bugs in Microsoft Edge during Patch Tuesday. The vulnerabilities range from minor to critical.

During the monthly Patch Tuesday, Microsoft has patched 60 vulnerabilities in, among others, different versions of Windows, Windows Server, Excel, Microsoft 365, Office, Sharepoint and HEVC Video Extensions. In addition, it has released a patch for a critical vulnerability in Azure and a patch for two zero days in MShtml and Windows DNS. Microsoft also closed 28 vulnerabilities in the browser Edge.

The most serious vulnerability patched concerns a zero-day in the Mshtml Internet Explorer browser rendering engine, which is used in Microsoft Office Docs. Microsoft says this zero day has been actively abused. Microsoft warned about this vulnerability a week ago. The vulnerability affects Windows 8.1, Windows 10 and Windows Servers versions from 2008 to 2019. Custom Office documents allow hackers to perform remote code execution if users open the documents without security features. Expmon security researchers discovered the vulnerability after a zero-day attack targeting Office users.

Another zeroday, which gives attackers the ability to escalate privileges through Windows DNS, Microsoft knows has not been actively exploited. This vulnerability is registered as CVE-2021-36968 and mainly affects older Windows systems. Microsoft also closed a vulnerability that enabled remote code execution via Windows Print Spooler. This vulnerability was reported August 11. Microsoft already had a temporary solution for that; this fix replaces that fix, explains The Register.

During Patch Tuesday, Microsoft usually fixes a number of bugs and vulnerabilities in one go. Critical vulnerabilities are patched as quickly as possible in between. In addition to the above, Microsoft also closed 28 vulnerabilities in Microsoft Edge, Bleeping Computer writes, which made possible spoofing on Android and iOS, as well as the escalation of privileges and a critical vulnerability in Windows WLAN AutoConfig Service that made RCE possible and with which via a public Wi-Fi network a system can be taken over. Finally, Microsoft fixed an RCE vulnerability in Open Management Infrastructure for Azure.

AndroidAzureBrowserBugsDNSDocumentsEngineExcelExplorerHackersHEVCiOSManagementMicrosoftMicrosoft OfficePublicRegisterRemoteResearchersSecurityWi-FiWindowsWindows 10Windows 8Windows Server