Microsoft has released today its monthly batch of security updates, known as Patch Tuesday. This month, the OS maker has fixed 56 security vulnerabilities, including a Windows bug that was being exploited in the wild before today's patches.
Tracked as CVE-2021-1732[1], the Windows zero-day is an elevation of privelege bug in Win32k, a core component of the Windows operating system.
The bug was exploited after attackers gained access to a Windows system in order to obtain SYSTEM-level access.
Details about the attacks where this bug was used were not revealed. Microsoft credited three security researchers from Chinese security firm DBAPPSecurity[2] with discovering the attacks where this zero-day was employed.
Many bug details went public
Besides the zero-day, this month's Patch Tuesday also stands out because of the high number of vulnerabilities whose details were made public even before patches were available.
In total, six Microsoft product bugs had their details posted online before today's patches. This included:
- CVE-2021-1721[3] - .NET Core and Visual Studio Denial of Service Vulnerability
- CVE-2021-1733[4] - Sysinternals PsExec Elevation of Privilege Vulnerability
- CVE-2021-26701[5] - .NET Core Remote Code Execution Vulnerability
- CVE-2021-1727[6] - Windows Installer Elevation of Privilege Vulnerability
- CVE-2021-24098[7] - Windows Console Driver Denial of Service Vulnerability
- CVE-2021-24106[8] - Windows DirectX Information Disclosure Vulnerability
The good news is that none of these bugs were exploited by attackers, despite their details being posted online.
Warning about TCP/IP bugs
But that's not all. This month, Microsoft has also released fixes for three vulnerabilities in the Windows TCP/IP stack, which allows the operating system to connect to the internet.
Two of these bugs (CVE-2021-24074[9], CVE-2021-24094[10]) apply fixes for remote code execution vulnerabilities that