For Patchday, Microsoft has fixed a vulnerability in the Desktop Window Manager in Windows 10 and its server counterparts that is currently being actively exploited.
On yesterday’s Patch Tuesday – the most extensive since the beginning of the year – Microsoft fixed 108 vulnerabilities from various products. 19 vulnerabilities were classified as critical. 88 other vulnerability fixes are considered “Important”, one as “Moderate”. Users of Windows and other Microsoft software should ensure that their systems receive the necessary updates. By default, Windows updates are automatically downloaded via active Windows Update.
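Since the article's only actionable advice is to make sure the April updates actually land, here is an added PowerShell check (not from heise online or Microsoft) that reports whether given KB updates are installed and whether the Windows Update service is still able to deliver them. The article names no KB numbers, so the `$RequiredKBs` entries are placeholders to be replaced with the IDs from Microsoft's release notes for the relevant Windows build.

```powershell
# Added example, not part of the original article: verify that this host has the
# April 2021 security updates installed and that automatic updates are still enabled.
# The KB numbers are NOT given in the article; replace these placeholders with the
# KB IDs listed in Microsoft's release notes for your Windows build.
$RequiredKBs = @('KB<PLACEHOLDER-1>', 'KB<PLACEHOLDER-2>')

# Get-HotFix reads the installed-update inventory (Win32_QuickFixEngineering).
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID

$missing = $RequiredKBs | Where-Object { $_ -notin $installed }
if ($missing) {
    Write-Warning ("Missing updates: {0}" -f ($missing -join ', '))
} else {
    Write-Output "All required updates are installed."
}

# The article notes that updates arrive via Windows Update by default; a disabled
# service would silently stop that delivery, so report its state.
$wu = Get-Service -Name wuauserv
Write-Output ("Windows Update service: Status={0} StartType={1}" -f $wu.Status, $wu.StartType)
if ($wu.StartType -eq 'Disabled') {
    Write-Warning "Windows Update service is disabled; updates will not be applied automatically."
}

# Report the OS build so it can be matched against the release notes.
$os = Get-CimInstance Win32_OperatingSystem
Write-Output ("OS: {0} build {1}" -f $os.Caption, $os.BuildNumber)
```

Run it in an elevated PowerShell session on each host; the missing-update list is what an administrator would feed into a ticket or a remediation job rather than relying on the default automatic download alone.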
Four of the critical vulnerabilities affect the Exchange Server e-mail and groupware system, which has been under increasing attack from attackers for the past month. Users should update here particularly conscientiously and as quickly as possible – especially since the gaps that have now been closed can enable attacks from afar with subsequent code execution (remote code execution).
A separate heise online message goes into more detail about the Exchange vulnerabilities and the backgrounds. The following advisories also provide details on the available Exchange updates:
- CVE-2021-28480: Exchange Server RCE Vulnerability
- CVE-2021-28481: Exchange Server RCE Vulnerability
- CVE-2021-28482: Exchange Server RCE Vulnerability
- CVE-2021-28483: Exchange Server RCE Vulnerability
CVE-2021-28310: Exploit in the wild
Among the fixed “Important” vulnerabilities is one that Microsoft says is currently being abused in the wild: CVE-2021-28310 makes the window manager (Desktop Window Manager, DWM) of several Windows 10 and server versions a potential gateway for attackers, who could extend existing privileges and, in the worst case, execute arbitrary (malicious) code on the target system. According to Microsoft’s advisory on CVE-2021-28310, an attack requires at least low system privileges and is only possible locally (or via an SSH connection, for example).
How exactly such an attack works is not yet clear. The Kaspersky team, which discovered CVE-2021-28310 while analyzing a previous vulnerability (CVE-2021-1732, patched in February) that was also actively exploited, stated: “This exploit is likely to be bundled with browser exploits used to evade detection within a sandbox and to gain system permissions for further access. The first analysis by Kaspersky could not determine the entire chain of infection. Therefore, it is not yet known whether the exploit is used with another zero-day system or with known, patched vulnerabilities.” According to the AV software manufacturer, several independent actors are currently using the exploit.
Microsoft’s advisory on CVE-2021-28310 (Win32k Elevation of Privilege Vulnerability). A recent blog entry by Kaspersky provides technical details on the vulnerability.
All vulnerabilities at a glance
In addition to the critical vulnerabilities in Exchange Server already mentioned, two critical vulnerabilities are in Windows Media Decoder and another in Azure Sphere. The rest pertain to various operating system components and editions. According to Trend Micro’s Zero Day Initiative (ZDI), none of the vulnerabilities demonstrated by researchers last week in the Pwn2Own contest have been patched. Exchange Server, Windows 10 and Teams were also successfully hacked there. Updates should therefore follow later.
A blog entry by Trend Micro’s Zero Day Initiative provides a clear listing of all security gaps closed in April. Summary information can also be found in Microsoft’s release notes for the April 2021 security updates.