This Patch Tuesday -- the second Tuesday of February, yesterday -- Microsoft released fixes for a slew of Windows 10 flaws. Included among a total of 56 vulnerabilities is a critical zero-day which was being actively exploited to gain admin privileges on victims' systems.
But the fix for CVE-2021-1732 (Windows Win32k Elevation of Privilege Vulnerability) is just one of 11 fixes for critical bugs this month. In addition, Microsoft has fixed two Moderate vulnerabilities, as well as 43 that are marked as Important.
This month's Patch Tuesday releases cover a range of components for Windows 10 and Microsoft services -- everything from PowerShell and Skype for Business, to Hyper-V and Office. But it is undoubtedly the fix for
CVE-2021-1732 -- brought to light by a security researcher from DBAPPSecurity recently -- which is the highlight.
Said to have a success rate of almost 10 percent, the vulnerability has been actively exploited in the wild since at least December last year. The researchers who discovered it
said:
This zero-day is a new vulnerability caused by win32k callback, it could be used to escape the sandbox of Microsoft IE browser or Adobe Reader on the lasted Windows 10 version. The quality of this vulnerability high and the exploit is sophisticated. The use of this in-the-wild zero-day reflects the organization’s strong vulnerability reserve capability. The threat organization may have recruited members with a certain strength, or buying it from vulnerability brokers.
Microsoft has published details of everything contained in this month's releases on its
security pages, and you can download the updates through all of the usual sources.
source
