The company does not provide any details, except for a mention in the security bulletin that the vulnerabilities are already being exploited by hackers.
On Tuesday, July 13, as part of another Tuesday patch, Microsoft patched three Windows zero-day vulnerabilities that are actively exploited in hacker attacks.
The company does not provide any details about the attacks, other than a mention in a security bulletin that three vulnerabilities are exploited in real attacks. These are the following vulnerabilities:
CVE-2021-31979 – Windows kernel privilege escalation;
CVE-2021-33771 – Windows kernel privilege escalation;
CVE-2021-34448 – Scripting engine memory corruption that puts users at risk of drive-by attacks via web browsers.
In total, Microsoft has documented 117 vulnerabilities in the Windows ecosystem, including vulnerabilities that allow remote code execution. 17 issues were marked as “critical”. Updates released by the company fix vulnerabilities in Microsoft Office, Microsoft Exchange Server, Bing, SharePoint Server, Internet Explorer, Visual Studio, and OpenEnclave.
In addition to already exploited vulnerabilities, Microsoft has warned that five more vulnerabilities have been publicly disclosed. One of the well-known issues affecting Microsoft Exchange Server is classified as critical and allows remote code execution.
The hotfix package was released less than a week after Microsoft released a hotfix for a zero-day vulnerability in the Windows PrintNightmare print spooler. Security experts have noted issues with this patch, but Microsoft insists the patch works as expected.