In September’s Patch Tuesday crop of security fixes, Microsoft released patches for 66 CVEs, three of which are rated critical, and one of which – the Windows MSHTML zero-day – has been under active attack for nearly two weeks. One other bug is listed as publicly known but isn’t (yet) being exploited.

Immersive Labs’ Kevin Breen, director of cyber threat research, observed that with only one CVE under active attack in the wild, it’s “quite a light Patch Tuesday” – at least on the surface, that is.

The flaws were found in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS and the Windows Subsystem for Linux. Of the 66 new CVEs patched today, three are rated critical, 62 are rated important, and one is rated moderate in severity.

Over the past nine months of 2021, this is the seventh month in which Microsoft patched fewer than 100 CVEs, in stark contrast to 2020, when Redmond spent eight months gushing out more than 100 CVE patches per month. But while the overall number of vulnerabilities is lighter, the severity ratings have ticked up, as the Zero Day Initiative noted.

Some observers pegged the top patching priority in this month’s batch as being a fix for CVE-2021-40444: an important-rated vulnerability in Microsoft’s MSHTML (Trident) engine that rates 8.8 out of 10 on the CVSS scale. Disclosed on Sept. 7, it’s a painfully throbbing sore thumb, given that…