The most serious of these (catalog number CVE-2021-33742) allows malicious web pages to break into PCs via Internet Explorer and other Microsoft programs. According to Microsoft, Microsoft Edge is also affected if it is in "Internet Explorer mode."
Google's Threat Analysis Group only discovered the flaw last week. Yesterday (June 8), Google's Shane Huntley tweeted that the attack using the flaw appears to have been developed by a commercial hacking group targeting states in the Middle East or Eastern Europe.
Speaking of Google, two other zero-day flaws (CVE-2021-31955 and 31956) were used in conjunction with a Chrome flaw as part of a "wave of highly targeted attacks against multiple companies" in April, according to Kaspersky researchers. The Chrome flaw was fixed when a security update for the browser was issued later that month.
According to a Kaspersky press release, the company "has not yet found a link between these attacks and known threat actors." Kaspersky calls this unknown group the "Puzzle Makers."
Two more of the patched zero-days (CVE-2021-31199 and 31201) appear to have been used in conjunction with a flaw in Adobe Reader that was fixed last month. As in the Chrome attack, the Reader flaw allowed attackers to enter the system, while Microsoft's flaws allowed "privilege escalation" to give the attacker complete control.
The sixth zero-day (CVE-2021-33739) is also a privilege escalation flaw. Although Microsoft's note does not provide many details, the flaw could be exploited if an attacker gains a foothold on the machine through phishing attacks or other means.
The fact that the patch is being applied to Windows 7 as well as Windows 8.1 and Windows 10 indicates that Microsoft is taking these zero-day flaws very seriously.
Windows 7 officially went out of support in January 2020 and was not supposed to be patched after that date. However, Microsoft has quietly fixed the worst of Windows 7's flaws in several recent Patch Tuesday updates.