moroccupy.blogg.se

“In a small sample of Azure tenants we analyzed, over 65% were unknowingly at risk.” “We conservatively estimate that thousands of Azure customers and millions of endpoints are affected,” Wiz.io’s Nir Ohfeld wrote. It was reported and detailed by researchers at Wiz.io, who said CVE-2021-38647 was one of four bugs in Azure OMI they found that Microsoft patched this week. “That being said, the ubiquity of systems deployed with WLAN AutoConfig enabled could make it an attractive target for exploitation.”Īnother critical weakness that enterprises using Azure should prioritize is CVE-2021-38647, which is a remote code execution bug in Azure Open Management Infrastructure (OMI) that has a CVSS Score of 9.8 (10 is the worst). “CVE-2021-28316 was a security bypass vulnerability, not remote code execution, and it has never been reported as publicly exploited,” Liska said. One mitigating factor here is that the attacker and target would have to be on the same network, although many systems are configured to auto-connect to Wi-Fi network names with which they have previously connected.Īllan Liska, senior security architect at Recorded Future, said a similar vulnerability - CVE-2021-28316 - was announced in April. The critical bug CVE-2021-36965 is interesting, as it involves a remote code execution flaw in “WLAN AutoConfig,” the component in Windows 10 and many Server versions that handles auto-connections to Wi-Fi networks. In a security advisory last week, Microsoft warned attackers already are exploiting the flaw through Microsoft Office applications as well as IE.

Top of the critical heap is CVE-2021-40444, which affects the “MSHTML” component of Internet Explorer (IE) on Windows 10 and many Windows Server versions.

Finally, Adobe has released critical security updates for Acrobat, Reader and a slew of other software.įour of the flaws fixed in this patch batch earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by miscreants or malware to remotely compromise a Windows PC with little or no help from the user. Also, Apple has issued an emergency update to fix a flaw that’s reportedly been abused to install spyware on iOS products, and Google‘s got a new version of Chrome that tackles two zero-day flaws. Microsoft today pushed software updates to plug dozens of security holes in Windows and related products, including a vulnerability that is already being exploited in active attacks.