Products affected by the Microsoft vulnerabilities include Hyper-V, Internet Explorer, Windows Server, and Windows 10. (Microsoft)

Microsoft fixed four critical vulnerabilities Tuesday, none of which to date are being exploited in the wild.

Products affected by the Microsoft vulnerabilities include Hyper-V, Internet Explorer, Windows Server, and Windows 10. All four critical vulnerabilities announced by Microsoft are new, and security pros are advised to patch in the first 72 hours to reduce risk in safeguarding both data and infrastructure.

Here’s a breakdown of the four Microsoft vulnerabilities:

According to Eric Feldman, senior product marketing manager at Automox, this one operates as a critical remote code execution (RCE) vulnerability that impacts Internet Explorer 11 and 9 running on multiple versions of Microsoft Windows and Windows Server. In a web-based attack scenario, an attacker could host a specially crafted website designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. The attacker could also take advantage of compromised websites and other websites that accept or host user-provided content or advertisements. These websites could contain specially-crafted content that could exploit the vulnerability. Feldman recommends that security pros prioritize this patch, or upgrade to a more modern browser if possible.

  • CVE-2021-31166: HTTP Protocol Stack remote code execution vulnerability

Automox’s Feldman said this RCE vulnerability impacts some versions of Windows 10 32-bit and 64-bit, and some versions of Windows Server. The HTTP Protocol Stack lets the Windows OS and applications communicate with other devices. If exploited, this vulnerability could let an unauthenticated attacker send a specially-crafted packet to a targeted server uses the HTTP Protocol Stack (http.sys) to process packets and ultimately, execute arbitrary code and take control of the affected system. Feldman said there’s no workaround, so he also recommends prioritizing this patch on affected servers.

Justin Knapp, senior product marketing manager at Automox, said this functions as a vulnerability in Microsoft Windows Object Linking and Embedding (OLE) Automation that could lead to an RCE on the victim’s system if exploited successfully. To exploit this vulnerability, an attacker could host a specially-crafted website designed to invoke OLE automation through a web browser. However, this approach requires that the attacker bait a user into visiting the maliciously crafted website. OLE has frequently been used in the past by hackers for multiple reasons, including masking malicious code within documents and linking to external files that infect systems with malware. Considering the prevalent exploitation of OLE vulnerabilities, including those that had been flagged years ago, Knapp recommended that companies should immediately prioritize patching all outstanding OLE vulnerabilities.

Automox’s Knapp said this critical RCE vulnerability exists within Microsoft Windows Hyper-V, a native hypervisor that creates and runs virtual machines on x86-64 systems running Windows. To exploit this vulnerability, an attacker could run a specially-crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB (server message block) packet data. Successful exploitation could let  attackers run malicious binaries on Hyper-V virtual machines or execute arbitrary code on the host system itself. Knapp said because the security flaw affects an extensive list of Windows and Windows Server versions, security pros should prioritize it to account for the critical severity rating and low attack complexity.