After Microsoft assigned an "important" rating to a zero-day vulnerability being exploited in the wild as part of this month's Patch Tuesday, security experts are urging security teams to prioritize updates based on risk rather than vendor severity ratings.
Microsoft reported just 56 vulnerabilities this month, nine critical and six already publicly disclosed.
But it is the zero-day, CVE-2021-1732, or rather its rating, that drew attention. To exploit this Windows Win32k.sys elevation of privilege vulnerability, which impacts Windows 10 and Windows Server 2019, Allan Liska, senior security architect at Recorded Future, said, an attacker would have to have access to the target system, then gain administrative access.
Although Microsoft rated the flaw as “important,” rather than “critical,” Liska said that because it's exploited in the wild, security teams should prioritize this vulnerability for patching.
The zero-day is a prime example of why it’s so important for security teams to do risk-based prioritization, said Chris Goettl, senior director of product management at Ivanti.
“If you base your prioritization off of vendor severity and focus on only ‘critical’ you could have missed this vulnerability in your prioritization,” Goettl said. “This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month.”
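The ranking difference Goettl describes is easy to make concrete. The following Python is an added example, not code from the article or from any vendor, that scores a small constructed list of vulnerabilities two ways: by vendor severity label alone, and by a risk model in which known in-the-wild exploitation dominates. CVE-2021-24078's CVSS of 9.8 comes from the article; the CVSS value given for CVE-2021-1732, the host counts, and the third "EXAMPLE-CRIT-1" entry are constructed placeholders, and the weights in `risk_score` are an assumed illustrative policy, not a published standard.

```python
from dataclasses import dataclass
from typing import List


@dataclass
class Vuln:
    """One vulnerability as it would appear in a patch-management feed."""
    cve: str
    vendor_severity: str          # vendor label: "critical", "important", ...
    cvss: float                   # CVSS base score
    exploited_in_wild: bool = False   # e.g. flagged as exploited in the advisory
    publicly_disclosed: bool = False  # details public before the patch
    exposed_hosts: int = 0        # in-scope assets running affected versions


def risk_score(v: Vuln) -> float:
    """Risk-based score (assumed weights, for illustration only).

    Active exploitation outranks any unexploited CVSS score; public
    disclosure and environment exposure add smaller bumps. The vendor
    severity label is deliberately not an input at all.
    """
    score = v.cvss
    if v.exploited_in_wild:
        score += 10.0   # +10 guarantees an exploited flaw beats any CVSS <= 10 alone
    if v.publicly_disclosed:
        score += 3.0    # public details shorten time-to-weaponization
    if v.exposed_hosts > 0:
        score += min(v.exposed_hosts / 100.0, 2.0)  # exposure bonus, capped at 2
    return score


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Risk-based order: highest risk_score first."""
    return sorted(vulns, key=risk_score, reverse=True)


def vendor_only(vulns: List[Vuln]) -> List[Vuln]:
    """Naive order: vendor severity label first, CVSS as tie-breaker."""
    order = {"critical": 0, "important": 1, "moderate": 2, "low": 3}
    return sorted(vulns, key=lambda v: (order.get(v.vendor_severity, 9), -v.cvss))


# Constructed sample feed. CVSS 9.8 for CVE-2021-24078 is from the article;
# the 7.8 for CVE-2021-1732 and all host counts are placeholders.
SAMPLE = [
    Vuln("CVE-2021-1732", "important", 7.8, exploited_in_wild=True, exposed_hosts=400),
    Vuln("CVE-2021-24078", "critical", 9.8, exposed_hosts=12),
    Vuln("EXAMPLE-CRIT-1", "critical", 9.0),  # placeholder: critical, not exploited
]


if __name__ == "__main__":
    print("vendor-severity order:", [v.cve for v in vendor_only(SAMPLE)])
    print("risk-based order:     ", [v.cve for v in prioritize(SAMPLE)])
```

Run as written, the vendor-only sort puts both "critical" entries ahead of CVE-2021-1732, while the risk-based sort moves the exploited "important" zero-day to the top. In practice the `exploited_in_wild` flag would be populated from the vendor advisory or a known-exploited-vulnerabilities feed and `exposed_hosts` from asset inventory; the scoring weights are the part each team should tune.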
Security teams should also focus on CVE-2021-24078, a remote code execution (RCE) vulnerability in Windows DNS Server, Liska said. This critical vulnerability, which Microsoft assigned a CVSS score of 9.8, impacts Windows Server 2008 through 2019. As with SIGRed, which was disclosed last year, attackers can exploit the RCE vulnerability remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g., by sending a phishing email with a link to a new domain, or even with embedded images that call out to a new domain).