Microsoft patches actively exploited Desktop Window Manager flaw

Microsoft has a critical vulnerability in Windows Desktop Manager that’s been actively exploited by cyber criminals as part of its latest Patch Tuesday wave of fixes.

The vulnerability tracked as CVE-2021-28310 is an escalation of privilege exploit in the Desktop Window Manager component of Windows 10 that’s likely being used in a chain alongside other exploits to seize control of victims’ devices.

The flaw is an out-of-bounds write vulnerability in dwmcore.dll, which is part of the Desktop Window Manager executable, according to researchers with Kaspersky’s SecureList.

To exploit the flaw, hackers will need to have already logged into a system, or trick users into running code on their behalf, further fuelling assertions that it’s being used in chain attacks with other known vulnerabilities.

The flaw was patched alongside four other publicly exposed vulnerabilities that haven’t yet been exploited, to the best of Microsoft’s knowledge, including CVE-2021-27091, CVE-2021-28312, CVE-2021-28437 and CVE-2021-28458.

The first of these four is another escalation of privilege vulnerability present in the RPC Endpoint Mapper Service, while the second is a denial of service flaw in Windows NTFS, the primary file service for the Windows operating system. The third vulnerability is an information disclosure vulnerability in Windows Installer while the final flaw is another elevation of privilege vulnerability in the ms-rest-nodeauth component of Azure.

These bugs have been fixed among 114 vulnerabilities, with 19 critical bugs and 88 tagged as being important. These also include four critical Microsoft Exchange Server vulnerabilities discovered by the NSA.

The fixes apply to Exchange Server versions 2013, 2016 and 2019, and are said to be a different set of vulnerabilities to those which were discovered as being actively exploited earlier this year.

The White House has intervened as a result of their discovery, urging all agencies to install the patches immediately as they “pose an unacceptable risk” to the government.

“Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw,” said staff research engineer with Tenable, Satnam Narang. “With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately.

"Microsoft also patched CVE-2021-28310, a Win32k Elevation of Privilege vulnerability that was exploited in the wild as a zero-day. Exploitation of this vulnerability would give the attacker elevated privileges on the vulnerable system.

"This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs. Elevation of Privilege vulnerabilities is leveraged by attackers post-compromise, once they’ve managed to gain access to a system in order to execute code on their target systems with elevated privileges."