You'd better implement the software patches that Microsoft released yesterday (June 8) if you're running any recent version of Windows, because this month's Patch Tuesday updates include fixes for six different "zero-day" flaws that are already being exploited by attackers in the wild.
The worst of the bunch (assigned the catalogue number CVE-2021-33742) lets malicious web pages hack into PCs via Internet Explorer and other Microsoft programs. Microsoft Edge is also affected when it is in "Internet Explorer mode," according to the Microsoft description of the flaw, which labels it "Critical."
- iOS 15 digital ID can replace your driver's license — is this a good idea?
- The best Windows 10 antivirus software
- Plus: Xbox Series X restock update: Track on Twitter, Walmart and more
Google's Threat Analysis Group discovered that flaw only last week. Yesterday (June 8) Google's Shane Huntley tweeted that the attacks using the flaw seem to have been developed by a commercial hacking group for a nation-state in the Middle East or Eastern Europe.
Another actively exploited vulnerability discovered in the wild by TAG (@_clem1). Great work by @msftsecresponse in patching within 7 days.https://t.co/Z2VXqn5kqKJune 8, 2021
Speaking of Google, two of the other zero-day flaws (CVE-2021-31955 and 31956) were used in conjunction with Chrome flaws as part of "a wave of highly targeted attacks against multiple companies" in April, according to Kaspersky researchers. The Chrome flaws were fixed in a flurry of security updates to that browser later in that month.
A Kaspersky press release said the company had "yet to find any connection between these attacks and any known threat actors." Kaspersky is calling the previously unknown group "Puzzle Maker."
Two more of the patched zero-days (CVE-2021-31199 and 31201) seem to have been used in conjunction with an Adobe Reader flaw that was fixed last month. As with the Chrome attacks, the Reader flaw got the attacker onto the system, and the Microsoft flaws then permitted the attacker to "elevate privileges" to fully take control.
The sixth zero-day (CVE-2021-33739) is also an elevation-of-privileges flaw. Microsoft's notes don't provide many details, but say the flaw could be used once an attacker has gained a foothold on a machine via a phishing attack or other means.
You can tell Microsoft takes these zero-day flaws very seriously because it's patching Windows 7 as well as Windows 8.1 and Windows 10, where applicable.
Windows 7 officially reached the end of support in January 2020 and wasn't supposed to get any more patches after that. But Microsoft has been quietly fixing the worst flaws in Windows 7 in several recent Patch Tuesday updates.