Microsoft today issued fixes for 114 vulnerabilities as part of its monthly security update release, which this month addressed 19 critical flaws, four critical Microsoft Exchange Server bugs found by the National Security Agency (NSA), and one zero-day bug in Desktop Window Manager.
CVE-2021-28310, a Win32k elevation of privilege vulnerability, is the only CVE under active attack patched this month.
Yesterday’s patches also addressed four critical remote code execution vulnerabilities in Microsoft Exchange Server: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483. All of these were discovered by the NSA and affect Exchange Server versions 2013 through 2019.
CVE-2021-28480 and CVE-2021-28481 have a CVSS score of 9.8 and require no authorization or user interaction to exploit.