Microsoft on June 8 deployed patches for 50 vulnerabilities, including six zero-days under active attack, the company reports.

Fifty is a relatively small number for Microsoft’s monthly security releases – most of its 2020 rollouts exceeded 100 – but this Patch Tuesday packs a punch. The CVEs that were addressed affect Microsoft Windows, Office, Edge browser, SharePoint Server, .NET Core and Visual Studio, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

The six flaws being exploited in the wild include one remote code execution bug, an information disclosure vulnerability, and four elevation-of-privilege flaws. One of these is classified as Critical; the other five are categorized Important. Two zero-days were publicly known at the time of disclosure; one vulnerability patched today is publicly known but not under attack.

Critical zero-day CVE-2021-33742, a remote code execution bug in the Windows MSHTML platform, has a CVSS score of 7.5 and was publicly known at the time it was patched. Attackers could successfully exploit this and execute code on a target system if they can convince a victim to view specially crafted Web content. Microsoft notes an attack requires some user interaction, though an attacker does not require access to files or settings in order to succeed.

“Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer,” writes Dustin Childs of the Zero Day Initiative in a blog post. “It’s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list.”

