Microsoft has released 67 security fixes for software, including seven critical issues and a zero-day flaw being actively exploited by cybercriminals.
In the Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, Microsoft has fixed software problems including Remote Code Execution (RCE) vulnerabilities, privilege escalation security flaws, spoofing bugs, and denial-of-service issues.
Products impacted by Microsoft’s December security update include Microsoft Office, Microsoft PowerShell, the Chromium-based Edge browser, the Windows Kernel, Print Spooler, and Remote Desktop Client.
Among the most severe vulnerabilities resolved in this update are a total of six zero-days, although only one is known to be actively exploited in the wild:
CVE-2021-43890: This Windows AppX Installer Spoofing zero-day vulnerability, issued a CVSS severity score of 7.1 and rated important, is publicly known and under exploitation. Microsoft says that it is “aware of attacks that attempt to exploit this vulnerability by using specially crafted packages” and that the bug is being weaponized to spread the Emotet/Trickbot/Bazaloader malware families.
CVE-2021-41333: Issued a CVSS score of 7.8, this Windows Print Spooler Elevation of Privilege vulnerability has been made public and has low attack complexity.
CVE-2021-43880: This security flaw is