Microsoft has five zero-day vulnerabilities which is a flaw under the active attack. It is applying many more patches to its problem: the plagued Microsoft Exchange Server Software. It released patches for 110 security holes, 19 classified critical in severity and 88 which are considered important. The most severe among these flaws is the Win32k elevation of privilege vulnerability which is being exploited in the wild by BITTER APT, the cybercriminal group.
Due to the lack of bounds checking, attackers can create a situation that allows them to write controlled data at a controlled offset using DirectComposition API. The US National Security Agency released information on four critical Exchange Server vulnerabilities which impact the versions of 2013 to 2019.
The company says that two out of four Exchange bugs reported by NSA were found internally by their research team. Microsoft included the patches for its Chromium-based Edge web browser, Azure DevOps Server, Hyper-V, Visual Studio, SharePoint Server, and Team Foundation Server. Knapp pointed out that the patching practices are best only when vitally important to companies as they are workforce challenged. It is still largely remote and forced to socially distance because of the coronavirus pandemic.