Login
Microsoft today released updates to fix more than 50 security holes in its Windows operating systems and other software, including patches for a whopping six βzero-dayβ vulnerabilities that attackers are already exploiting in the wild.
Zero-day #1 this month is CVE-2026-21510, a security feature bypass vulnerability in Windows Shell wherein a single click on a malicious link can quietly bypass Windows protections and run attacker-controlled content without warning or consent dialogs. CVE-2026-21510 affects all currently supported versions of Windows.
The zero-day flawΒ CVE-2026-21513 is aΒ security bypass bug targeting MSHTML, the proprietary engine of the default Web browser in Windows. CVE-2026-21514 is a related security feature bypass in Microsoft Word.
The zero-day CVE-2026-21533 allows local attackers to elevate their user privileges to βSYSTEMβ level access in Windows Remote Desktop Services. CVE-2026-21519 is a zero-day elevation of privilege flaw in the Desktop Window Manager (DWM), a key component of Windows that organizes windows on a userβs screen. Microsoft fixed a different zero-day in DWM just last month.
The sixth zero-day is CVE-2026-21525, a potentially disruptive denial-of-service vulnerability in the Windows Remote Access Connection Manager, the service responsible for maintaining VPN connections to corporate networks.
Chris Goettl at Ivanti reminds us Microsoft has issued several out-of-band security updates since Januaryβs Patch Tuesday. On January 17, Microsoft pushed a fix that resolved a credential prompt failure when attempting remote desktop or remote application connections. On January 26, Microsoft patched a zero-day security feature bypass vulnerability (CVE-2026-21509) in Microsoft Office.
Kev Breen at Immersive notes that this monthβs Patch Tuesday includes several fixes for remote code execution vulnerabilities affecting GitHub Copilot and multiple integrated development environments (IDEs), including VS Code, Visual Studio, and JetBrains products. The relevant CVEs are CVE-2026-21516, CVE-2026-21523, and CVE-2026-21256.
Breen said the AI vulnerabilities Microsoft patched this month stem from a command injection flaw that can be triggered through prompt injection, or tricking the AI agent into doing something it shouldnβt β like executing malicious code or commands.
βDevelopers are high-value targets for threat actors, as they often have access to sensitive data such as API keys and secrets that function as keys to critical infrastructure, including privileged AWS or Azure API keys,β Breen said. βWhen organizations enable developers and automation pipelines to use LLMs and agentic AI, a malicious prompt can have significant impact. This does not mean organizations should stop using AI. It does mean developers should understand the risks, teams should clearly identify which systems and workflows have access to AI agents, and least-privilege principles should be applied to limit the blast radius if developer secrets are compromised.β
TheΒ SANS Internet Storm CenterΒ has aΒ clickable breakdown of each individual fix this month from Microsoft, indexed by severity and CVSS score. Enterprise Windows admins involved in testing patches before rolling them out should keep an eye on askwoody.com, which often has the skinny on wonky updates. Please donβt neglect to back up your data if it has been a while since youβve done that, and feel free to sound off in the comments if you experience problems installing any of these fixes.
Microsoft today released updates to plug at least 121 security holes in its Windows operating systems and software, including one vulnerability that is already being exploited in the wild. Eleven of those flaws earned Microsoftβs most-dire βcriticalβ rating, meaning malware or malcontents could exploit them with little to no interaction from Windows users.
The zero-day flaw already seeing exploitation is CVE-2025-29824, a local elevation of privilege bug in the Windows Common Log File System (CLFS) driver.Β Microsoft rates it as βimportant,β but as Chris Goettl from Ivanti points out, risk-based prioritization warrants treating it as critical.
This CLFS component of Windows is no stranger to Patch Tuesday: According to Tenableβs Satnam Narang, since 2022 Microsoft has patched 32 CLFS vulnerabilities β averaging 10 per year β with six of them exploited in the wild. The last CLFS zero-day was patched in December 2024.
Narang notes that while flaws allowing attackers to install arbitrary code are consistently top overall Patch Tuesday features, the data is reversed for zero-day exploitation.
βFor the past two years, elevation of privilege flaws have led the pack and, so far in 2025, account for over half of all zero-days exploited,β Narang wrote.
Rapid7βs Adam Barnett warns that any Windows defenders responsible for an LDAP server β which means almost any organization with a non-trivial Microsoft footprint β should add patching for the critical flaw CVE-2025-26663Β to their to-do list.
βWith no privileges required, no need for user interaction, and code execution presumably in the context of the LDAP server itself, successful exploitation would be an attractive shortcut to any attacker,β Barnett said. βAnyone wondering if today is a re-run of December 2024 PatchΒ TuesdayΒ can take some small solace in the fact that the worst of theΒ trio of LDAP critical RCEs published at the end of last yearΒ was likely easier to exploit than todayβs example, since todayβsΒ CVE-2025-26663 requires that an attacker win a race condition. Despite that, Microsoft still expects that exploitation is more likely.β
Among the critical updates Microsoft patched this month are remote code execution flaws in Windows Remote Desktop servicesΒ (RDP), including CVE-2025-26671, CVE-2025-27480 and CVE-2025-27482; only the latter two are rated βcritical,β and Microsoft marked both of them as βExploitation More Likely.β
Perhaps the most widespread vulnerabilities fixed this month were in web browsers. Google Chrome updated to fix 13 flaws this week, and Mozilla Firefox fixed eight bugs, with possibly more updates coming later this week for Microsoft Edge.
As it tends to do on Patch Tuesdays, Adobe has released 12 updates resolving 54 security holes across a range of products, including ColdFusion, Adobe Commerce, Experience Manager Forms, After Effects, Media Encoder, Bridge,Β Premiere Pro, Photoshop, Animate, AEM Screens, and FrameMaker.
Apple users may need to patch as well. On March 31, Apple released a huge security update (more than three gigabytes in size) to fix issues in a range of their products, including at least one zero-day flaw.
And in case you missed it, on March 31, 2025 Apple released a rather large batch of security updates for a wide range of their products, from macOS to the iOS operating systems on iPhones and iPads.
Earlier today, Microsoft included a note saying Windows 10 security updates werenβt available but would be released as soon as possible. It appears from browsing askwoody.com that this snafu has since been rectified. Either way, if you run into complications applying any of these updates please leave a note about it in the comments below, because the chances are good that someone else had the same problem.
As ever, please consider backing up your data and or devices prior to updating, which makes it far less complicated to undo a software update gone awry. For more granular details on todayβs Patch Tuesday, check out the SANS Internet Storm Centerβs roundup. Microsoftβs update guide for April 2025 is here.
For more details on Patch Tuesday, check out the write-ups from Action1 andΒ Automox.
So you suddenly have a lot of staff working remotely. Telework is not new and a good percentage of the workforce already does so. But the companies who have a distributed workforce had time to plan for it, and to plan for it securely.
A Lot of New Teleworkers All At Once
This event canβt be treated like a quick rollout of an application: there are business, infrastructure, and customer security impacts. There will be an increase of work for help desks as new teleworkers wrestle with remote working.
Additionally, donβt compound the problem. There is advice circulating to reset all passwords for remote workers. This opens the door for increased social engineering to attempt to lure overworked help desk staff into doing password resets that donβt comply with policy. Set expectations for staff that policy must be complied with, and to expect some delays while the help desk is overloaded.
Business continuity issues will arise as limited planning for remote workers could max out VPN licenses, firewall capacity, and application timeouts as many people attempt to use the same apps through a narrower network pipe.
Help Staff Make A Secure Home Office
In the best of times, remote workers are often left to their own devices (pun intended) for securing their work at home experience. Home offices are already usually much less secure than corporate offices: weak routers, unmanaged PCs, and multiple users means home offices become an easier attack path into the enterprise.
It doesnβt make sense to have workers operate in a less secure environment in this context. Give them the necessary security tools and operational tools to do their business. Teleworkers, even with a company-issued device, are likely to work on multiple home devices. Make available enterprise licensed storage and sharing tools, so employees donβt have to resort to βsketchyβ or weak options when they exceed the limits for free storage on Dropbox or related services.
A Secure Web Gateway as a service is a useful option considering that teleworkers using a VPN will still likely be split tunneling (i.e. not going through corporate security devices when browsing to non-corporate sites, etc.), unlike when they are in the corporate office and all connections are sanitized. That is especially important in cases where a weak home router gets compromised and any exfiltration or other βphone homeβ traffic from malware needs to be spotted.
A simple way to get this information out to employees is to add remote working security tips to any regularly occurring executive outreach.
Operational Issues
With a large majority of businesses switching to a work-from-home model with less emphasis on in-person meetings, we also anticipate that malicious actors will start to impersonate digital tools, such as βfreeβ remote conferencing services and other cloud computing software.
Having a policy on respecting telework privacy is a good preventative step to minimize the risk of this type of attack being successful. Remote workers may be concerned about their digital privacy when working from home, so any way to inform them about likely attack methods can help.
Any steps to prevent staff trying to evade security measures out of a concern over privacy are likely a good investment.
Crisis Specific Risks
During any major event or crisis, socially engineered attacks and phishing will increase. Human engineering means using any lever to make it a little bit easier for targets to click on a link.
Weβre seeing targeted email attacks taking advantage of this. Some will likely use tactics such as attachments named βattached is your Work At Home Allowance Voucher,β spoofed corporate guidelines, or HR documents.
Sadly, we expect hospitals and local governments will see increased targeting by ransomware due the expectation that payouts are likelier during an emergency.
But Hang On β It Is Not All Bad News
The good news is that none of these attacks areΒ new and we already have playbooks to defend against them. Give a reminder to all staff during this period to be more wary of phishing, but donβt overly depend on user education β back it up with security technology measures. Here are a few ways to do that.
|
|
The post Suddenly Teleworking, Securely appeared first on .
FreshRSS