In its April slate of patches, Microsoft rolled out fixes for a total of 114 security flaws, including an actively exploited zero-day and four remote code execution bugs in Exchange Server.
Of the 114 flaws, 19 are rated Critical, 88 are rated Important, and one is rated Moderate in severity.
Chief among them is CVE-2021-28310, a privilege escalation vulnerability in Win32k that’s said to be under active exploitation, allowing attackers to elevate privileges by running malicious code on a target system.
Cybersecurity firm Kaspersky, which discovered and reported the flaw to Microsoft in February, linked the zero-day exploit to a threat actor named Bitter APT, which was found exploiting a similar flaw (CVE-2021-1732) in attacks late last year.
“It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,” Kaspersky researcher Boris Larin said.