Microsoft Alerts of Critical PowerShell 7 Code Execution Vulnerability

 

Microsoft is alerting customers to upgrade their installations of PowerShell 7 as soon as possible to protect themselves against a.NET remote code execution (RCE) vulnerability. 

PowerShell is a configuration management system that features a command-line shell as well as a task automation scripting language. It runs on.NET, which makes use of a text encoding package that was recently fixed against an RCE flaw. It works with structured data such as JSON, CSV, and XML, and REST APIs and object models, and it operates on all major platforms, including Windows, Linux, and macOS. 

The.NET vulnerability was recognized as a major vulnerability with a score of 9.8 and was patched in April. 

According to the firm, there are no mitigation steps available to prevent the exploitation of the security issue identified as CVE-2021-26701. Customers are encouraged to update to PowerShell 7.0.6 and 7.1.3 as soon as possible in order to safeguard their systems from potential threats. 

In addition, Microsoft's initial advisory instructs developers on how to update their programs to eliminate the risk. 

Microsoft explained in April when the security flaw was patched, "The vulnerable package is System.Text.Encodings.Web. Upgrading your package and redeploying your app should be sufficient to address this vulnerability." 

Any.NET 5,.NET Core, or.NET Framework based application that uses a System. Text.Encodings. The version of the web package indicated below is vulnerable to attacks:
1.System.Text.Encodings.Web: Vulnerable Versions 4.0.0 - 4.5.0 ; Secure Version 4.5.1

2.System.Text.Encodings.Web: Vulnerable Versions 4.6.0-4.7.1; Secure Version 4.7.2

3.System.Text.Encodings.Web: Vulnerable Versions 5.0.0; Secure Version 5.0.1 

According to Microsoft's security alert, Visual Studio consists of the binaries for .NET but it is not vulnerable to this flaw. The update includes the.NET files, ensuring that apps built with Visual Studio that use.NET capabilities are safe from this security flaw. 

"If you have questions, ask them in GitHub, where the Microsoft development team and the community of experts are closely monitoring for new issues and will provide answers as soon as possible," Microsoft added. 

Microsoft has recently mentioned that future PowerShell upgrades will be released through the Microsoft Update service, making it easier to keep PowerShell up to date on Windows 10 and Windows Server.