Three Zero-Day Vulnerabilities
Among the three zero-day vulnerabilities, only CVE-2021-36948 was reported to have been exploited in the wild, although Microsoft does not explain how. The other two, CVE-2021-36942 and CVE-2021-36936, were publicly disclosed but not actively exploited.
CVE-2021-36948 — Windows Update Medic Service EPV
This vulnerability affects WaaSMedicSVC.exe, a Windows 10 feature that repairs damaged components in the Windows Update processes, paving the way for future updates. The flaw was reported internally by the Microsoft Threat Intelligent Center and Microsoft Security Response Center, hence the secrecy around its exploit in the wild. Microsoft labeled the CVE Important with a 7.8 CVSSv3 score.
CVE-2021-36942 — Windows LSA Spoofing Vulnerability
CVE-2021-36942 could allow an attacker using New Technology Lan Manager (NTLM) to get a domain controller to authenticate with another server. Last month, Microsoft sent out an advisory relating to the LSA spoofing vulnerability, urging users to protect Windows domain controllers against NTLM Relay Attacks on Active Directory Certificate Services (AD CS), otherwise known as the PetitPotam attacks.
The PetitPotam code could allow an attacker to send requests to a remote system via MS-EFSRPC functions to coerce the victim computer into triggering authentication procedures and sharing authentication information. A French security researcher discovered the issue in July and published its proof-of-concept on GitHub.
CVE-2021-36942 has a 7.5 CVSSv3 score, which goes up to 9.8 when combined with an NTLM Relay Attack. Microsoft recommends prioritizing this patch and taking further action to mitigate the risk.
CVE-2021-36936 — Windows Print Spooler Remote Code Execution Vulnerability
This is yet another publicly disclosed security bug on Windows Print Spooler. CVE-2021-36936 is a separate flaw from the EoP revealed last month and the PrintNightmare RCE Microsoft partially fixed in the last Patch Tuesday. Another Print Spooler RCE vulnerability, CVE-2021-36947, was also included in this month’s Patch Tuesday issues. But CVE-2021-36947 was not publicly disclosed or exploited before the patch release. Both CVEs score an 8.2 CVSSv3 and are rated “Exploitation More Likely.”
Other Notable Patches and Vulnerabilities
The zero-day trio stole the spotlight in this month’s Microsoft Windows Patch Tuesday. But even so, there are still other critical vulnerabilities at a high risk of exploitation, including:
- CVE-2021-34480 — Scripting Engine memory corruption vulnerability: Through this flaw, an attacker could potentially write code to memory outside the context of the script engine.
- CVE-2021-34535 — Remote Desktop Client RCE: Although the flaw is probably not workable, it has an 8.8 severity score and is more likely to be exploited.
- CVE-2021-26424 — Windows TCP/IP RCE Vulnerability: This has a 9.9 CVSSv3 score, and an exploit is more likely. In February, Microsoft patched two equally severe CVEs, CVE-2021-24074 and CVE-2021-24094, but provides no exploitation context on CVE-2021-26424.
Read Microsoft’s Patch Tuesday release notes to get more information about this month’s windows security patch Tuesday, including updating guidance and a complete list of the patches released today.
In addition to Microsoft security updates, this Patch Tuesday also saw Windows 10 KB5005033 & KB5005031 cumulative updates. The Windows 10 update includes this Patch Tuesday’s security fixes and other important improvements. Learn more about these here.
Make sure to patch every vulnerable Windows system as soon as possible. And keep in mind that some fixes may require additional system reconfiguration and workarounds to be effective. The next patch Tuesday falls on September 14. Until then, stay tuned for more Microsoft Patch Tuesday news.
Solve All You Microsoft Patch Tuesday Problems with Action1
Microsoft rolls out dozens of patches on the second Tuesday of every month. And there might even be a couple of out-of-band patch releases in between subsequent Patch Tuesdays. Keeping up with these patches and applying them correctly to multiple systems is tedious, time-consuming work.
But there is an easier and faster way to manage Windows patches and updates — with Automated Patch Management. Action1 automatically tracks and installs Windows patches across multiple local and remote endpoints as soon as new updates become available. Try Action1 RMM for free and sample this extraordinary patching freedom and simplicity.