Microsoft released fixes for 117 flaws in this July’s Patch Tuesday. Of the 117 vulnerabilities, 13 were marked as Critical, 103 Important, and 1 Moderate; nine were zero-day vulnerabilities, four of which were actively exploited before the patch release. The bugs included the usual blend of RCE, DOS, information disclosure, EoP, spoofing, and security bypass vulnerabilities across Microsoft’s suite of products. The volume of the latest patch release exceeds the combined totals from the last two months, and it’s the second time this year that Microsoft has packed more than 100 fixes in one Patch Tuesday batch.
Besides the triple-digit figure, here are other interesting highlights from this month’s Patch Tuesday:
Nine Zero-Day Vulnerabilities Fixed
CVE-2021-34448 — Scripting Engine Memory Corruption Vulnerability
CVE-2021-34448 was listed under active exploit. The flaw could allow an attacker to execute code on a vulnerable system if the user browsed a specially crated website. Since the attacker has to entice a victim into visiting a malicious site, Microsoft regards the exploit as highly complex, giving it a moderate severity score of only CVSSv3 6.8.
CVE-2021-34527 — PrintNightmare
Earlier this month, Microsoft releases an Out-of-Band patch to fix this CVE following multiple proof-of-concept reports from research communities. The flaw could allow remote exploits when printing capabilities were exposed online. On July 1, Microsoft released an advisory in response to public reports about CVE-2021-1675, a similar bug on Windows Print Spooler. Microsoft updated this advisory about a week later to clear up confusion over the two CVEs and released patches for various Windows versions to address CVE-2021-34527 (nicknamed PrintNightmare).
Although there were many reports that the emergency patch was incomplete and ineffective, Microsoft insisted that it worked fine, but only if registry keys had the right values. Some system admins went as far as disabling Windows Print Spooler service on non-printing workstations and all servers. Hopefully, the new patch does the trick, but it’s still wise to err on the side of caution with this one.
Two more zero-day Windows Kernel EoP Vulnerabilities, CVE-2021-31979 and CVE-2021-33771, were also actively exploited but not publicly disclosed before this patch rollout. Another five zero-day vulnerabilities were publicly disclosed:
- CVE-2021-33781 — AD Security Feature Bypass Vulnerability
- CVE-2021-34473 — Microsoft Exchange Server RCE Vulnerability
- CVE-2021-33779 — Windows ADFS flaw
- CVE-2021-34492 — Windows Certificate Spoofing bug
- CVE-2021-34523 — Microsoft Exchange Server EoP Vulnerability
Other Notable Vulnerabilities Patched Today
CVE-2021-34458 — Windows Kernel RCE Vulnerability
This rare RCE bug affects host virtual machines (VMs) running the single-root input/output virtualization (SR-IOV) configuration. The SR-IOV configuration adds more virtualization definitions to a hosted PCI bus, enabling multiple VMs to share common PCI hardware. CVE-2021-34458 scores a Critical 9.9 CVSSv3 rating.
5 Windows DNS Server RCE Vulnerabilities
CVE-2021-33746 and CVE-2021-33754 have a CVSSv3 score of 8.0, while CVE-2021-33780, CVE-2021-34494, and CVE-2021-34525 score an 8.8 CVSSv3. A hacker would require a low-privilege account to send crafted DNS requests to a vulnerable DNS server to exploit these flaws.
Microsoft Defender RCE Vulnerabilities
CVE-2021-34464 and CVE-2021-34522 are remote code execution vulnerabilities in Microsoft Defender’s Malware Protection Engine. They both score 7.8 on the CVSSv3 severity scale, but Microsoft says exploits based on these two vulnerabilities are less likely. However, any bugs affecting Windows Defender are worth noting and patching.
CVE-2021-34450 – Windows Hyper-V Remote Code Execution Vulnerability
This vulnerability could allow a guest-authenticated attacker to send arbitrary code execution requests to the host machine in a VM environment. But despite the Critical 8.5 CVSSv3, Microsoft says the exploit is “less likely.”
Microsoft Exchange Server EoP Trio
In addition to CVE-2021-34523, CVE-2021-33768 and CVE-2021-34470 are two more elevation of privilege vulnerabilities in the Microsoft Exchange Server. According to Microsoft’s CVE exploitability assessment, all three vulnerabilities are less likely to be exploited in active attacks. An attacker would first have to establish a presence on a vulnerable server before elevating their privilege. Microsoft already patched similar bugs in Windows Exchange Server earlier this year in April.
Microsoft thanked security researchers from Fortinet’s FortiGuard Lab, Google Security, ZDI, and Checkmarx, among other organizations and contributors, for helping to identify many of the now patched bugs in Windows systems.
Read the complete guide to this month’s Patch Tuesday updates in Microsoft’s release notes. And as usual, after every Patch Tuesday, make sure you check and install all the relevant updates on your Windows machines. Until the next updates and patches, stay safe.
Never Miss Updates with Action1 Cloud Patch Management Solutions
New patches and features updates present opportunities to improve your IT performance and safeguard your digital assets against internal and external threats. It’s up to you to ensure that these patches are installed correctly and promptly to avoid compromising your IT security posture and efficiency.
With the Action1 cloud-based patch management solution, you never have to worry about patches or other updates on your Windows systems. Action1 enables automated patching on Windows OS and features while allowing real-time control and visibility into the updates already installed and those that are missing. Our patch manager reinforces your endpoint security by automatically scanning and deploying all the necessary Windows updates as soon as they’re released.
Sign up for Action1 free trial today and sample the freedom, peace of mind, convenience, and reassurance of protecting your software infrastructure using the most robust and dependable automated patch management solution.