Keeping with its Patch Tuesday tradition, Microsoft has just released 50 security patches for a host of software products and services, including .NET Core and Visual Studio, Microsoft Office, Windows Defender, Windows Codecs Library, 3D Viewer, and Windows HTML Platform. Today’s release included patches for RCE, Elevation of Privilege, DoS, Spoofing, Information Disclosure, and Security Feature Bypass vulnerabilities.
In terms of severity, 45 of the 50 CVEs were marked “Important” and five “Critical.” Among these were seven zero-day vulnerabilities, six of which had already been exploited in the wild. Eight of the security flaws fixed today were reported by the Zero-Day Initiative (ZDI). Additionally, Microsoft acknowledged reports from Google Project Zero, Google’s Threat Analysis Group, Check Point Research, Kaspersky, and FireEye, among other contributors.
Here’s an overview of the seven zero-day vulnerabilities and other noteworthy flaws fixed in June’s patch rollout:
This is an RCE vulnerability discovered in Windows Remote MSHTML Platform — a component of Internet Explorer used to fetch and display content from web pages. It scores a 7.5 CVSSv3 and is marked as Critical. The vulnerability was discovered and reported by Clément Lecigne of Google’s Threat Analysis Group (TAG). An active exploit requires user interaction; the attacker has to entice a victim to visit a malicious website or open a crafted file using a flawed application. That’s all we know for now, but TAG plans to share more details about this exploit in the future.
CVE-2021-31955 is an Information Disclosure Vulnerability affecting file ntoskrnl.exe in Windows Kernel. CVE-2021-31956 is a critical Windows NTFS Elevation of Privilege flaw. Both bugs were first discovered and reported by security researchers at Kaspersky Labs. They were exploited together with an unidentified Google Chrome zero-day vulnerability in a chain of highly targeted attacks by a group of hackers known only as PuzzleMaker. CVE-2021-31955 and CVE-2021-31956 affect all supported versions of Windows and could allow attackers to elevate their privileges and take over control of an affected system.
These are two important Microsoft Enhanced Cryptographic Provider Elevation of Privilege CVEs associated with an Adobe Reader RCE bug addressed last month. Through these flaws, attackers could target Adobe Reader users on Windows through downloadable PDF vectors and use them to run various applications on the affected system.
This Microsoft EoP Vulnerability affects the core library file dwmcore.dll in the Desktop Window Manager. The discovery of this CVE is credited to researchers at DBAPPSecurity Threat Intelligence Center. Earlier in February, the same researchers discovered and reported a similar EoP vulnerability in Win32K linked to a threat actor identified as BITTER APT. Although it’s not yet confirmed, BITTER APT might be responsible for this zero-day exploit as well.
The seventh zero-day vulnerability fixed today is CVE-2021-31968— a Windows Remote Desktop Services Denial of Service Vulnerability. The flaw was publicly disclosed but not reported in any active exploits, at least not yet.
Other Critical and Important CVEs
CVE-2021-31963— Microsoft SharePoint Server RCE Vulnerability: Although it has a “Critical” severity rating, Microsoft says the flaw is less likely to be exploited.
CVE-2021-31959—Critical RCE Flaw: This is a scripting engine memory corruption flaw affecting Windows versions: 7,8,10, Server 2008/2012 R2, and Server 2016. To exploit the vulnerability, an attacker must engage the user and get them to open a malicious file.
CVE-2021-31985— Microsoft Defender’s critical RCE Vulnerability: Microsoft rates this at a 7.8 CVSSv3 score and warns that an attack is more likely to happen.
CVE-2021-31983, CVE-2021-31946, CVE-2021-31945 Multiple Vulnerabilities in Paint 3D: All three score a 7.8 CVSSv3 but are marked as “Exploit Less Likely.” The trio required user interaction during an exploit and were all interestingly discovered by several researchers at around the same time.
In addition to the 50 security patches, Microsoft also released Windows 10 KB5003637 & KB5003635 cumulative updates today.
We recommend installing these updates and patches as soon as possible and scanning your Windows environment for outdated or unpatched systems, especially those marked “Critical” and “Exploit More Likely.” Please stay tuned for next month’s Patch Tuesday and more news and updates from Microsoft.