Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

6/8/2021
05:42 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Microsoft Patches 6 Zero-Days Under Active Attack

The June 2021 Patch Tuesday fixes 50 vulnerabilities, six of which are under attack and three of which were publicly known at the time of disclosure.

Microsoft today deployed patches for 50 vulnerabilities, including six zero-days under active attack, the company reports.

Related Content:

Microsoft CISO Shares Remote Work Obstacles & Lessons Learned

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

Fifty is a relatively small number for Microsoft's monthly security releases – most of its 2020 rollouts exceeded 100 – but this Patch Tuesday packs a punch. The CVEs that were addressed affect Microsoft Windows, Office, Edge browser, SharePoint Server, .NET Core and Visual Studio, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

The six flaws being exploited in the wild include one remote code execution bug, an information disclosure vulnerability, and four elevation-of-privilege flaws. One of these is classified as Critical; the other five are categorized Important. Two zero-days were publicly known at the time of disclosure; one vulnerability patched today is publicly known but not under attack.

Critical zero-day CVE-2021-33742, a remote code execution bug in the Windows MSHTML platform, has a CVSS score of 7.5 and was publicly known at the time it was patched. Attackers could successfully exploit this and execute code on a target system if they can convince a victim to view specially crafted Web content. Microsoft notes an attack requires some user interaction, though an attacker does not require access to files or settings in order to succeed.

"Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer," writes Dustin Childs of the Zero-Day Initiative in a blog post. "It's not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list."

Microsoft credits Clément Lecigne of Google's Threat Analysis Group for discovering the flaw.

CVE-2021-33739, another publicly known zero-day, is considered Important with a CVSS score of 8.4. This is an elevation-of-privilege vulnerability in Microsoft's DWM Core Library that requires low attack complexity, no privileges, and no user interaction to successfully exploit.

"The attacker would most likely arrange to run an executable or script on the local computer," Microsoft writes in the disclosure. There are many ways they could do this, it says; for example, a phishing attack in which the victim clicks an executable file attached to an email. Microsoft credits Jinquan (@jq0904) with DBAPPSecurity Lieying Lab with discovering the vulnerability.

Two of the zero-days patched today, CVE-2021-31955 and CVE-2021-31956, were found by Boris Larin (oct0xor) of Kaspersky Lab and used as part of an exploit chain, along with a Chrome zero-day, in active attacks observed on April 14–15 that researchers say were "highly targeted."

CVE-2021-31955 is an information disclosure vulnerability in the Windows kernel with a CVSS score of 5.5. Exploitation of this would review low complexity, low privileges, and no user interaction, Microsoft reports. If successful, an attacker could access the contents of kernel memory from a user mode process.

The other flaw used in this chain, CVE-2021-31956, is an elevation of privilege vulnerability in Windows NTFS with a CVSS score of 7.8. Similarly, this also requires low complexity, low privileges, and no user interaction to exploit.

There are a couple of paths an attacker might take with this one, Microsoft says: They could first log on to the target system; from there, they could run a specially crafted application to exploit the flaw and take control. Alternatively, they could use an email or instant message to convince a local user to open a malicious file.

CVE-2021-31199 and CVE-2021-31201, the final two zero-days exploited this month, are elevation of privilege vulnerabilities in the Microsoft Enhanced Cryptographic Provider. Both have a CVSS score of 5.2 and are classified as Important, with low attack complexity, low privileges, and no user interaction required for an exploit. Both vulnerabilities are related to Adobe CVE-2021-28550, a zero-day affecting Windows and macOS patched last month.

"It's common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits," Childs writes, though he notes it's "a bit unusual" to see a gap between patches for different parts of an active attack.

CVE-2021-31968, a denial-of-service (DoS) vulnerability in Windows Remote Desktop Services, is publicly known but not seen exploited in the wild. This is one of five DoS bugs patched this month; others, which were not previously known, exist in Microsoft Defender, .NET Core and Visual Studio, Server for NFS, and Windows Hyper-V.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27491
PUBLISHED: 2021-07-30
Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,The Ypsomed mylife Cloud discloses password hashes during the registration process.
CVE-2021-27495
PUBLISHED: 2021-07-30
Ypsomed mylife Cloud, mylife Mobile Application:Ypsomed mylife Cloud,All versions prior to 1.7.2,Ypsomed mylife App,All versions prior to 1.7.5,he Ypsomed mylife Cloud reflects the user password during the login process after redirecting the user from a HTTPS endpoint to a HTTP endpoint.
CVE-2021-32807
PUBLISHED: 2021-07-30
The module `AccessControl` defines security policies for Python code used in restricted code within Zope applications. Restricted code is any code that resides in Zope's object database, such as the contents of `Script (Python)` objects. The policies defined in `AccessControl` severely restrict acce...
CVE-2021-22521
PUBLISHED: 2021-07-30
A privileged escalation vulnerability has been identified in Micro Focus ZENworks Configuration Management, affecting version 2020 Update 1 and all prior versions. The vulnerability could be exploited to gain unauthorized system privileges.
CVE-2021-34629
PUBLISHED: 2021-07-30
The SendGrid WordPress plugin is vulnerable to authorization bypass via the get_ajax_statistics function found in the ~/lib/class-sendgrid-statistics.php file which allows authenticated users to export statistic for a WordPress multi-site main site, in versions up to and including 1.11.8.