Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

End of Bibblio RCM includes -->
05:42 PM
Connect Directly

Microsoft Patches 6 Zero-Days Under Active Attack

The June 2021 Patch Tuesday fixes 50 vulnerabilities, six of which are under attack and three of which were publicly known at the time of disclosure.

Microsoft today deployed patches for 50 vulnerabilities, including six zero-days under active attack, the company reports.

Related Content:

Microsoft CISO Shares Remote Work Obstacles & Lessons Learned

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

Fifty is a relatively small number for Microsoft's monthly security releases – most of its 2020 rollouts exceeded 100 – but this Patch Tuesday packs a punch. The CVEs that were addressed affect Microsoft Windows, Office, Edge browser, SharePoint Server, .NET Core and Visual Studio, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

The six flaws being exploited in the wild include one remote code execution bug, an information disclosure vulnerability, and four elevation-of-privilege flaws. One of these is classified as Critical; the other five are categorized Important. Two zero-days were publicly known at the time of disclosure; one vulnerability patched today is publicly known but not under attack.

Critical zero-day CVE-2021-33742, a remote code execution bug in the Windows MSHTML platform, has a CVSS score of 7.5 and was publicly known at the time it was patched. Attackers could successfully exploit this and execute code on a target system if they can convince a victim to view specially crafted Web content. Microsoft notes an attack requires some user interaction, though an attacker does not require access to files or settings in order to succeed.

"Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer," writes Dustin Childs of the Zero-Day Initiative in a blog post. "It's not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list."

Microsoft credits Clément Lecigne of Google's Threat Analysis Group for discovering the flaw.

CVE-2021-33739, another publicly known zero-day, is considered Important with a CVSS score of 8.4. This is an elevation-of-privilege vulnerability in Microsoft's DWM Core Library that requires low attack complexity, no privileges, and no user interaction to successfully exploit.

"The attacker would most likely arrange to run an executable or script on the local computer," Microsoft writes in the disclosure. There are many ways they could do this, it says; for example, a phishing attack in which the victim clicks an executable file attached to an email. Microsoft credits Jinquan (@jq0904) with DBAPPSecurity Lieying Lab with discovering the vulnerability.

Two of the zero-days patched today, CVE-2021-31955 and CVE-2021-31956, were found by Boris Larin (oct0xor) of Kaspersky Lab and used as part of an exploit chain, along with a Chrome zero-day, in active attacks observed on April 14–15 that researchers say were "highly targeted."

CVE-2021-31955 is an information disclosure vulnerability in the Windows kernel with a CVSS score of 5.5. Exploitation of this would review low complexity, low privileges, and no user interaction, Microsoft reports. If successful, an attacker could access the contents of kernel memory from a user mode process.

The other flaw used in this chain, CVE-2021-31956, is an elevation of privilege vulnerability in Windows NTFS with a CVSS score of 7.8. Similarly, this also requires low complexity, low privileges, and no user interaction to exploit.

There are a couple of paths an attacker might take with this one, Microsoft says: They could first log on to the target system; from there, they could run a specially crafted application to exploit the flaw and take control. Alternatively, they could use an email or instant message to convince a local user to open a malicious file.

CVE-2021-31199 and CVE-2021-31201, the final two zero-days exploited this month, are elevation of privilege vulnerabilities in the Microsoft Enhanced Cryptographic Provider. Both have a CVSS score of 5.2 and are classified as Important, with low attack complexity, low privileges, and no user interaction required for an exploit. Both vulnerabilities are related to Adobe CVE-2021-28550, a zero-day affecting Windows and macOS patched last month.

"It's common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits," Childs writes, though he notes it's "a bit unusual" to see a gap between patches for different parts of an active attack.

CVE-2021-31968, a denial-of-service (DoS) vulnerability in Windows Remote Desktop Services, is publicly known but not seen exploited in the wild. This is one of five DoS bugs patched this month; others, which were not previously known, exist in Microsoft Defender, .NET Core and Visual Studio, Server for NFS, and Windows Hyper-V.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file