Dark Reading is part of the Informa Tech Division of Informa PLC



05:15 PM

Microsoft Fixes Windows Zero-Day in Patch Tuesday Rollout

Microsoft's monthly security fixes addressed a Win32k zero-day, six publicly known flaws, and three bugs in the Windows TCP/IP stack.

Microsoft today patched a Windows zero-day vulnerability as part of its monthly Patch Tuesday rollout, which fixed a relatively low number of Common Vulnerabilities and Exposures (CVEs) but an unusually high number of bugs whose details were already public.


The 56 vulnerabilities patched today exist in Microsoft Windows, .NET framework, Windows Defender, Azure IoT, Azure Kubernetes Service, Exchange Server, Skype for Business and Lync, Office and Office Services and Web Apps, and Microsoft Edge for Android. Eleven of these flaws are classified as critical in severity, 43 are important, and two are moderate. 

Under active attack is CVE-2021-1732, an important-rated local privilege escalation flaw in the Windows Win32k kernel driver. An attacker who is already logged on to the machine can use it to run code with elevated privileges. Microsoft's CVSS assessment (base score 7.8) rates it local attack vector, low attack complexity, low privileges required, and no user interaction, with high impact to confidentiality, integrity, and availability. The "important" label therefore understates the practical risk: the bug is easy to trigger once an attacker has any foothold, and it is already being used.

"The exploitation of this vulnerability would allow an attacker to execute code in the context of the kernel and gain system privileges, essentially giving the attacker free rein to do whatever they wanted with the compromised machine," says Chris Hass, director of information security and research at Automox.

Microsoft did not share details of how this flaw has been exploited in the wild. It credits three researchers with DBAPPSecurity, a Chinese security company, with finding the vulnerability.

CVE-2021-1732 is "a prime example" of why organizations should prioritize patching based on risk and not necessarily by Microsoft's severity rating, says Chris Goettl, senior director of product management and security at Ivanti.

"If you base your prioritization off of vendor severity and focus on critical, you could have missed this vulnerability in your prioritization," Goettl explains. "This vulnerability should put Windows 10 and Server 2016 and later editions into your priority bucket for remediation this month." 

The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) published an alert to spread awareness of the patch and is urging users and administrators to apply the fix to Windows 10 and Windows Server 2019 systems.

In addition to the zero-day, Microsoft issued fixes for an unusually high number of publicly known vulnerabilities. Details of six flaws were shared online before patches were available: CVE-2021-26701 and CVE-2021-1721 in .NET Core and Visual Studio, CVE-2021-1733 in Sysinternals PsExec, CVE-2021-24098 in the Windows Console Driver, CVE-2021-24106 in Windows DirectX, and CVE-2021-1727 in Windows Installer.

So far there is no indication these vulnerabilities have been exploited, despite the details shared ahead of patches being released.

Warning for Windows TCP/IP Stack Vulnerabilities
Microsoft published a blog post to warn of three vulnerabilities in the Windows TCP/IP stack, all of which are patched today: two critical remote code execution (RCE) vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and one important denial-of-service (DoS) flaw (CVE-2021-24086).

"The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they are not likely in the short term," the Microsoft Security Response Center wrote. "We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release."

Experts elaborate on how the two RCE flaws differ. CVE-2021-24074 exists in IPv4 source routing, which should be disabled by default, Dustin Childs of Trend Micro's Zero-Day Initiative said in a blog post.

"You can also block source routing at firewalls or other perimeter devices," he wrote.

CVE-2021-24094 affects IPv6 and would require an attacker to already have a foothold in the network, explains Kevin Breen, director of cyber threat research at Immersive Labs. However, it could ultimately give an attacker a high level of access on domain controllers, for example.

"This vulnerability would be most dangerous to those who operate a flat network," Breen says. "Segmentation will help with mitigation."

Users are urged to patch the vulnerabilities as soon as possible. If patching quickly is not practical, Microsoft details workarounds in the CVE advisories that do not require restarting the server.
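To make the workaround route concrete, here is an added PowerShell script (not from the article, Microsoft, or any of the quoted vendors) that audits a Windows host for the two no-reboot mitigations Microsoft published for the TCP/IP bugs and, with -Apply, sets them. The netsh commands are the ones Microsoft listed in the advisories for CVE-2021-24074 (set IPv4 source routing behavior to "drop") and CVE-2021-24094 / CVE-2021-24086 (set the IPv6 reassembly limit to 0); the field labels the script matches in the output of "netsh interface ipv4/ipv6 show global" are an assumption taken from typical output and may need adjusting for localized builds.

```powershell
# Added example (not the article's or Microsoft's code). Audit, and optionally
# apply, Microsoft's no-reboot workarounds for the February 2021 TCP/IP bugs.
# Run from an elevated PowerShell session. Without -Apply it only reports.
# Assumption: 'netsh interface <family> show global' prints one "Label : value"
# line per setting with the labels used below.
[CmdletBinding()]
param(
    [switch]$Apply
)

# Read one global TCP/IP setting by parsing netsh output.
function Get-NetshGlobalValue {
    param(
        [ValidateSet('ipv4', 'ipv6')][string]$Family,
        [string]$Label
    )
    $pattern = "^\s*$([regex]::Escape($Label))\s*:\s*(\S+)"
    foreach ($line in (& netsh.exe interface $Family show global 2>&1)) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null
}

$checks = @(
    @{
        Cve    = 'CVE-2021-24074'
        Family = 'ipv4'
        Label  = 'Source Routing Behavior'
        Safe   = 'drop'          # default is 'dontforward'; the workaround is 'drop'
        Fix    = 'interface ipv4 set global sourceroutingbehavior=drop'
    },
    @{
        Cve    = 'CVE-2021-24094/24086'
        Family = 'ipv6'
        Label  = 'Reassembly Limit'
        Safe   = '0'             # 0 disables IPv6 fragment reassembly entirely
        Fix    = 'interface ipv6 set global reassemblylimit=0'
    }
)

$allSafe = $true
foreach ($c in $checks) {
    $current = Get-NetshGlobalValue -Family $c.Family -Label $c.Label
    if ($null -eq $current) {
        Write-Warning "$($c.Cve): could not read '$($c.Label)' from netsh output"
        $allSafe = $false
        continue
    }
    $ok = ($current -eq $c.Safe)
    '{0,-22} {1,-24} current={2,-12} workaround-applied={3}' -f `
        $c.Cve, $c.Label, $current, $ok | Write-Host
    if ($ok) { continue }
    $allSafe = $false
    if ($Apply) {
        Write-Host "  applying: netsh $($c.Fix)"
        # Pass the arguments as an array so netsh sees them as separate tokens.
        & netsh.exe $c.Fix.Split(' ')
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "  netsh exited with code $LASTEXITCODE"
        }
    }
}

# Non-zero exit lets a fleet tool (or the Ivanti/Automox style workflows
# quoted above) flag hosts that still lack both the patch and the workaround.
if (-not $allSafe) { exit 1 }
```

Two caveats a practitioner would add: setting reassemblylimit=0 discards every fragmented IPv6 packet, so test it against anything that legitimately fragments (IPsec, some tunnels, large DNS answers) before pushing it fleet-wide; and the workarounds are interim, not a substitute for the update. Microsoft's advisories also give the commands that restore the default values once the patch is installed.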

Despite the workaround guidance, Hass emphasizes the importance of patching.

"Because these affect the network stack, require zero interaction from a user, and [can] be exploited by sending malicious network traffic to a device, it's only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyberattacks," he says.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
