Microsoft Patches 3 Windows Zero-Days Amid 117 CVEs

The July Patch Tuesday release also includes the out-of-band fix for the Windows Print Spooler remote code execution flaw under attack.

Microsoft today issued patches for 117 CVEs, four of which it reports are under active attack and six of which were publicly known at the time the fixes were released.


The products and services affected include Microsoft Windows, Exchange Server, Microsoft Office, Dynamics, SharePoint Server, Internet Explorer, Bing, Visual Studio, OpenEnclave, and Windows Storage Spaces Controller. Thirteen are classified as Critical, 103 are Important, and one is ranked Moderate in severity.

This month's Patch Tuesday is larger than those of previous months (May and June brought 55 and 50 patches, respectively) and reminiscent of the larger rollouts Microsoft had throughout 2020. Last year's monthly patch count topped 100 for most of the year; this year's releases have been smaller.

July's rollout is not only larger, but it has several CVEs that merit a closer look. One of these, CVE-2021-34527, is a remote code execution vulnerability in the Windows Print Spooler service that Microsoft disclosed on July 1 and addressed with an out-of-band patch ahead of this month's release. Dubbed "PrintNightmare," the flaw is similar to, but distinct from, another critical bug (CVE-2021-1675) that Microsoft patched on June 8.

A successful attacker could exploit PrintNightmare to gain SYSTEM-level access on vulnerable hosts, which include domain controllers and Active Directory admin servers. From there, attackers could run malicious code; download malware; create new user accounts; or view, change, and delete data. Microsoft has provided workarounds for the vulnerability, advising organizations to either disable the Print Spooler service outright or disable inbound remote printing through Group Policy. The first option stops all printing from the affected host, so it is most practical on servers that never need to print, such as domain controllers; the second leaves local printing working but blocks the remote entry point.

PrintNightmare has already generated a wealth of attention: The Cybersecurity and Infrastructure Security Agency (CISA), the CERT Coordination Center (CERT/CC), and others have advised urgent action against it.

On July 13, CISA, part of the Department of Homeland Security, issued Emergency Directive 21-04, mandating that all Federal Civilian Executive Branch agencies stop and disable the Print Spooler service on all Microsoft Active Directory domain controllers by 11:59 p.m. on Wednesday, July 14. By 11:59 p.m. on Tuesday, July 20, they must apply the July 2021 cumulative updates to all Windows servers and workstations. The directive also includes additional hardening guidance for other hosts running Microsoft Windows.
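The following PowerShell script is an added example, not code from the article, Microsoft, or CISA. It audits a single host against the two Microsoft workarounds described above (Spooler disabled, or inbound remote printing disabled by policy) and, with the script's own -Remediate switch, applies the "stop and disable the Spooler" action that ED 21-04 requires on domain controllers. It also checks the Point and Print registry values that Microsoft's CVE-2021-34527 guidance says must be 0 or absent for the July update to be effective. The registry paths are the ones Microsoft documents; the domain-controller check relies on Win32_OperatingSystem.ProductType, and the switch name and output format are this example's assumptions.

```powershell
<#
  Added example (not from the article, Microsoft, or CISA).
  Audits PrintNightmare (CVE-2021-34527) mitigations on this host and, with -Remediate,
  stops and disables the Print Spooler as ED 21-04 mandates for domain controllers.
  Run from an elevated PowerShell prompt on the host being checked.
  Assumptions: registry paths follow Microsoft's CVE-2021-34527 guidance;
  ProductType 2 in Win32_OperatingSystem identifies a domain controller.
#>
param(
    [switch]$Remediate   # report only unless this switch is given (example's own switch)
)

$findings = New-Object System.Collections.Generic.List[string]

# --- 1. Host role and Print Spooler service state ---------------------------
$os      = Get-CimInstance -ClassName Win32_OperatingSystem
$isDC    = ($os.ProductType -eq 2)
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue

if ($null -eq $spooler) {
    $findings.Add('Spooler service not present on this host')
} elseif ($spooler.Status -eq 'Running' -or $spooler.StartType -ne 'Disabled') {
    $findings.Add("Spooler is $($spooler.Status), start type $($spooler.StartType)")
    if ($isDC) {
        $findings.Add('Host is a domain controller: ED 21-04 requires Spooler stopped and disabled')
    }
}

# --- 2. Group Policy "Allow Print Spooler to accept client connections" -----
# Setting that policy to Disabled writes RegisterSpoolerRemoteRpcEndPoint = 2.
# Any other value (or no value) means inbound remote printing is still allowed.
$printersPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$rpc = (Get-ItemProperty -Path $printersPolicy -Name RegisterSpoolerRemoteRpcEndPoint `
        -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint
if ($rpc -ne 2) {
    $findings.Add("Inbound remote printing not disabled by policy (RegisterSpoolerRemoteRpcEndPoint = $rpc)")
}

# --- 3. Point and Print values that undermine the July update ---------------
# Microsoft's guidance: NoWarningNoElevationOnInstall and UpdatePromptSettings
# must be 0 or not defined, and RestrictDriverInstallationToAdministrators
# should be 1 so non-admins cannot install printer drivers.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = (Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue).$name
    if ($null -ne $v -and $v -ne 0) {
        $findings.Add("$name = $v leaves the update ineffective; set it to 0 or remove it")
    }
}
$restrict = (Get-ItemProperty -Path $pnp -Name RestrictDriverInstallationToAdministrators `
             -ErrorAction SilentlyContinue).RestrictDriverInstallationToAdministrators
if ($restrict -eq 0) {
    $findings.Add('RestrictDriverInstallationToAdministrators = 0 lets non-admins install printer drivers')
}

# --- 4. Optional remediation: the "disable the service" workaround ----------
# Caveat: this stops all printing from this host. Patch first where you can;
# the workaround is for hosts (especially DCs) that cannot take the update yet.
if ($Remediate -and $null -ne $spooler -and $spooler.Status -eq 'Running') {
    Stop-Service -Name Spooler -Force
    Set-Service  -Name Spooler -StartupType Disabled
    $findings.Add('Remediated: Spooler stopped and start type set to Disabled')
}

# --- 5. Report --------------------------------------------------------------
if ($findings.Count -eq 0) {
    Write-Output "${env:COMPUTERNAME}: no PrintNightmare exposure found by this audit"
} else {
    $findings | ForEach-Object { Write-Output "${env:COMPUTERNAME}: $_" }
}
```

Run it without arguments first to see what it reports; on a domain controller that has not yet been patched, the expected remediation is to run it again with -Remediate, which applies the directive's "stop and disable" action. Nothing in the script installs the update itself; that still has to come through the July cumulative update.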

Another flaw under attack is CVE-2021-34448, a critical memory corruption vulnerability in the Windows Scripting Engine. Microsoft notes the attack complexity is high but does not provide detail on how widespread the active attacks are. An attacker could execute code on a target system by getting a victim to visit a specially crafted website, which is why Kevin Breen, director of research at Immersive Labs, considers it the most serious vulnerability in the release.

"With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter," he says.

Two Windows kernel privilege escalation vulnerabilities (CVE-2021-31979 and CVE-2021-33771) are under active attack. Both are classified as Important and have a CVSS score of 7.8. They require low attack complexity, low privileges, and no user interaction to successfully exploit.

"These are exactly the type of vulnerabilities in the ransomware attack toolkit, allowing threat actors to boost their user level from user to admin, for greater control over the environment," Breen adds. "Admins should keep an eye on existing and new accounts for suspicious activity."

In addition to the vulnerabilities under active attack, there are several that are publicly known and should be prioritized. These include critical Microsoft Exchange Server RCE vulnerability CVE-2021-34473, Active Directory security feature bypass vulnerability CVE-2021-33781, Exchange Server elevation of privilege flaw CVE-2021-34523, Windows ADFS security feature bypass vulnerability CVE-2021-33779, and Windows Certificate spoofing flaw CVE-2021-34492. One caveat for Exchange administrators: Microsoft states that the two Exchange CVEs were actually fixed in the April 2021 Exchange security update and only had their CVE entries published this month, so servers that took that update are already covered, while those still on an older cumulative update are not.

Many of the CVEs patched this month involve remote code execution, and there are several that are neither under attack nor publicly known but still merit prioritization. CVE-2021-34494 is a critical RCE flaw in the Windows DNS Server that allows code execution at a privileged level against a listening network port, with no user interaction, Dustin Childs of Trend Micro's Zero-Day Initiative noted in a blog post.

"You would be correct in thinking that equates to a wormable bug," he wrote. "This is restricted to DNS Servers only, but if there's one system you don't want wormed, it's probably your DNS server." He urged businesses to patch quickly, as the severity of this bug will prove appealing to attackers.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
