Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

End of Bibblio RCM includes -->
05:25 PM
Connect Directly

Microsoft Patches 3 Windows Zero-Days Amid 117 CVEs

The July Patch Tuesday release also includes the out-of-band fix for the Windows Print Spooler remote code execution flaw under attack.

Microsoft today issued patches for 117 CVEs, four of which it reports are under active attack and six of which are publicly known at the time fixes were released.

Related Content:

Kaseya Releases Security Patch as Companies Continue to Recover

Special Report: Building the SOC of the Future

New From The Edge: Navigating Active Directory Security: Dangers and Defenses

The products and services affected include Microsoft Windows, Exchange Server, Microsoft Office, Dynamics, SharePoint Server, Internet Explorer, Bing, Visual Studio, OpenEnclave, and Windows Storage Spaces Controller. Thirteen are classified as Critical, 103 are Important, and one is ranked Moderate in severity.

This month's Patch Tuesday is larger than those of previous months — May and June brought 55 and 50 patches, respectively — and reminiscent of the larger rollouts Microsoft had throughout 2020. Last year's monthly patch count consistently topped 100; this year, they've been smaller.

July's rollout is not only larger, but it has several CVEs that merit a closer look. One of these, CVE-2021-34527, is an out-of-band patch released July 1 to address a remote code execution vulnerability in the Windows Print Spooler serviced. Dubbed "PrintNightmare," the flaw is similar to, but distinct from, another critical bug (CVE-2021-1675) that Microsoft patched on June 8.

A successful attacker could exploit PrintNightmare to gain system-level access on vulnerable systems, which include core domain controllers and Active Directory admin servers. Attackers could run malicious code; download malware; create new user accounts; or view, change, and delete data. Microsoft has provided workarounds for the vulnerability, advising organizations to either disable the Print Spooler service or disable inbound remote printing using Group Policy.

PrintNightmare has already generated a wealth of attention: The Cybersecurity and Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and others have advised urgent action against it.

On July 13, the Department of Homeland Security issued Emergency Directive 21-04 mandating all Federal Civilian Executive Branch agencies to stop and disable the Print Spooler service on all Microsoft Active Directory Domain Controllers by 11:59 p.m. on Wednesday, July 14. By 11:59 p.m. on Tuesday, July 20, they must apply the July 2021 cumulative updates to all Windows Servers and Workstations. Officials also provide additional guidance for hosts running Microsoft Windows.

Another flaw under attack is CVE-2021-34448, a critical memory corruption vulnerability in the Windows Scripting Engine. Microsoft notes the attack complexity is high but does not provide detail on how widespread the active attacks are. An attacker could execute code on a target system by getting a victim to visit a specially crafted website, which Kevin Breen, the director of research at Immersive Labs, says makes this the most seriously vulnerability to him.

"With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter," he says.

Two Windows kernel privilege escalation vulnerabilities (CVE-2021-31979 and CVE-2021-33771) are under active attack. Both are classified as Important and have a CVSS score of 7.8. They require low attack complexity, low privileges, and no user interaction to successfully exploit.

"These are exactly the type of vulnerabilities in the ransomware attack toolkit, allowing threat actors to boost their user level from user to admin, for greater control over the environment," Breen adds. "Admins should keep an eye on existing and new accounts for suspicious activity."

In addition to the vulnerabilities under active attack, there are several that are publicly known and should be prioritized. These include critical Microsoft Exchange Server RCE vulnerability CVE-2021-34473, Active Directory security feature bypass vulnerability CVE-2021-33781, Exchange Server elevation of privilege flaw CVE-2021-34523, Windows ADFS security feature bypass vulnerability CVE-2021-33779, and Windows Certificate spoofing flaw CVE-2021-34492.

Many of the CVEs patched this month involve remote code execution, and there are several that are not under attack or publicly known but also merit prioritization. CVE-2021-34494 is a critical RCE flaw in the Windows DNS Server that could enable an attacker to conduct remote code execution at a privileged level on a listening network port without user interaction, Dustin Childs of Trend Micro's Zero-Day Initiative noted in a blog post.

"You would be correct in thinking that equates to a wormable bug," he wrote. "This is restricted to DNS Servers only, but if there's one system you don't want wormed, it's probably your DNS server." He urged businesses to patch quickly, as the severity of this bug will prove appealing to attackers.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
Everything You Need to Know About DNS Attacks
It's important to understand DNS, potential attacks against it, and the tools and techniques required to defend DNS infrastructure. This report answers all the questions you were afraid to ask. Domain Name Service (DNS) is a critical part of any organization's digital infrastructure, but it's also one of the least understood. DNS is designed to be invisible to business professionals, IT stakeholders, and many security professionals, but DNS's threat surface is large and widely targeted. Attackers are causing a great deal of damage with an array of attacks such as denial of service, DNS cache poisoning, DNS hijackin, DNS tunneling, and DNS dangling. They are using DNS infrastructure to take control of inbound and outbound communications and preventing users from accessing the applications they are looking for. To stop attacks on DNS, security teams need to shore up the organization's security hygiene around DNS infrastructure, implement controls such as DNSSEC, and monitor DNS traffic
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences. Cross site scripting (XSS) can be triggered by review volumes. This issue has been fixed in version 4.4.7.
PUBLISHED: 2023-05-26
Django-SES is a drop-in mail backend for Django. The django_ses library implements a mail backend for Django using AWS Simple Email Service. The library exports the `SESEventWebhookView class` intended to receive signed requests from AWS to handle email bounces, subscriptions, etc. These requests ar...
PUBLISHED: 2023-05-26
Highlight is an open source, full-stack monitoring platform. Highlight may record passwords on customer deployments when a password html input is switched to `type="text"` via a javascript "Show Password" button. This differs from the expected behavior which always obfuscates `ty...
PUBLISHED: 2023-05-26
Craft is a CMS for creating custom digital experiences on the web.The platform does not filter input and encode output in Quick Post validation error message, which can deliver an XSS payload. Old CVE fixed the XSS in label HTML but didn’t fix it when clicking save. This issue was...
PUBLISHED: 2023-05-26
GDSDB infinite loop in Wireshark 4.0.0 to 4.0.5 and 3.6.0 to 3.6.13 allows denial of service via packet injection or crafted capture file