Microsoft Patches 3 Windows Zero-Days Amid 117 CVEsMicrosoft Patches 3 Windows Zero-Days Amid 117 CVEs
The July Patch Tuesday release also includes the out-of-band fix for the Windows Print Spooler remote code execution flaw under attack.
July 13, 2021
Microsoft today issued patches for 117 CVEs, four of which it reports are under active attack and six of which are publicly known at the time fixes were released.
The products and services affected include Microsoft Windows, Exchange Server, Microsoft Office, Dynamics, SharePoint Server, Internet Explorer, Bing, Visual Studio, OpenEnclave, and Windows Storage Spaces Controller. Thirteen are classified as Critical, 103 are Important, and one is ranked Moderate in severity.
This month's Patch Tuesday is larger than those of previous months — May and June brought 55 and 50 patches, respectively — and reminiscent of the larger rollouts Microsoft had throughout 2020. Last year's monthly patch count consistently topped 100; this year, they've been smaller.
July's rollout is not only larger, but it has several CVEs that merit a closer look. One of these, CVE-2021-34527, is an out-of-band patch released July 1 to address a remote code execution vulnerability in the Windows Print Spooler serviced. Dubbed "PrintNightmare," the flaw is similar to, but distinct from, another critical bug (CVE-2021-1675) that Microsoft patched on June 8.
A successful attacker could exploit PrintNightmare to gain system-level access on vulnerable systems, which include core domain controllers and Active Directory admin servers. Attackers could run malicious code; download malware; create new user accounts; or view, change, and delete data. Microsoft has provided workarounds for the vulnerability, advising organizations to either disable the Print Spooler service or disable inbound remote printing using Group Policy.
PrintNightmare has already generated a wealth of attention: The Cybersecurity and Infrastructure Security Agency (CISA), CERT Coordination Center (Cert CC), and others have advised urgent action against it.
On July 13, the Department of Homeland Security issued Emergency Directive 21-04 mandating all Federal Civilian Executive Branch agencies to stop and disable the Print Spooler service on all Microsoft Active Directory Domain Controllers by 11:59 p.m. on Wednesday, July 14. By 11:59 p.m. on Tuesday, July 20, they must apply the July 2021 cumulative updates to all Windows Servers and Workstations. Officials also provide additional guidance for hosts running Microsoft Windows.
Another flaw under attack is CVE-2021-34448, a critical memory corruption vulnerability in the Windows Scripting Engine. Microsoft notes the attack complexity is high but does not provide detail on how widespread the active attacks are. An attacker could execute code on a target system by getting a victim to visit a specially crafted website, which Kevin Breen, the director of research at Immersive Labs, says makes this the most seriously vulnerability to him.
"With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter," he says.
Two Windows kernel privilege escalation vulnerabilities (CVE-2021-31979 and CVE-2021-33771) are under active attack. Both are classified as Important and have a CVSS score of 7.8. They require low attack complexity, low privileges, and no user interaction to successfully exploit.
"These are exactly the type of vulnerabilities in the ransomware attack toolkit, allowing threat actors to boost their user level from user to admin, for greater control over the environment," Breen adds. "Admins should keep an eye on existing and new accounts for suspicious activity."
In addition to the vulnerabilities under active attack, there are several that are publicly known and should be prioritized. These include critical Microsoft Exchange Server RCE vulnerability CVE-2021-34473, Active Directory security feature bypass vulnerability CVE-2021-33781, Exchange Server elevation of privilege flaw CVE-2021-34523, Windows ADFS security feature bypass vulnerability CVE-2021-33779, and Windows Certificate spoofing flaw CVE-2021-34492.
Many of the CVEs patched this month involve remote code execution, and there are several that are not under attack or publicly known but also merit prioritization. CVE-2021-34494 is a critical RCE flaw in the Windows DNS Server that could enable an attacker to conduct remote code execution at a privileged level on a listening network port without user interaction, Dustin Childs of Trend Micro's Zero-Day Initiative noted in a blog post.
"You would be correct in thinking that equates to a wormable bug," he wrote. "This is restricted to DNS Servers only, but if there's one system you don't want wormed, it's probably your DNS server." He urged businesses to patch quickly, as the severity of this bug will prove appealing to attackers.
About the Author(s)
You May Also Like
Hacking Your Digital Identity: How Cybercriminals Can and Will Get Around Your Authentication MethodsOct 26, 2023
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
Passwords Are Passe: Next Gen Authentication Addresses Today's Threats
What Ransomware Groups Look for in Enterprise Victims
How to Use Threat Intelligence to Mitigate Third-Party Risk
Concerns Mount Over Ransomware, Zero-Day Bugs, and AI-Enabled Malware
Securing the Remote Worker: How to Mitigate Off-Site Cyberattacks
9 Traits You Need to Succeed as a Cybersecurity Leader
The Ultimate Guide to the CISSP
The Burnout Breach: How employee burnout is emerging as the next frontier in cybersecurity
Protecting Critical Infrastructure: The 2021 Energy, Utilities, and Industrials Cyber Threat Landscape Report
Identity Access Management 101