Microsoft today issued patches for 117 CVEs, four of which it reports are under active attack and six of which are publicly known at the time fixes were released.
The products and services affected include Microsoft Windows, Exchange Server, Microsoft Office, Dynamics, SharePoint Server, Internet Explorer, Bing, Visual Studio, OpenEnclave, and Windows Storage Spaces Controller. Thirteen are classified as Critical, 103 are Important, and one is ranked Moderate in severity.
This month's Patch Tuesday is larger than those of previous months — May and June brought 55 and 50 patches, respectively — and reminiscent of the larger rollouts Microsoft had throughout 2020. Last year's monthly patch count consistently topped 100; this year, they've been smaller.
July's rollout is not only larger, but it has several CVEs that merit a closer look. One of these, CVE-2021-34527, is an out-of-band patch released July 1 to address a remote code execution vulnerability in the Windows Print Spooler service. Dubbed "PrintNightmare," the flaw is similar to, but distinct from, another critical bug (CVE-2021-1675) that Microsoft patched on June 8.
A successful attacker could exploit PrintNightmare to gain system-level access on vulnerable systems, which include core domain controllers and Active Directory admin servers. Attackers could run malicious code; download malware; create new user accounts; or view, change, and delete data. Microsoft has provided workarounds for the vulnerability, advising organizations to either disable the Print Spooler service or disable inbound remote printing using Group Policy.
PrintNightmare has already generated a wealth of attention: The Cybersecurity and Infrastructure Security Agency (CISA), the CERT Coordination Center (CERT/CC), and others have advised urgent action against it.
On July 13, the Department of Homeland Security issued Emergency Directive 21-04 mandating all Federal Civilian Executive Branch agencies to stop and disable the Print Spooler service on all Microsoft Active Directory Domain Controllers by 11:59 p.m. on Wednesday, July 14. By 11:59 p.m. on Tuesday, July 20, they must apply the July 2021 cumulative updates to all Windows Servers and Workstations. Officials also provide additional guidance for hosts running Microsoft Windows.
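The two workarounds above (stop and disable the Print Spooler service, or block inbound remote printing through Group Policy) and the domain-controller requirement in Emergency Directive 21-04 can be audited from one script. The following is an added example, not code from the article, Microsoft or CISA; it assumes an elevated PowerShell 5.1+ session on the Windows host being checked, and that the registry value RegisterSpoolerRemoteRpcEndPoint under the Printers policy key is the backing store for the "Allow Print Spooler to accept client connections" policy (2 = disabled). It only reports unless -Remediate is given.

```powershell
# Added example: audit, and optionally apply, the PrintNightmare workarounds.
# Assumption: RegisterSpoolerRemoteRpcEndPoint = 2 mirrors disabling the
# "Allow Print Spooler to accept client connections" Group Policy setting.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
$policyName = 'RegisterSpoolerRemoteRpcEndPoint'

# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole
$isDomainController = $role -ge 4

$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
$spoolerState = if ($spooler) { "$($spooler.Status) / StartType=$($spooler.StartType)" } else { 'not installed' }

$policyValue = (Get-ItemProperty -Path $policyKey -Name $policyName -ErrorAction SilentlyContinue).$policyName
$remotePrintingBlocked = ($policyValue -eq 2)

# Report the current posture before changing anything.
[pscustomobject]@{
    Host                   = $env:COMPUTERNAME
    DomainController       = $isDomainController
    SpoolerService         = $spoolerState
    InboundPrintingBlocked = $remotePrintingBlocked
} | Format-List

if (-not $Remediate) { return }

if ($isDomainController) {
    # ED 21-04: domain controllers get the spooler stopped and disabled outright.
    if ($spooler -and $spooler.Status -ne 'Stopped') { Stop-Service -Name Spooler -Force }
    Set-Service -Name Spooler -StartupType Disabled
    Write-Output 'Print Spooler stopped and disabled (domain controller).'
} elseif (-not $remotePrintingBlocked) {
    # Hosts that still need local printing: block inbound remote printing via
    # the policy value and restart the service so it takes effect.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name $policyName -PropertyType DWord -Value 2 -Force | Out-Null
    Restart-Service -Name Spooler -ErrorAction SilentlyContinue
    Write-Output 'Inbound remote printing disabled via policy; spooler restarted.'
}
```

Run it without -Remediate across a fleet first to find hosts that still expose the spooler, then apply the fix host by host; the July cumulative update is still required and neither workaround replaces it.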
Another flaw under attack is CVE-2021-34448, a critical memory corruption vulnerability in the Windows Scripting Engine. Microsoft notes the attack complexity is high but does not provide detail on how widespread the active attacks are. An attacker could execute code on a target system by getting a victim to visit a specially crafted website, which Kevin Breen, the director of research at Immersive Labs, says makes this the most serious vulnerability to him.
"With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter," he says.
Two Windows kernel privilege escalation vulnerabilities (CVE-2021-31979 and CVE-2021-33771) are under active attack. Both are classified as Important and have a CVSS score of 7.8. They require low attack complexity, low privileges, and no user interaction to successfully exploit.
"These are exactly the type of vulnerabilities in the ransomware attack toolkit, allowing threat actors to boost their user level from user to admin, for greater control over the environment," Breen adds. "Admins should keep an eye on existing and new accounts for suspicious activity."
In addition to the vulnerabilities under active attack, there are several that are publicly known and should be prioritized. These include critical Microsoft Exchange Server RCE vulnerability CVE-2021-34473, Active Directory security feature bypass vulnerability CVE-2021-33781, Exchange Server elevation of privilege flaw CVE-2021-34523, Windows ADFS security feature bypass vulnerability CVE-2021-33779, and Windows Certificate spoofing flaw CVE-2021-34492.
Many of the CVEs patched this month involve remote code execution, and there are several that are not under attack or publicly known but also merit prioritization. CVE-2021-34494 is a critical RCE flaw in the Windows DNS Server that could enable an attacker to conduct remote code execution at a privileged level on a listening network port without user interaction, Dustin Childs of Trend Micro's Zero-Day Initiative noted in a blog post.
"You would be correct in thinking that equates to a wormable bug," he wrote. "This is restricted to DNS Servers only, but if there's one system you don't want wormed, it's probably your DNS server." He urged businesses to patch quickly, as the severity of this bug will prove appealing to attackers.