Summer in the northern hemisphere may have only just begun, but in many parts of the U.S., we already see temperatures in the 90s (F). It looks to be a long, hot one. While the warm weather might make most of us want to take off from our jobs and go lie on the beach, it won’t keep the attackers and malicious code distributors from doing their dirty work.
According to a paper from Imperva Security Labs, there were more data records compromised in January 2021 than in the entire year 2017, and they forecast that more than 40 billion records will be compromised by the end of this year.
To prevent your organization from being included in those statistics, you need a multilayered approach to security. One of the first and most important steps you can take is to keep all systems up to date by applying security patches in a timely manner.
Despite the overwhelming popularity of mobile devices and the increasing number of people who use their phones or tablets instead of computers, Windows still holds an operating system market share that is second only to Android, and when we look only at desktop computers, Microsoft is the clear winner with 73.54% as of the end of May.
That’s why Microsoft products are still a favorite target for those who exploit software vulnerabilities, and the worst kind of vulnerability is the zero-day: one that is already being exploited in the wild, or has been publicly disclosed, before a security fix is available. This month’s Patch Tuesday addresses six zero-day issues, along with 44 other vulnerabilities, for a total of 50. This is slightly fewer than last month (55). Four of the June vulnerabilities discussed below are rated critical.
Now, let’s take a closer look at some of this month’s updates.
As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide website for a full list of the June releases. You’ll find that this month’s fixes apply to the following products and features:
.NET Core & Visual Studio, 3D Viewer, Microsoft DWM Core Library, Microsoft Intune, Microsoft Office, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Paint 3D, Role: Hyper-V, Visual Studio Code – Kubernetes Tools, Windows Bind Filter Driver, Windows Common Log File System Driver, Windows Cryptographic Services, Windows DCOM Server, Windows Defender, Windows Drivers, Windows Event Logging Service, Windows Filter Manager, Windows HTML Platform, Windows Installer, Windows Kerberos, Windows Kernel, Windows Kernel-Mode Drivers, Windows Network File System, Windows NTFS, Windows NTLM, Windows Print Spooler Components, Windows Remote Desktop, Windows TCP/IP.
If you’re running any of these software products, you might want to check the updates page for more information about each, including mitigations for those who can’t install the updates and any known issues with the patches.
Also be sure to check out the list of vulnerabilities that have mitigations, workarounds, or FAQs, which you can find in the release notes.
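The same data behind the Security Update Guide spreadsheet can be pulled programmatically. The script below is an added example, not part of the original post, and uses Microsoft’s MsrcSecurityUpdates PowerShell module (the open-source wrapper for the Security Update Guide API). It assumes the module has been installed from the PowerShell Gallery and that the machine can reach the API; the property names filtered on (Severity, FullProductName, KBArticle) are the ones the module’s affected-software output exposes, so confirm them with Get-Member if your module version differs.

```powershell
# Added example: pull the June 2021 release from the Security Update Guide API
# with the MsrcSecurityUpdates module (github.com/microsoft/MSRC-Microsoft-Security-Updates-API).
# Assumes: Install-Module MsrcSecurityUpdates -Scope CurrentUser has already been run.
Import-Module MsrcSecurityUpdates

# Monthly CVRF documents are addressed by yyyy-MMM, so June 2021 is 2021-Jun
$doc = Get-MsrcCvrfDocument -ID '2021-Jun'

# Flatten the CVRF document into one row per (CVE, affected product)
$affected = $doc | Get-MsrcCvrfAffectedSoftware

# 1. Every Critical-rated CVE and the KB that fixes it, per product
$affected |
    Where-Object { $_.Severity -eq 'Critical' } |
    Select-Object CVE, FullProductName, Severity, Impact, KBArticle |
    Sort-Object CVE, FullProductName |
    Format-Table -AutoSize

# 2. Everything that touches one product family you run, e.g. Windows Server 2019
$affected |
    Where-Object { $_.FullProductName -like 'Windows Server 2019*' } |
    Select-Object CVE, Severity, Impact -Unique |
    Sort-Object CVE

# 3. Per-CVE summary for a triage spreadsheet (replaces the manual Excel download)
$doc | Get-MsrcCvrfCVESummary |
    Export-Csv -Path .\msrc-2021-Jun.csv -NoTypeInformation
```

Run the first query in a change window before Patch Tuesday deployment: the CVE-to-KB mapping it prints is what you need to prove, per host, that a given critical issue is closed.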
As usual, there are some known issues with some of these patches, affecting various versions of Windows Server and client and SharePoint Server. You can find out more about those in the following KB articles:
KB5001944 – SharePoint Server 2019
KB5001946 – SharePoint Enterprise Server 2016
KB5001962 – SharePoint Foundation 2013
KB5003635 – Windows 10 version 1909
KB5003637 – Windows 10 versions 21H1, 20H2, and 2004; Windows Server versions 20H2 and 2004
KB5003646 – Windows 10 version 1809, Windows Server 2019
KB5003661 – Windows Server 2008 Service Pack 2 (Monthly Rollup)
KB5003667 – Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Monthly Rollup)
KB5003671 – Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)
KB5003681 – Windows 8.1, Windows Server 2012 R2 (Security-only update)
KB5003694 – Windows 7 Service Pack 1, Windows Server 2008 R2 Service Pack 1 (Security-only update)
KB5003695 – Windows Server 2008 Service Pack 2 (Security-only update)
KB5003696 – Windows Server 2012 (Security-only update)
KB5003697 – Windows Server 2012 (Monthly Rollup)
Zero-day and critical vulnerabilities
We’ll focus on the most serious vulnerabilities that were patched this month: those that were publicly disclosed or already exploited in the wild before their updates were released (zero-day vulnerabilities) and others rated critical.
A critical rating pertains to a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (for example, network worms) or unavoidable common-use scenarios where code execution occurs without warnings or prompts. This could mean simply browsing to a web page or opening an email.
Microsoft recommends that customers apply Critical updates immediately.
Zero-day vulnerabilities patched
The following six zero-day vulnerabilities were patched:
- CVE-2021-33742 – Windows MSHTML Platform Remote Code Execution Vulnerability, CVSS 7.5 – This vulnerability is rated critical. It impacts supported versions of Windows client and server operating systems. Exploitation in the wild has been detected. The attacker does not require privileges prior to the attack, but user interaction is required for a successful attack. Impact on confidentiality, integrity, and availability is high, with potential total loss of all three.
- CVE-2021-33739 – Microsoft DWM Core Library Elevation of Privilege Vulnerability, CVSS 8.4 – This vulnerability is rated important, but its impact on confidentiality, integrity, and availability is high, with potential total loss of all three. It was publicly disclosed before the patch was released, and exploitation in the wild has been detected. No privileges and no user interaction are required, but the attack vector is local: the attacker first needs to run code on the machine, for example by convincing a user to open an executable attached to a phishing email, and then uses this flaw to escalate from that foothold.
- CVE-2021-31199 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2 – This vulnerability is rated important. It impacts Windows 7, Windows RT 8.1, Windows 8.1, and Windows Server 2008, 2008 R2, 2012, and 2012 R2. It was not publicly disclosed, but exploitation in the wild has been detected. Impact on confidentiality and integrity is low and there is no impact on availability, but no user interaction is required for a successful attack. Microsoft notes that this vulnerability is related to Adobe’s CVE-2021-28550, an Acrobat/Reader flaw published in Adobe Security Bulletin APSB21-29 that was itself exploited in the wild.
- CVE-2021-31201 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability, CVSS 5.2 – This vulnerability is rated important. It impacts Windows 7, Windows RT 8.1, Windows 8.1, and Windows Server 2008, 2008 R2, 2012, and 2012 R2. It was not publicly disclosed, but exploitation in the wild has been detected. Impact on confidentiality and integrity is low and there is no impact on availability, but no user interaction is required for a successful attack. As with CVE-2021-31199 above, the vulnerability addressed is related to Adobe’s CVE-2021-28550 (Adobe Security Bulletin APSB21-29).
- CVE-2021-31955 – Windows Kernel Information Disclosure Vulnerability, CVSS 5.5 – This vulnerability is rated important. It impacts Windows 10 and Windows Server 2019, including Server Core installations. It was not publicly disclosed, but exploitation in the wild has been detected. There is no impact on integrity or availability, but impact on confidentiality is high, with potential total loss resulting in all resources within the impacted component being divulged to the attacker. No user interaction is required for a successful attack.
- CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability, CVSS 7.8 – This vulnerability is rated important. It affects all supported versions of Windows client and server operating systems, including Server Core installations. It was not publicly disclosed, but exploitation in the wild has been detected. Impact on confidentiality, integrity, and availability is high, with potential total loss of all three. No user interaction is required for a successful attack.
Ryan Naraine reported that, according to Kaspersky zero-day hunter Boris Larin, the last two of these vulnerabilities (CVE-2021-31955 and CVE-2021-31956) were used together as part of a sophisticated cross-browser exploit chain that also hit flaws in Google’s flagship Chrome browser: the browser bug gave the attackers code execution in a sandboxed process, and the kernel pair turned that into a full compromise of the host.
Other critical vulnerabilities patched
The following additional critical vulnerabilities were patched:
- CVE-2021-31959 – Scripting Engine Memory Corruption Vulnerability. This vulnerability affects Windows RT 8.1, Windows 7, 8.1, and 10, and Windows Server 2008 R2, 2012, 2012 R2, 2016, and 2019. It has not been publicly disclosed or exploited in the wild, but exploitation is rated “more likely.” Successful exploitation requires a user to take some action, such as visiting a malicious web page, before the vulnerability can be exploited. Impact on confidentiality and availability is low, but impact on integrity is high (total loss of integrity, or a complete loss of protection).
- CVE-2021-31967 – VP9 Video Extensions Remote Code Execution Vulnerability. This vulnerability affects the VP9 Video Extensions. It has not been publicly disclosed or exploited in the wild, and exploitation is rated “less likely.” However, impact on confidentiality, integrity, and availability is high, with potential total loss of all three. The attacker is unauthorized before an attack and therefore does not require any access to settings or files to carry out an attack, but user interaction is required for a successful attack. Because the VP9 Video Extensions are a Microsoft Store app, this fix is delivered through the Store’s automatic app updates rather than through Windows Update, so machines where Store updates are disabled or blocked by policy need to be checked separately.
- CVE-2021-31963 – Microsoft SharePoint Server Remote Code Execution Vulnerability. This vulnerability affects Microsoft SharePoint Foundation 2013 SP1, SharePoint Server 2019, SharePoint Enterprise Server 2013 SP1, and SharePoint Enterprise Server 2016. It has not been publicly disclosed or exploited in the wild, and exploitation is rated “less likely.” Impact on confidentiality and integrity is high, with total loss of both. Impact on availability is low. The attacker requires privileges that provide basic user capabilities (those that could normally affect only settings and files owned by a user), which on a SharePoint farm means any authenticated site user. No user interaction is required.
Other important vulnerabilities
In addition to the zero-day and critical vulnerabilities discussed above, Patch Tuesday brings us fixes for additional issues that are rated Important. These cover a broad base and include spoofing vulnerabilities, security feature bypasses, information disclosure, denial of service, remote code execution, and elevation of privilege issues in an array of Windows components and in Microsoft SharePoint, Office applications, and Intune.
Per Microsoft guidance, a rating of Important pertains to a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data or the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts regardless of the prompt’s provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.
Microsoft recommends that customers apply Important updates at the earliest opportunity.
Applying the updates
Most organizations will automatically deploy Microsoft and third-party software updates to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service built into the operating system. Cumulative and security-only updates are available for supported versions of Windows client and server. Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.
Here are the KB numbers of the June cumulative updates and monthly rollups for the most widely used versions of Windows (the security-only packages for the older versions are listed in the known-issues section above):
KB5003637 – Windows 10 versions 21H1, 20H2, and 2004
KB5003635 – Windows 10 version 1909
KB5003646 – Windows 10 version 1809 and Windows Server 2019
KB5003671 – Windows 8.1 and Server 2012 R2 (Monthly Rollup)
KB5003667 – Windows 7 SP1 and Server 2008 R2 (Monthly Rollup)
Always research whether there are known issues that could affect your particular machines and configurations before rolling an update out to your production systems. There are a large number of such known issues with this month’s updates; the full list of links to the KB articles detailing them is in the release notes.
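Once the updates have been deployed, you still need to prove per host that the June package landed. The script below is an added example, not code from the original post or from any vendor; it runs in an elevated Windows PowerShell 5.1 session on the target machine. The build-to-KB table is hand-built from the KB numbers in the release notes quoted above, and the minimum “OS Build” revisions come from the titles of those KB articles; both tables are assumptions you must refresh every month.

```powershell
# Added example: verify the June 2021 cumulative update / monthly rollup is present.
# Tables are hand-built from the June 2021 KB articles and must be refreshed monthly.

# Build number -> acceptable KB IDs (cumulative update, or rollup / security-only pair)
$kbByBuild = @{
    '19043' = @('KB5003637')                # Windows 10 21H1
    '19042' = @('KB5003637')                # Windows 10 / Server 20H2
    '19041' = @('KB5003637')                # Windows 10 / Server 2004
    '18363' = @('KB5003635')                # Windows 10 1909
    '17763' = @('KB5003646')                # Windows 10 1809 / Server 2019
    '9600'  = @('KB5003671', 'KB5003681')   # 8.1 / 2012 R2: rollup or security-only
    '9200'  = @('KB5003697', 'KB5003696')   # Server 2012: rollup or security-only
    '7601'  = @('KB5003667', 'KB5003694')   # 7 SP1 / 2008 R2 SP1: rollup or security-only
    '6003'  = @('KB5003661', 'KB5003695')   # Server 2008 SP2 (reports 6003 since 2019)
    '6002'  = @('KB5003661', 'KB5003695')   # Server 2008 SP2 (older servicing stack)
}

# Windows 10 cumulative updates supersede each other, and a superseded LCU can
# disappear from Get-HotFix after the next month's update; the update build
# revision (UBR) is the reliable signal there. Minimum UBR for the June 2021
# LCU, taken from the KB titles (e.g. "OS Build 19043.1052").
$minUbrByBuild = @{
    '19043' = 1052; '19042' = 1052; '19041' = 1052
    '18363' = 1621
    '17763' = 1999
}

$cv    = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [string]$cv.CurrentBuild
$label = "$($cv.ProductName) $($cv.DisplayVersion)".Trim()   # DisplayVersion exists from 20H2 on

if (-not $kbByBuild.ContainsKey($build)) {
    Write-Warning "Build $build ($label) is not in the June 2021 table; check the release notes."
    return
}

# Get-HotFix reads Win32_QuickFixEngineering, the same list as Control Panel > Installed Updates
$installed = (Get-HotFix).HotFixID
$hit = @($kbByBuild[$build] | Where-Object { $installed -contains $_ })

if ($minUbrByBuild.ContainsKey($build)) {
    # Windows 10 / Server 2019: trust the build revision over the package list
    $patched = [int]$cv.UBR -ge $minUbrByBuild[$build]
    $detail  = "OS build $build.$($cv.UBR), need at least $build.$($minUbrByBuild[$build])"
} else {
    # Windows 7 / 8.1 / Server 2008-2012: the rollup or security-only package must be listed
    $patched = $hit.Count -gt 0
    $detail  = "expected one of $($kbByBuild[$build] -join ', '); found: $($hit -join ', ')"
}

if ($patched) { "$label : patched ($detail)" }
else          { Write-Warning "$label : NOT patched ($detail)" }

# CVE-2021-31967 is fixed in a Microsoft Store app, not in the OS update: list the
# installed VP9 package so its version can be compared against the advisory.
Get-AppxPackage -AllUsers -Name Microsoft.VP9VideoExtensions |
    Select-Object Name, Version, PackageFullName
```

Wrap the script in Invoke-Command against your server list and collect the warnings; hosts that report a build outside the table are the ones most likely to be running an unsupported or unexpected Windows version and deserve a closer look than the ones that simply say “NOT patched.”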
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in the Microsoft Download Center.
In addition to Microsoft’s security updates, this month’s Patch Tuesday brought an unusually large number of updates from Adobe: 12 patches for various Adobe products. We will cover these in detail in our Third Party Patch Roundup in a few days.