Three bugs under active exploit were squashed by Microsoft Tuesday, part of its July security roundup of fixes for Windows, Microsoft Office, SharePoint Server and Exchange Server. In all, Microsoft patched 116 bugs. Twelve bugs are rated critical, 103 rated important and one classified as moderate in severity.
Bugs under active attack include a critical scripting engine memory corruption (CVE-2021-34448) flaw and two additional Windows kernel elevation-of-privilege vulnerabilities (CVE-2021-31979, CVE-2021-33771), both with a severity rating of important.
The hundred-plus bug fixes add to a rough July for Microsoft, which rolled out an out-of-band fix for a Windows print spooler remote-code-execution vulnerability (CVE-2021-34527), dubbed PrintNightmare, earlier this month. The nightmare bug, first disclosed in April, was later discovered to be more serious than initially thought.
Public, But Not Exploited
Five of the bugs patched by Microsoft (CVE-2021-34473, CVE-2021-33781, CVE-2021-34523, CVE-2021-33779, CVE-2021-34492) were publicly known, albeit not exploited. Only one of those bugs (CVE-2021-34473), a Microsoft Exchange Server remote code execution (RCE) vulnerability, has a severity rating of critical, with a CVSS score of 9.1. The bug, one of the highest rated in terms of importance to fix this month, was part of Microsoft’s April Patch Tuesday roundup of fixes, according to commentary by Cisco Talos.
“This vulnerability was already patched in Microsoft’s April security update but was mistakenly not disclosed. Users who already installed the April 2021 update are already protected from this vulnerability, though it is worth noting that this issue was part of a series of zero-days in Exchange Server used in a wide-ranging APT attack,” wrote Talos authors Jon Munshaw and Jaeson Schultz.
The most pressing of bugs is a memory corruption vulnerability (CVE-2021-34448) in Windows Server’s scripting engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.
“[This bug] is the most serious vulnerability for me. It is elegant in its simplicity, letting an attacker gain remote code execution just by getting the target to visit a domain,” wrote Kevin Breen, director of cyber threat research with Immersive Labs, in his Patch Tuesday commentary. “With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter. Victims could even be attacked by sending .js or .hta files in targeted phishing emails.”
Cisco Talos advises system admin to prioritize a patch for a critical bug (CVE-2021-34464) in Microsoft’s free Defender anti-virus software. “This issue could allow an attacker to execute remote code on the victim machine. However, users do not need to take any actions to resolve this issue, as the update will automatically install. The company has listed steps in its advisory users can take to ensure the update is properly installed,” wrote Munshaw and Schultz.
Researchers have also identified three SharePoint Server bugs (CVE-2021-34520, CVE-2021-34467, CVE-2021-34468) as priority patches. Each allow an attacker to execute remote code on the victim machine. All are rated important. However, Microsoft reports that exploitation is “more likely” with these vulnerabilities, Talos said.
Zero Day Initiative’s Dustin Childs recommends tackling (CVE-2021-34458), a Windows kernel vulnerability. “It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices,” he wrote.
“It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly,” Childs added.
In related news, Adobe’s July patch roundup, also released Tuesday, includes fixes for its ubiquitous and free PDF reader Acrobat 2020 and other software such as Illustrator and Bridge. In all, Adobe patched 20 Acrobat bugs, with nine rated important.
Check out our free upcoming live and on-demand webinar events – unique, dynamic discussions with cybersecurity experts and the Threatpost community.