7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
This patch Tuesday harvest was another big one. The Windows updates alone included seven zero-day vulnerability updates, two of them are actively being used in the wild by a group called PuzzleMaker, four others that have also been seen in the wild, plus one other zero-day vulnerability not known to have been actively exploited. Add to that 45 vulnerabilities that were labelled important, and security updates for Android, Adobe, SAP, and Cisco. You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.
Security researchers have discovered a new threat actor dubbed PuzzleMaker, that was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were included in the Windows 10 KB5003637 & KB5003635 cumulative updates. These vulnerabilities are listed as CVE-2021-31955, a Windows kernel information disclosure vulnerability, and CVE-2021-31956, a Windows NTFS elevation of privilege vulnerability.
The other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:
Not (yet) actively exploited zero day vulnerability:
Other critical updates:
The Android Security Bulletin of June 7 mentions a critical security vulnerability in the System component that "could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process", which is as bad as it sounds. That vulnerability, listed as CVE-2021-0507, could allow an attacker to take control of a targeted Android device unless it's patched.
Cisco has issued a patch for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software, that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message through an affected device. SSL/TLS messages sentto an affected device do not trigger this vulnerability. Cisco informs us that there is no workaround for this issue. Patching is the only solution.
In the SAP advisory for Security Patch Day – June 2021 we can find two issues that are labelled as “Hot News”:
To top things off, Adobe has released a giant Patch Tuesday security update release that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably five vulnerabilities in Adobe Acrobat and Reader were fixed that address multiple critical vulnerabilities. Acrobat's determination to cement its place as the new Flash shows no sign of dimming.
Successful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.
Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Which is why we try and link you to the Mitre list of CVE’s where possible. It allows interested parties to find and compare vulnerabilities.
Happy patching, everyone!
The post Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw appeared first on Malwarebytes Labs.
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C