CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

AI Score
Confidence: High

EPSS
Percentile: 99.9%

Three bugs under active exploit were squashed by Microsoft Tuesday, part of its July security roundup of fixes for Windows, Microsoft Office, SharePoint Server and Exchange Server. In all, Microsoft patched 116 bugs. Twelve bugs are rated critical, 103 rated important and one classified as moderate in severity.
Bugs under active attack include a critical scripting engine memory corruption (CVE-2021-34448) flaw and two additional Windows kernel elevation-of-privilege vulnerabilities (CVE-2021-31979, CVE-2021-33771), both with a severity rating of important.
The hundred-plus bug fixes add to a rough July for Microsoft, which rolled out an out-of-band fix for a Windows print spooler remote-code-execution vulnerability (CVE-2021-34527), dubbed PrintNightmare, earlier this month. The nightmare bug, first disclosed in April, was later discovered to be more serious than initially thought.
Five of the bugs patched by Microsoft (CVE-2021-34473, CVE-2021-33781, CVE-2021-34523, CVE-2021-33779, CVE-2021-34492) were publicly known, albeit not exploited. Only one of those bugs (CVE-2021-34473), a Microsoft Exchange Server remote code execution (RCE) vulnerability, has a severity rating of critical, with a CVSS score of 9.1. The bug, one of the highest rated in terms of importance to fix this month, was part of Microsoft’s April Patch Tuesday roundup of fixes, according to commentary by Cisco Talos.
“This vulnerability was already patched in Microsoft’s April security update but was mistakenly not disclosed. Users who already installed the April 2021 update are already protected from this vulnerability, though it is worth noting that this issue was part of a series of zero-days in Exchange Server used in a wide-ranging APT attack,” wrote Talos authors Jon Munshaw and Jaeson Schultz.
The most pressing of the bugs is a memory corruption vulnerability (CVE-2021-34448) in Windows Server’s scripting engine that is triggered when the user opens a specially crafted file, either attached to an email or hosted on a compromised website.
“[This bug] is the most serious vulnerability for me. It is elegant in its simplicity, letting an attacker gain remote code execution just by getting the target to visit a domain,” wrote Kevin Breen, director of cyber threat research with Immersive Labs, in his Patch Tuesday commentary. “With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter. Victims could even be attacked by sending .js or .hta files in targeted phishing emails.”
Cisco Talos advises system admins to prioritize a patch for a critical bug (CVE-2021-34464) in Microsoft’s free Defender anti-virus software. “This issue could allow an attacker to execute remote code on the victim machine. However, users do not need to take any actions to resolve this issue, as the update will automatically install. The company has listed steps in its advisory users can take to ensure the update is properly installed,” wrote Munshaw and Schultz.
Researchers have also identified three SharePoint Server bugs (CVE-2021-34520, CVE-2021-34467, CVE-2021-34468) as priority patches. Each allows an attacker to execute remote code on the victim machine. All are rated important. However, Microsoft reports that exploitation is “more likely” with these vulnerabilities, Talos said.
Zero Day Initiative’s Dustin Childs recommends tackling CVE-2021-34458, a Windows kernel vulnerability. “It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices,” he wrote.
“It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly,” Childs added.
In related news, Adobe’s July patch roundup, also released Tuesday, includes fixes for its ubiquitous and free PDF reader Acrobat 2020 and other software such as Illustrator and Bridge. In all, Adobe patched 20 Acrobat bugs, with nine rated important.
blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html
msrc.microsoft.com/update-guide/releaseNote/2021-Jul
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-31979
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33771
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33779
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-33781
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34458
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34464
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34467
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34468
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34492
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34520
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523
msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527
threatpost.com/adobe-patches-critical-acrobat/167743/
threatpost.com/microsoft-emergency-patch-printnightmare/167578/
www.zerodayinitiative.com/blog/2021/7/13/the-july-2021-security-update-review