Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
June 2021 Overview
Justin Knapp - General Overview
Microsoft ushers in the 2nd half of 2021 with a massive Patch Tuesday, releasing fixes for a total of 116 vulnerabilities, 12 of which are critical severity, and 2 that have already been exploited in the wild. July represents a dramatic shift from the relatively light releases we’ve witnessed over previous months and highlights an uptick in zero-day exploits and the urgency needed to keep pace with a growing list of threats. While the critical vulnerability within Windows Print Spooler, better known as PrintNightmare, has been at the center of attention lately due to its scope of impact and extremely high probability of exploitation, there are plenty of other critical security flaws this month that require urgent attention as well. The recent rise of supply chain attacks has put everyone on notice and reinforces the need to be extremely diligent when it comes to best practices around patching and risk assessment to ensure minimal exposure.
Nick Colyer - Adobe Overview
Adobe issued multiple security bulletins this month for Acrobat & Reader, Dimension, Illustrator, Framemaker, and Bridge. In highlight, we note specifically the Acrobat and Reader vulnerabilities affecting both Windows and macOS operating systems. Adobe products are prevalent on most organization’s devices, but this is especially true of Acrobat and Reader given the ubiquity of the PDF format. This also makes a very attractive target for malicious threat actors. When weaponized quickly, it becomes a near-certainty that the clients and systems of organizations with weak security controls and little hygiene will be compromised. The most serious include arbitrary code execution and privilege escalation outlined in APSB21-51 affecting Acrobat DC, Acrobat Reader DC, Acrobat 2020, Acrobat Reader 2020, Acrobat 2017, and Acrobat Reader 2017. Due to the nature of these vulnerabilities and the commonality of this software, Automox recommends prioritizing the patching of these vulnerabilities within a 72 hour period.
Critical Vulnerability Breakdown
Justin Knapp - CVE-2021-34527 Windows Print Spooler RCE Vulnerability (PrintNightmare) - Critical & Exploited
Microsoft released an out-of-band update, CVE-2021-34527, detailing a remote code execution (RCE) vulnerability existing in the Windows Printer Spooler service allowing attackers to execute code remotely when the service improperly performs a privileged file operation. The vulnerability, dubbed “PrintNightmare”, follows the earlier CVE-2021-1675 in June that also fixed a remote code execution vulnerability in the print spooler service. This newer vulnerability is similar and has been demonstrated in a PoC using Mimikatz. The hasty roll-out and subsequent update from Microsoft follows an accidental publication of the PoC exploit code by security researchers, which essentially provided an early how-to guide for exploitation. Given the scope of impact, low level of complexity, and high probability of exploitation, this vulnerability should be immediately prioritized and patched within 24 hours.
Chris Hass - CVE-2021-34473 Microsoft Exchange Server RCE Vulnerability - Critical & Disclosed & CVE-2021-34423 Microsoft Exchange Server Elevation of Privilege Vulnerability - High & Disclosed
CVE-2021-34473 and CVE-2021-34523 are a pair of high-priority vulnerabilities found in Microsoft's Exchange Server solution. CVE-2021-34473, a remote code execution vulnerability found and disclosed via the Zero Day initiative, allows an attacker to execute code on a victim's machine without user interaction over the network. CVE-2021-34523 could be used in conjunction with CVE-2021-34473 to elevate user privileges on the device once compromised. Neither of these attacks has been exploited in the wild. However, admins may be able to breathe a sigh of relief if they have been installing regular updates, as Microsoft claims these vulnerabilities were inadvertently omitted from April's security bulletin and were patched back in April 2021. April was a busy patching month for Exchange due to NSA disclosing four critical RCEs (CVE-2021-28480, CVE-2021-2848, CVE-2021-28482, CVE-2021-28483).
Jay Goodman - CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability - Critical & Exploited
CVE-2021-34448 is a critical remote code execution vulnerability identified in Windows 7 and newer Microsoft operating systems, including server flavors. The vulnerability is in how Microsoft’s scripting engine handles objects in memory and can lead to remote code execution. Using a web-based attack or a malicious file, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights. Remote code execution vulnerabilities are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems. When combined with other vulnerabilities allowing escalation of privileges, attackers can quickly and easily take full control of the target system and use it to either exfiltrate data or move laterally within the organization’s infrastructure. Microsoft has detected CVE-2021-34448 being exploited in the wild making this an absolutely critical vulnerability to patch to minimize exposure.
Eric Feldman - CVE-2021-34464 & CVE-2021-34522 Microsoft Defender RCE Vulnerability - Critical
CVE-2021-34464 and CVE-2021-34522 are both critical remote code execution vulnerabilities that affect Microsoft Defender, an embedded antivirus solution in every Microsoft Windows operating system release since Microsoft Vista. Microsoft has advised that devices that have Microsoft Defender disabled are not vulnerable as these systems are not in an exploitable state. Microsoft additionally noted that vulnerability scanners may still falsely flag as they are looking for specific binaries and version numbers on devices, and Microsoft Defender files are still on disk even when disabled. As Microsoft typically releases an update for the Microsoft Malware Protection Engine used by Microsoft Defender once a month, or as needed to protect against new threats, Microsoft advises that no immediate action is required to install an update. Customers should however, verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded and installed for their Microsoft anti-malware products, and that the Microsoft Malware Protection Engine version is 1.1.18242.0 or later.
Peter Pflaster - CVE-2021-34494 Microsoft DNS Server RCE Vulnerability - Critical
CVE-2021-34494 is a critical remote code execution (RCE) vulnerability affecting Windows Domain Name System (DNS) Servers (CVSSv3 9.8/8.5). Both core and full installations are affected back to Windows Server 2008, including versions 2004 and 20H2. DNS is used to translate IP addresses to more human-friendly names, so you don’t have to remember the jumble of numbers that represents your favorite social media site. In a Windows Domain environment, Windows DNS Server is critical to business operations and often installed on the domain controller. Windows DNS server has been vulnerable before; just last year Microsoft released a patch for a 17 year-old RCE vulnerability dubbed “SIGred” that warranted a CVSS score of 10. This vulnerability could be particularly dangerous if not patched promptly.
Chad McNaughton - CVE-2021-34458 Windows Kernel RCE Vulnerability - Critical
A network-level, low-complexity vulnerability requiring low privileges and no user interaction, CVE-2021-34458 has been deemed critical due to its ability to execute remote code. This issue allows an SR-IOV device which is assigned to a guest to potentially interfere with its PCIe siblings which are attached to other guests or to the root. In short, SR-IOV devices allow your virtual machines to share resources on a single, physical interface on your server. Those that host virtual machines from a Windows instance or manage a server that includes the required hardware with SR-IOV devices could be affected by this vulnerability and should deploy the security update within 72 hours.
Aleks Haugom - CVE-2021-34497 Windows MSHTML Platform RCE Vulnerability - Critical
CVE-2021-34497 is a critical remote code execution vulnerability impacting the Windows MSHTML Platform. Successful exploitation requires the attacker to trick a victim into opening a link to a specially crafted website or server share. Since there is no way for the attacker to force a victim to take this action, they need to entice them with an email, chat message, or other method. Once a link is opened, an attacker can run any command on the target system allowing them to view, delete, or steal data. As this vulnerability results in the loss of system confidentiality, patching should be prioritized.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.