Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
Microsoft addressed 49 vulnerabilities in this month’s Patch Tuesday update. While the number of vulnerabilities in June was only 5 fewer than May, it represents 33% fewer vulnerabilities on average for each month so far this year. Of those vulnerabilities, 5 were rated as critical, one more than last month, and 52% lower on average. Unfortunately, 6 vulnerabilities are being actively exploited in the wild, one more than the highest monthly number seen so far this year.
These 6 actively exploited vulnerabilities can enable an attacker to gain control of a system, illegally gain critical information, and compromise the security of infrastructure through a vulnerable system. While Automox recommends that all critical vulnerabilities are patched within a 72-hour window, the fact that many of this month’s critical vulnerabilities have no workarounds raises our recommendation: patch these systems with the highest priority.
Eric Feldman - CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability - Critical
CVE-2021-31959 is a critical remote code execution vulnerability that impacts multiple versions of Microsoft Windows 10, as well as specific versions of Microsoft Windows 8, 7, and Windows Server 2008, 2012, 2016, and 2019. While this is labeled as critical, it will require some user interaction to exploit this vulnerability. A user would need to open a specially crafted file that could be delivered via an email attack or web based attack scenario. In either case, an attacker has no way to force users to click a link or open an email attachment. The attacker would need to entice the user to open the specially crafted file using any one of a number of social engineering techniques. Even though user interaction is required for this exploit, Automox recommends prioritization in applying this patch due to the high quantity of Microsoft Windows versions impacted and the frequency of social engineering attempts.
Jay Goodman - CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability - Critical
CVE-2021-31963 is a critical remote code execution vulnerability in Microsoft SharePoint Server. An attacker exploiting this vulnerability could take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights. The vulnerability is less likely to be exploited, according to Microsoft. However, patching critical vulnerabilities in the 72-hour window before attackers can weaponize them is an important first step to maintaining a safe and secure infrastructure.
Justin Knapp - CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability - Critical
CVE-2021-31967 is a remote code execution vulnerability in Microsoft’s VP9 Video Extensions that has the potential to be exploited by a remote, non-authenticated attacker to execute arbitrary code on the target system. Successful exploitation of this vulnerability requires an attacker to send a specially crafted file to bait a user, which could lead to a complete compromise of the vulnerable system. Those affected will automatically receive the necessary update through the Microsoft Store.
Nick Colyer - CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability - Critical
CVE-2021-31985 is a remote code execution vulnerability that affects Microsoft Defender, an embedded antivirus solution in Microsoft Windows operating system releases since Vista. Microsoft has advised that devices that have Microsoft Defender disabled are not vulnerable and additionally noted that vulnerability scanners may still falsely flag them, depending on whether the scanner tests for running services or simply checks whether files exist. Tavis Ormandy and Google Project Zero are acknowledged for discovery, but extended details are scant beyond mpengine.dll as an affected library. This vulnerability is addressed in Microsoft Malware Protection Engine 1.1.18200.3, and Automox highly recommends patching as soon as possible to ensure security hygiene.
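The check described above, as an added example that is not part of the original post or an Automox script: it classifies a host by Defender service state and engine version rather than by the presence of mpengine.dll on disk. The function name `Get-DefenderEngineExposure` and the sample objects are hypothetical; `Get-MpComputerStatus` and its `AMServiceEnabled` and `AMEngineVersion` properties are the standard Defender cmdlet output.

```powershell
# Added example. Fixed engine version taken from the advisory text above.
$FixedEngine = [version]'1.1.18200.3'

function Get-DefenderEngineExposure {
    param(
        # Object shaped like Get-MpComputerStatus output (hypothetical parameter name).
        [Parameter(Mandatory)] $Status
    )
    # Per the advisory, a host with Defender disabled is not vulnerable, so
    # decide on service state first instead of on whether the DLL exists.
    if (-not $Status.AMServiceEnabled) {
        return 'NotApplicable-DefenderDisabled'
    }
    try {
        $engine = [version]$Status.AMEngineVersion
    } catch {
        # Unparseable or empty version string: flag for manual review.
        return 'Unknown-CheckManually'
    }
    if ($engine -ge $FixedEngine) { return 'Patched' }
    return 'Vulnerable-UpdateEngine'
}

# Constructed sample inputs (not real hosts) covering each outcome.
$samples = @(
    [pscustomobject]@{ Name = 'ws-01'; AMServiceEnabled = $true;  AMEngineVersion = '1.1.18100.6' }
    [pscustomobject]@{ Name = 'ws-02'; AMServiceEnabled = $true;  AMEngineVersion = '1.1.18200.3' }
    [pscustomobject]@{ Name = 'ws-03'; AMServiceEnabled = $false; AMEngineVersion = '1.1.18100.6' }
    [pscustomobject]@{ Name = 'ws-04'; AMServiceEnabled = $true;  AMEngineVersion = '' }
)
foreach ($s in $samples) {
    '{0}: {1}' -f $s.Name, (Get-DefenderEngineExposure -Status $s)
}

# Local host, if the Defender module is available.
try {
    $live = Get-MpComputerStatus -ErrorAction Stop
    '{0}: {1}' -f $env:COMPUTERNAME, (Get-DefenderEngineExposure -Status $live)
} catch {
    Write-Warning "Get-MpComputerStatus unavailable: $($_.Exception.Message)"
}
```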
Chris Hass - CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability - High (Exploited) & CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability - High (Exploited)
CVE-2021-31199 and CVE-2021-31201 are a couple of privilege escalation vulnerabilities found in Microsoft Enhanced Cryptographic Provider, a service that typically provides additional functionality leveraged by CryptoAPI, primarily support for longer security keys and cryptographic algorithms. These vulnerabilities are related to a recently released Adobe patch for CVE-2021-28550, which has been exploited in the wild. Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that, when opened on the victim's machine, allow the attacker to gain arbitrary code execution. There are no workarounds for these vulnerabilities; patching as soon as possible is highly recommended.
Justin Knapp - CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability - High (Exploited)
CVE-2021-31955 is an information disclosure vulnerability that exists when the Windows kernel improperly handles objects in memory and it’s one of a handful of zero-day exploits that were just disclosed publicly. An attacker that successfully exploits the vulnerability could obtain information that may help to further compromise the user’s system. This would require the attacker to log on to the affected system and run a specially crafted application. Unfortunately, exploitation has already been detected in the wild, and even though this type of vulnerability would not necessarily allow an attacker to execute code or elevate their privileges, it could be used to obtain critical information that may lead to further compromise. Given that this vulnerability provides an avenue to extract information from the kernel and that it’s currently being exploited, it’s highly recommended to prioritize and patch this zero-day within 24 hours.
Jay Goodman - CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability - High (Exploited)
CVE-2021-31956 is a privilege escalation vulnerability in the Windows NTFS file system. This vulnerability is an important rated vulnerability and has been exploited. An attacker would need to first log into a target system or convince a local user to open a malicious application or file to target the vulnerability and take control of the affected system or elevate the privilege of the application or user. This NTFS vulnerability is part of every modern Windows device and is flagged as an important vulnerability in every major Windows build from Windows 7 forward, including both workstation and server operating system builds. Exploited vulnerabilities are critical to address quickly and efficiently to minimize the organizational risks posed by these types of vulnerabilities. Vulnerabilities in such a common and broadly used service or system like NTFS are particularly safe vulnerabilities for attackers to target knowing that the presence is nearly assured and may not be up to date or patched on every system targeted.
Chris Hass - CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability - High (Exploited & Disclosed)
CVE-2021-33739 is a privilege escalation vulnerability found in Microsoft DWM Core Library, which enables desktop composition for Windows, and allows for features like glass window frames, 3-D window transition animations, Windows Flip and Windows Flip3D, and high resolution support. CVE-2021-33739 has been exploited in the wild, recently disclosed, and there are currently no workarounds available, so patching is critical to protect yourselves from this vulnerability.
Nick Colyer - Adobe Security Bulletins
Adobe released a myriad of security updates this month across a variety of its products and utilities. In highlight, several security fixes in APSB21-37 focus on “DC”, “2020”, and “2017” product releases of Acrobat and Reader. These updates resolve critical vulnerabilities that can result in arbitrary code execution on both Windows and macOS if successfully exploited. As portable document files are ubiquitous, Adobe Reader & authoring products are often among the most widely installed software on organizational endpoints. Although not all vulnerabilities present equal risk in and of themselves, Adobe's broader footprint provides a compelling reason for attackers to seek vulnerabilities to chain, which is why Automox recommends prioritizing this update when possible.