Patch Tuesday update fixes several vulnerabilities

Microsoft fixes seven zero-days, including two PuzzleMaker targets, Google fixes serious Android flaw

This patch Tuesday harvest was another big one. The Windows updates alone included seven zero-day vulnerability updates, two of them are actively being used in the wild by a group called PuzzleMaker, four others that have also been seen in the wild, plus one other zero-day vulnerability not known to have been actively exploited. Add to that 45 vulnerabilities that were labelled important, and security updates for Android, Adobe, SAP, and Cisco. You can practically see the IT staff scrambling to figure out what to do first and what needs to be checked before applying the patches.

PuzzleMaker

Security researchers have discovered a new threat actor dubbed PuzzleMaker, that was found using a chain of Google Chrome and Windows 10 zero-day exploits in highly targeted attacks against multiple companies worldwide. Unfortunately the researchers were unable to conclusively identify the Chrome vulnerability that was used (but they do have a suspect). The good news is that the two Windows vulnerabilities in the attack chain were included in the Windows 10 KB5003637 & KB5003635 cumulative updates. These vulnerabilities are listed as CVE-2021-31955, a Windows kernel information disclosure vulnerability, and CVE-2021-31956, a Windows NTFS elevation of privilege vulnerability.

Other critical issues

The other critical patches made available by Microsoft this June include these actively exploited vulnerabilities:

  • CVE-2021-33739, a Microsoft DWM Core Library Elevation of Privilege Vulnerability.
  • CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability.
  • CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.
  • CVE-2021-31201 another Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability.

Not (yet) actively exploited zero day vulnerability:

  • CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability.

Other critical updates:

  • CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability.
  • CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability.
  • CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability.
  • CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability.
  • CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability.

Android

The Android Security Bulletin of June 7 mentions a critical security vulnerability in the System component that “could enable a remote attacker using a specially crafted transmission to execute arbitrary code within the context of a privileged process”, which is as bad as it sounds. That vulnerability, listed as CVE-2021-0507, could allow an attacker to take control of a targeted Android device unless it’s patched.

Cisco

Cisco has issued a patch for a vulnerability in the software-based SSL/TLS message handler of Cisco Firepower Threat Defense (FTD) Software, that could allow an unauthenticated, remote attacker to trigger a reload of an affected device, resulting in a denial of service (DoS) condition. An attacker could exploit this vulnerability by sending a crafted SSL/TLS message through an affected device. SSL/TLS messages sent to an affected device do not trigger this vulnerability. Cisco informs us that there is no workaround for this issue. Patching is the only solution.

SAP

In the SAP advisory for Security Patch Day – June 2021 we can find two issues that are labelled as “Hot News”:

  • CVE-2021-27602 SAP Commerce, versions – 1808, 1811, 1905, 2005, 2011, Backoffice application allows certain authorized users to create source rules which are translated to drools rule when published to certain modules within the application. An attacker with this authorization can inject malicious code in the source rules and perform remote code execution enabling them to compromise the confidentiality, integrity and availability of the application.
  • CVE-2021-27610 Improper Authentication in SAP NetWeaver ABAP Server and ABAP Platform.

Adobe

To top things off, Adobe has released a giant Patch Tuesday security update release that fixes vulnerabilities in ten applications, including Adobe Acrobat (of course), Reader, and Photoshop. Notably five vulnerabilities in Adobe Acrobat and Reader were fixed that address multiple critical vulnerabilities. Acrobat’s determination to cement its place as the new Flash shows no sign of dimming.

Successful exploitation could lead to arbitrary code execution in the context of the current user on both Windows and macOS. The same is true for two critical vulnerabilities in Photoshop that could lead to arbitrary code execution in the context of the current user.

CVE

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Which is why we try and link you to the Mitre list of CVE’s where possible. It allows interested parties to find and compare vulnerabilities.

Happy patching, everyone!

ABOUT THE AUTHOR

Pieter Arntz

Malware Intelligence Researcher

Was a Microsoft MVP in consumer security for 12 years running. Can speak four languages. Smells of rich mahogany and leather-bound books.