The list of July 2021 Patch Tuesday updates looks endless. 117 patches with no less than 42 CVEs assigned to them that have FAQs, mitigations details or workarounds listed for them. Looking at the urgency levels Microsoft has assigned to them, system administrators have their work cut out for them once again:
- 13 criticial patches
- 103 important patches
You can find the list of CVEs that have FAQs, mitigations, or workarounds on the Microsoft July release notes page.
Six vulnerabilities were previously disclosed and four are being exploited in-the-wild, according to Microsoft. One of those CVE’s is a familiar one, 2021-34527 aka the anyone-can-run-code-as-domain-admin RCE known as PrintNightmare. Microsoft issued out-of-band patches for that vulnerability a week ago, but those were not as comprehensive as one might have hoped.
Since then, the Cybersecurity and Infrastructure Security Agency’s (CISA) has issued Emergency Directive 21-04, “Mitigate Windows Print Spooler Service Vulnerability” because it is aware of active exploitation, by multiple threat actors, of the PrintNightmare vulnerability. These directive list required actions for all Federal Civilian Executive Branch agencies.
Besides the ongoing PrintNightmare, er, nightmare, there are some others that deserve your undivided attention. Vulnerabilities being exploited in the wild, besides PrintNightmare, are:
- CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability for Windows Server 2012 R2 and Windows 10.
- CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability for Windows Server 2012, Server 2016, Windows 8.1, and Windows 10.
- CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability for Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2012, Windows Server 2016, and Windows Server 2019.
Other vulnerabilities that are not seen exploited in the wild yet, but are likely candidates to make that list soon:
- CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability for some Windows Server versions, if the system is hosting virtual machines, or the Server includes hardware with SR-IOV devices.
- CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability for Windows Server versions if the server is configured to be a DNS server.
Another ongoing effort to patch vulnerable systems has to do with Microsoft Exchange Server. Flaws that were actually already patched in April have now been assigned new CVE numbers CVE-2021-34473 (Microsoft Exchange Server Remote Code Execution Vulnerability) and CVE-2021-34523 (Microsoft Exchange Server Elevation of Privilege Vulnerability). As you may remember this combo of elevation of privilege (EOP) and remote code execution (RCE) caused quite the panic when attackers started using the Exchange bugs to access vulnerable servers before establishing web shells to gain persistence and steal information.
If you applied the patches in April, you are already protected. If you didn’t, move them to the top of your to-do-list.
Windows Media Foundation
Two other critical vulnerabilities, and one considered important, were found in Microsoft Windows Media Foundation. Microsoft Media Foundation enables the development of applications and components for using digital media on Windows Vista and later. If you do have this multimedia platform installed on your system you are advised to apply the patches, but note that many of them include the Flash Removal Package. So do the patches for CVE-2021-34497 a critical Windows MSHTML Platform RCE vulnerability.
Stay safe, everyone!