Microsoft Patches 3 Windows Zero-Days Amid 117 CVEs

Published: 23/11/2024   Category: security




The July Patch Tuesday release also includes the out-of-band fix for the Windows Print Spooler remote code execution flaw under attack.



Microsoft today issued patches for 117 CVEs, four of which it reports are under active attack and six of which are publicly known at the time fixes were released.
The products and services affected include Microsoft Windows, Exchange Server, Microsoft Office, Dynamics, SharePoint Server, Internet Explorer, Bing, Visual Studio, OpenEnclave, and Windows Storage Spaces Controller. Thirteen are classified as Critical, 103 are Important, and one is ranked Moderate in severity.
This month's Patch Tuesday is larger than those of previous months — May and June brought 55 and 50 patches, respectively — and reminiscent of the larger rollouts Microsoft had throughout 2020. Last year's monthly patch count consistently topped 100; this year, they've been smaller.
July's rollout is not only larger, but it also has several CVEs that merit a closer look. One of these, CVE-2021-34527, is an out-of-band patch released July 1 to address a remote code execution vulnerability in the Windows Print Spooler service. Dubbed PrintNightmare, the flaw is similar to, but distinct from, another critical bug (CVE-2021-1675) that Microsoft patched on June 8.
A successful attacker could exploit PrintNightmare to gain system-level access on vulnerable systems, which include core domain controllers and Active Directory admin servers. Attackers could run malicious code; download malware; create new user accounts; or view, change, and delete data. Microsoft has provided workarounds for the vulnerability, advising organizations to either disable the Print Spooler service or disable inbound remote printing using Group Policy.
PrintNightmare has already generated a wealth of attention: the Cybersecurity and Infrastructure Security Agency (CISA), the CERT Coordination Center (CERT/CC), and others have advised urgent action against it.
On July 13, the Department of Homeland Security issued Emergency Directive 21-04, mandating that all Federal Civilian Executive Branch agencies stop and disable the Print Spooler service on all Microsoft Active Directory Domain Controllers by 11:59 p.m. on Wednesday, July 14. By 11:59 p.m. on Tuesday, July 20, they must apply the July 2021 cumulative updates to all Windows servers and workstations. Officials also provide additional guidance for hosts running Microsoft Windows.
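The workaround Microsoft describes and the directive's first step both come down to the same action on each domain controller: confirm the Print Spooler state, stop it, and set it to Disabled so it does not come back on reboot. The PowerShell below is an added example, not from the article, Microsoft or CISA; it audits every domain controller in the current domain and, only when run with -Disable, applies the workaround. It assumes the ActiveDirectory RSAT module and WinRM access to the DCs, and it reads the RegisterSpoolerRemoteRpcEndPoint registry value as the backing store of the "Allow Print Spooler to accept client connections" Group Policy setting (value name taken from Microsoft's workaround guidance as I recall it; treat it as an assumption).

```powershell
# Added example (not from the article): audit Print Spooler on all domain
# controllers; with -Disable, stop the service and prevent it from restarting.
param(
    [switch]$Disable
)

Import-Module ActiveDirectory

# Every DC in the current domain; the directive scopes the workaround to DCs.
$dcs = (Get-ADDomainController -Filter *).HostName
$doDisable = [bool]$Disable   # plain bool serialises cleanly through $using:

$results = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $svc = Get-Service -Name Spooler

    # Registry value behind the "Allow Print Spooler to accept client connections"
    # policy (assumption: 1 = enabled, 2 = disabled; absent = policy not set).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $remoteRpc = (Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue).RegisterSpoolerRemoteRpcEndPoint

    $state = [pscustomobject]@{
        Computer         = $env:COMPUTERNAME
        Status           = $svc.Status
        StartType        = $svc.StartType
        RemoteRpcPolicy  = if ($null -eq $remoteRpc) { 'NotConfigured' } else { $remoteRpc }
    }

    if ($using:doDisable) {
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name Spooler -Force
        }
        # Disabled (not Manual) so a reboot or a dependent service cannot revive it.
        Set-Service -Name Spooler -StartupType Disabled
        $state.Status    = (Get-Service -Name Spooler).Status
        $state.StartType = (Get-Service -Name Spooler).StartType
    }
    $state
}

# Anything still Running, or with an Automatic start type, needs attention.
$results | Sort-Object Computer | Format-Table Computer, Status, StartType, RemoteRpcPolicy -AutoSize
```

Run it once without -Disable to get a baseline (and to catch DCs that are unreachable over WinRM before the deadline), then again with -Disable. The RemoteRpcPolicy column shows which DCs are already covered by the Group Policy route, which matters for print servers that cannot simply have the service removed.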
Another flaw under attack is CVE-2021-34448, a critical memory corruption vulnerability in the Windows Scripting Engine. Microsoft notes the attack complexity is high but does not provide detail on how widespread the active attacks are. An attacker could execute code on a target system by getting a victim to visit a specially crafted website, which Kevin Breen, director of research at Immersive Labs, says makes this the most serious vulnerability to him.
"With malicious, yet professional-looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter," he says.
Two Windows kernel privilege escalation vulnerabilities (CVE-2021-31979 and CVE-2021-33771) are under active attack. Both are classified as Important and have a CVSS score of 7.8. They require low attack complexity, low privileges, and no user interaction to successfully exploit.
"These are exactly the type of vulnerabilities in the ransomware attack toolkit, allowing threat actors to boost their user level from user to admin, for greater control over the environment," Breen adds. Admins should keep an eye on existing and new accounts for suspicious activity.
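"Keep an eye on existing and new accounts" translates, on a Windows host or domain controller, to reviewing the account-management events in the Security log: 4720 (user account created), 4728 (member added to a security-enabled global group) and 4732 (member added to a security-enabled local group). The script below is an added example, not from the article or from Immersive Labs; it assumes account-management auditing is enabled (the default on domain controllers) and that it is run with rights to read the Security log. The time window is a constructed default.

```powershell
# Added example (not from the article): list account creations and privileged
# group additions from the last N hours, with who did it and to whom.
param(
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 4720 = user account created
# 4728 = member added to security-enabled global group (e.g. Domain Admins)
# 4732 = member added to security-enabled local group (e.g. Administrators)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4728, 4732
    StartTime = $since
} -ErrorAction SilentlyContinue

$events | ForEach-Object {
    # Pull the named EventData fields out of the event XML.
    $xml  = [xml]$_.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($_.Id -eq 4720) {
        $target = $data['TargetUserName']   # the new account
        $group  = $null
    } else {
        $target = $data['MemberName']       # DN of the account that was added
        $group  = $data['TargetUserName']   # the group it was added to
    }

    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Actor  = $data['SubjectUserName']  # account that performed the change
        Target = $target
        Group  = $group
    }
} | Sort-Object Time -Descending | Format-Table -AutoSize
```

A creation or group addition whose Actor is a non-admin user, a service account, or a machine account is the pattern worth chasing after a kernel privilege escalation: the elevated process creates or promotes an account under whatever identity it was running as. Feeding the same three event IDs to a SIEM with an alert on Group matching your tier-0 groups gives the continuous version of this check.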
In addition to the vulnerabilities under active attack, there are several that are publicly known and should be prioritized. These include critical Microsoft Exchange Server RCE vulnerability CVE-2021-34473, Active Directory security feature bypass vulnerability CVE-2021-33781, Exchange Server elevation of privilege flaw CVE-2021-34523, Windows ADFS security feature bypass vulnerability CVE-2021-33779, and Windows Certificate spoofing flaw CVE-2021-34492.
Many of the CVEs patched this month involve remote code execution, and several that are neither under attack nor publicly known also merit prioritization. CVE-2021-34494 is a critical RCE flaw in the Windows DNS Server that could enable an attacker to conduct remote code execution at a privileged level on a listening network port without user interaction, Dustin Childs of Trend Micro's Zero-Day Initiative noted in a blog post.
"You would be correct in thinking that equates to a wormable bug," he wrote. "This is restricted to DNS Servers only, but if there's one system you don't want wormed, it's probably your DNS server." He urged businesses to patch quickly, as the severity of this bug will prove appealing to attackers.
