What follows Patch Tuesday? Exploit Wednesday. Grab this bumper batch of security updates from Microsoft

Four flaws already being abused in the wild to compromise victims

Microsoft released an XL-sized bundle of security fixes for its products for this month's Patch Tuesday, and other vendors are close behind in issuing updates.

The Windows goliath's batch for July has 117 patches, 13 for what's said to be critical bugs, 103 important, and one moderate. Normally, we'd encourage you to install these updates, testing them as appropriate prior to deployment, before miscreants develop exploits for them. However, four of these holes are already being exploited in the wild, according to Microsoft, so you best get your skates on.

Here's a rundown of those four:

  • CVE-2021-34527: Also known as Printnightmare, this is the remote-code execution hole in the Windows Print Spooler for which exploit code is floating around the web and is being used, Redmond said. Some infosec bods claimed they can bypass the patch, though Microsoft said that isn't possible provided certain Registry keys are set to particular values. Microsoft said a system with this patch installed is, by default, not vulnerable to Printnightmare, though it's been suggested there are a number of ways to make a box vulnerable. Review your Registry keys, install the patch, and only allow administrators to install printer drivers. To be totally safe, disable the print spooler service entirely.
  • CVE-2021-34448: A maliciously crafted webpage can achieve remote code execution via Microsoft's Scripting Engine. Exploitation in the wild was detected and that's about all Microsoft has said on the matter. Exploit code isn't said to be public. Researchers at Chinese outfit Qihoo 360 ATA were credited with the find.
  • CVE-2021-31979 and CVE-2021-33771: Privilege escalation flaws in the Windows kernel, which can be, and apparently are being, exploited by malware and/or malicious users to gain admin access. Exploit code isn't said to be public.

Note that the Printnightmare fix was also expanded to Windows 10 version 1607, Server 2016, and Server 2012.
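
The "review your Registry keys" and print spooler checks from the Printnightmare item above can be scripted per host; this is an added example, not code from Microsoft or from the original article. The key path and value names are the Point and Print policy values in Microsoft's guidance for CVE-2021-34527, which the article does not spell out, and Get-PolicyValue and New-Finding are hypothetical helper names.

```powershell
# Added example: audit the Printnightmare (CVE-2021-34527) settings on one host.
# Key path and value names are from Microsoft's guidance for this CVE, not the article.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PolicyValue {   # hypothetical helper: returns $null if key or value is absent
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding {       # hypothetical helper: one row of the report
    param([string]$Check, $Value, [bool]$Pass)
    $shown = if ($null -eq $Value) { '(not set)' } else { "$Value" }
    [pscustomobject]@{ Check = $Check; Value = $shown; Pass = $Pass }
}

$findings = @()

# Point and Print prompts: absent or 0 keeps the warning and elevation prompts on.
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $v = Get-PolicyValue -Path $key -Name $name
    $findings += New-Finding -Check $name -Value $v -Pass (($null -eq $v) -or ($v -eq 0))
}

# Driver installation limited to administrators: pass only when explicitly set to 1.
$name = 'RestrictDriverInstallationToAdministrators'
$v = Get-PolicyValue -Path $key -Name $name
$findings += New-Finding -Check $name -Value $v -Pass ($v -eq 1)

# Optional hardening from the article: spooler stopped and disabled.
$svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($null -eq $svc) {
    $findings += New-Finding -Check 'Spooler service' -Value 'not installed' -Pass $true
} else {
    $off = ($svc.Status -eq 'Stopped') -and ($svc.StartType -eq 'Disabled')
    $findings += New-Finding -Check 'Spooler service' -Value "$($svc.Status)/$($svc.StartType)" -Pass $off
}

$findings | Format-Table -AutoSize
# Whether the July update itself is installed is a separate check (KB numbers vary by Windows version).
```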

Meanwhile, exploit code is said to have been developed for CVE-2021-34473 (Exchange Server RCE), CVE-2021-33781 (Active Directory security feature bypass), CVE-2021-34523 (Exchange Server privilege escalation), CVE-2021-33779 (Windows ADFS security bypass), and CVE-2021-34492 (Windows certificate spoofing), though no one has been spotted abusing them in the wild yet.

Trend Micro's Zero-Day Initiative has a terrific summary of the patches. It called out CVE-2021-34494, an RCE in Windows DNS Server, as particularly bad and in need of patching before it's exploited, and CVE-2021-34458, a Windows Kernel RCE that affects virtualization host servers, depending on the configuration.

There are also critical bugs in Windows Defender, Dynamics Business Central, Windows Media Foundation, Hyper-V, and the Windows MSHTML Platform. There are then notable patches for HEVC Video Extensions, Microsoft Excel and SharePoint Server, Word, Power BI... the list is huge.

"This volume of fixes is more than the last two months combined and on par with the monthly totals from 2020," said the Zero-Day Initiative's Dustin Childs. "Perhaps the lowered rate seen in the prior months was an aberration."

Other vendors are riding the Patch Tuesday train with Microsoft. Adobe released its usual bunch of security updates, this month addressing 29 CVE-listed bugs for Acrobat and Reader (19 of the total fixes, ten of them critical), as well as Dimension, Illustrator, Framemaker, and Adobe Bridge.

Meanwhile, Intel warned us to look out for a firmware update from system manufacturers to fix a local escalation-of-privilege flaw on machines mainly powered by its Xeon processors. VMware has a couple of patches out – one squashing an authentication bypass flaw with ESXi and the other fixing a DLL hijacking vulnerability in ThinApp. SAP has addressed a "critical authentication-based vulnerability in LM Configuration Wizard of SAP NetWeaver AS Java."

And who could forget the July edition of Android security updates? Check your systems, great and small, for updates and apply as soon as you can. ®
