Microsoft released an XL-sized bundle of security fixes for its products for this month's Patch Tuesday, and other vendors are close behind in issuing updates.
The Windows goliath's batch for July has 117 patches, 13 for what's said to be critical bugs, 103 important, and one moderate. Normally, we'd encourage you to install these updates, testing them as appropriate prior to deployment, before miscreants develop exploits for them. However, four of these holes are already being exploited in the wild, according to Microsoft, so you best get your skates on.
Here's a run down of those four:
- CVE-2021-34527: Also known as Printnightmare, this is the remote-code execution hole in the Windows Print Spooler for which exploit code is floating around the web and is being used, Redmond said. Some infosec bods claimed they can bypass the patch, though Microsoft said that isn't possible provided your Registry keys are certain values. Microsoft said a system with this patch installed is, by default, not vulnerable to Printnightmare though it's been suggested there are a number of ways to make a box vulnerable. Review your Registry keys, install the patch, and only allow administrators to install printer drivers. To be totally safe, disable the print spooler service entirely.
- CVE-2021-34448: A maliciously crafted webpage can achieve remote code execution via Microsoft's Scripting Engine. Exploitation in the wild was detected and that's about all Microsoft has said on the matter. Exploit code isn't said to be public. Researchers at Chinese outfit Qihoo 360 ATA were credited with the find.
- CVE-2021-31979 and CVE-2021-33771: Privilege escalation flaws in the Windows kernel, which can be, and apparently are being, exploited by malware and/or malicious users to gain admin access. Exploit code isn't said to be public.
Note that the Printnightmare fix was also expanded to Windows 10 version 1607, Server 2016, and Server 2012.
Meanwhile, exploit code is said to have been developed for CVE-2021-34473 (Exchange Server RCE), CVE-2021-33781 (Active Directory security feature bypass), CVE-2021-34523 (Exchange Server privilege escalation), CVE-2021-33779 (Windows ADFS security bypass), and CVE-2021-34492 (Windows certificate spoofing), though no one has been spotted abusing them in the wild yet.
Trend Micro's Zero-Day Initiative has a terrific summary of the patches here. It called out CVE-2021-34494, an RCE in Windows DNS Server, as particularly bad and in need of patching before it's exploited, and CVE-2021-34458 that's a Windows Kernel RCE that affects virtualization host servers, depending on the configuration.
There are also critical bugs in Windows Defender, Dynamics Business Central, Windows Media Foundation, Hyper-V, and the Windows MSHTML Platform. There are then notable patches for HEVC Video Extensions, Microsoft Excel and SharePoint Server, Word, Power BI... the list is huge.
"This volume of fixes is more than the last two months combined and on par with the monthly totals from 2020," said the Zero-Day Initiative's Dustin Childs. "Perhaps the lowered rate seen in the prior months was an aberration."
- Microsoft struggles to wake from PrintNightmare: Latest print spooler patch can be bypassed, researchers say
- Security warning deluge from 'npm audit' is driving developers to distraction
- Microsoft to beef up security portfolio with reported half-billion-dollar RiskIQ buyout
- SolarWinds issues software update – one it wrote for a change – to patch hole exploited in the wild
Other vendors are riding the Patch Tuesday train with Microsoft. Adobe released its usual bunch of security updates, this month addressing 29 CVE-listed bugs for Acrobat and Reader (19 fixes of the total and ten of them critical), as well as Dimension, Illustrator, Framemaker, and Adobe Bridge.
Meanwhile, Intel warned us to look out for a firmware update from system manufacturers to fix a local escalation-of-privilege flaw on machines mainly powered by its Xeon processors. VMware has a couple of patches out – one squashing an authentication bypass flaw with ESXi and the other fixing a DLL hijacking vulnerability in ThinApp. SAP has addressed a "critical authentication-based vulnerability in LM Configuration Wizard of SAP NetWeaver AS Java."
And who could forget the July edition of Android security updates. Check your systems, great and small, for updates and apply as soon as you can. ®