Microsoft rolled out Patch Tuesday updates for the month of July with fixes for a total of 117 security vulnerabilities, including nine zero-day flaws, of which four are said to be under active attack in the wild, potentially enabling an adversary to take control of affected systems.
Of the 117 issues, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity, with six of these bugs publicly known at the time of release.
The updates span several of Microsoft’s products, including Windows, Bing, Dynamics, Exchange Server, Office, Scripting Engine, Windows DNS, and Visual Studio Code.
The security flaws under active exploitation are as follows:
- CVE-2021-34527 (CVSS score: 8.8) – Windows Print Spooler Remote Code Execution Vulnerability (publicly disclosed as “PrintNightmare”)
- CVE-2021-31979 (CVSS score: 7.8) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2021-33771 (CVSS score: 7.8) – Windows Kernel Elevation of Privilege Vulnerability
- CVE-2021-34448 (CVSS score: 6.8) – Scripting Engine Memory Corruption Vulnerability
Microsoft also stressed the high attack complexity of CVE-2021-34448, stating that an attack hinges on luring an unsuspecting user into clicking a link to a malicious website hosted by the adversary, which contains a specially crafted file engineered to trigger the vulnerability.
The other five publicly disclosed, but not exploited, zero-day vulnerabilities are listed below —
- CVE-2021-34473 (CVSS score: 9.1) – Microsoft Exchange Server Remote Code Execution Vulnerability
- CVE-2021-34523 (CVSS score: 9.0) – Microsoft Exchange Server Elevation of Privilege Vulnerability
- CVE-2021-33781 (CVSS score: 8.1) – Active Directory Security Feature Bypass Vulnerability
- CVE-2021-33779 (CVSS score: 8.1) – Windows ADFS Security Feature Bypass Vulnerability
- CVE-2021-34492 (CVSS score: 8.1) – Windows Certificate Spoofing Vulnerability
“This Patch Tuesday comes just days after out-of-band updates were released to address PrintNightmare — the critical flaw in the Windows Print Spooler service that was found in all versions of Windows,” Bharat Jogi, senior manager of vulnerability and threat research at Qualys, told The Hacker News.
“While MSFT has released updates to fix the vulnerability, users must still ensure that necessary configurations are set up correctly. Systems with misconfigurations will continue to be at risk of exploitation, even after the latest patch has been applied. PrintNightmare was a highly serious issue that further underscores the importance of marrying detection and remediation,” Jogi added.
The PrintNightmare vulnerability has also prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to release an emergency directive, urging federal departments and agencies to apply the latest security updates immediately and disable the print spooler service on Microsoft Active Directory Domain Controllers.
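One way to check the spooler mitigation described above across a domain, as an added example that is not part of the original article. It assumes the ActiveDirectory RSAT module and WinRM/CIM access to each domain controller; the function name `Get-DcSpoolerStatus` is hypothetical.

```powershell
# Added example (not from the article): audit the Print Spooler service on
# every domain controller in the current domain.
# Assumptions: the ActiveDirectory module (RSAT) is installed and the account
# running this can query services on the DCs over WinRM/CIM.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-DcSpoolerStatus {   # hypothetical helper name
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service `
                                   -Filter "Name='Spooler'" `
                                   -ComputerName $dc.HostName -ErrorAction Stop
            if (-not $svc) {
                # Service not present on this host: nothing to disable.
                [pscustomobject]@{
                    DomainController = $dc.HostName
                    State            = 'NotInstalled'
                    StartMode        = 'NotInstalled'
                    Compliant        = $true
                }
                continue
            }
            [pscustomobject]@{
                DomainController = $dc.HostName
                State            = $svc.State       # Running / Stopped
                StartMode        = $svc.StartMode   # Auto / Manual / Disabled
                # Compliant only if stopped AND unable to start again on reboot.
                Compliant        = ($svc.State -eq 'Stopped' -and
                                    $svc.StartMode -eq 'Disabled')
            }
        }
        catch {
            # An unreachable DC is reported as non-compliant, not skipped.
            [pscustomobject]@{
                DomainController = $dc.HostName
                State            = 'Unknown'
                StartMode        = 'Unknown'
                Compliant        = $false
            }
        }
    }
}

# Non-compliant hosts sort first. To remediate one, run on that host:
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
Get-DcSpoolerStatus | Sort-Object Compliant, DomainController | Format-Table -AutoSize
```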
Microsoft also rectified a security bypass vulnerability in the Windows Hello biometrics-based authentication solution (CVE-2021-34466, CVSS score: 5.7) that could permit an adversary to spoof a target’s face and get around the login screen.
Other critical flaws remediated by Microsoft include remote code execution vulnerabilities affecting Windows DNS Server (CVE-2021-34494, CVSS score: 8.8) and Windows Kernel (CVE-2021-34458), the latter of which is rated 9.9 on the CVSS severity scale.
“This issue allows a single root input/output virtualization (SR-IOV) device which is assigned to a guest to potentially interfere with its Peripheral Component Interface Express (PCIe) siblings which are attached to other guests or to the root,” Microsoft noted in its advisory for CVE-2021-34458, adding that Windows instances hosting virtual machines are vulnerable to this flaw.
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or select Check for Windows updates.
Software Patches From Other Vendors
Alongside Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including —