Microsoft on Tuesday picked up the pace on patching for July and released fixes for 117 vulnerabilities, four of which are being actively exploited in the wild.
July represents a dramatic shift from the relatively light releases security researchers have seen over previous months, highlighting an uptick in zero-day exploits and the urgency needed to keep pace with a growing list of threats, said Justin Knapp, senior product marketing manager at Automox.
The most critical vulnerabilities to prioritize for patching affect the Exchange server, DNS server, Sharepoint server and Windows Kernel, said Bharat Jogi, senior manager, vulnerability and threat research at Qualys.
“Given the criticality and the fact that some of these vulnerabilities have already been exploited in the wild, we encourages all users to patch for these vulnerabilities,” Jogi said.
This month’s Patch Tuesday comes just days after out-of-band updates were released to address PrintNightmare -- the critical flaw in the Windows Print Spooler service that was found in all versions of Windows.
Although Microsoft has released updates to fix the vulnerability, Jogi said users must still ensure that necessary configurations are set up correctly. He said systems with misconfigurations will continue to be at risk of exploitation, even after the latest patch has been applied. “PrintNightmare was a highly serious issue that further underscores the importance of marrying detection and remediation,” Jogi said.
In response to this threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) today issued Emergency Directive (ED) 21-04, mandating that within one week all federal civilian agencies immediately "stop and disable the Print Spooler service on all Microsoft Active Directory (AD) Domain Controllers (DC)," "apply the July 2021 cumulative updates to all Windows servers and workstations," and make additional necessary configuration changes.
The four Microsoft patches for exploits in the wild consist of the following:
- CVE-2021-34527: Windows Print Spooler RCE Vulnerability (PrintNightmare)
Automox’s Knapp said this out-of-band update vulnerability, dubbed “PrintNightmare,” follows the earlier CVE-2021-1675 in June that also fixed a remote code execution (RCE) vulnerability in Microsoft’s Print Spooler service. This newer vulnerability is similar and has been demonstrated in a Proof of Concept (PoC) using Mimikatz. Knapp said the hasty roll-out last week and subsequent update from Microsoft follows an accidental publication of the PoC exploit code by security researchers, which essentially offered an early how-to guide for exploitation. Given the scope of impact, low level of complexity, and high probability of exploitation, Knapp said this vulnerability should be prioritized and patched within 24 hours.
- CVE-2021-34448: Scripting Engine Memory Corruption Vulnerability
Jay Goodman, director of product marketing at Automox said this vulnerability is a critical RCE vulnerability identified in Windows 7 and newer Microsoft operating systems, including server flavors. Using a web-based attack or a malicious file, Goodman said attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights. RCEs are particularly nefarious given that they enable attackers to directly run malicious code on the exploited systems. Microsoft has detected CVE-2021-34448 as being exploited in the wild, making this an absolutely critical vulnerability to patch to minimize exposure, said Goodman.
These are two vulnerabilities in the Windows kernal. Both have been exploited in the wild as zero-days, according to Microsoft's Security Response Center. A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero.