Microsoft's July Patch Rollout Bigger than Last Two Months Combined
Microsoft's latest monthly patch tally is back in the three digits.
On Tuesday, the company released its July security patches, addressing 117 common vulnerabilities and exposures (CVEs). That high number is more in line with Microsoft's hefty patch rollouts of last year. As noted by Dustin Childs, a security researcher with Trend Micro's Zero Day Initiative (ZDI), July's bundle contained more patches than the last two months combined.
"Perhaps the lowered rate seen in the prior months was an aberration," Childs said in a patch Tuesday ZDI analysis.
Per the ZDI count, 13 of the 117 vulnerabilities are rated "Critical," while 103 vulnerabilities are deemed "Important," plus there's one vulnerability ranked "Moderate."
Microsoft's official patch publication is its voluminous "Security Update Guide," which rates each flaw with a Common Vulnerability Scoring System (CVSS) base score on a scale of 0 to 10. Its entries are largely boilerplate descriptions of the July fixes; it's often the non-Microsoft security researchers who fill in the missing details.
Microsoft also published its "Release Notes" for July, which describes the affected products. The "Release Notes" include links to "relevant information," workarounds and "known issues" that may be helpful.
Four July vulnerabilities are labeled as "exploited," per ZDI's count, and are also deemed "zero-day" vulnerabilities, meaning they were under attack before a fix was available.
One of the publicly known and exploited vulnerabilities is CVE-2021-34527, a Critical Windows print spooler flaw dubbed "PrintNightmare" (CVSS 8.8). Microsoft earlier this month released a so-called "out-of-band" fix for this vulnerability because proof-of-concept code had been published (but later deleted) by security researchers. The CVE-2021-34527 patch will address the PrintNightmare exploit, Microsoft recently asserted, although IT pros will need to check certain registry settings to confirm protection: per Microsoft's guidance, the Point and Print values NoWarningNoElevationOnInstall and UpdatePromptSettings (under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint) must be 0 or not present, or the update does not protect the system.
"It seems like the PrintNightmare is nearly over," said Adam Bunn, lead software engineer at Rapid7, in a released comment. "While the past two weeks have been a frenzy for the security community there has been no new information since the end of last week when Microsoft made a final revision to their guidance on CVE-2021-34527."
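The registry check Microsoft asked admins to perform can be scripted. The following is an added example written for this article, not Microsoft's own tooling or code from Rapid7; it assumes an elevated PowerShell 5.1 or later session on the host being checked, and the function and variable names are this example's own. It verifies the two Point and Print values the FAQ requires, reports the RestrictDriverInstallationToAdministrators hardening value documented in KB5005010 alongside the July 6 update, and checks the advisory's two workarounds (a stopped Spooler, or a Spooler that no longer accepts remote client connections).

```powershell
# Added example (not from the article or from Microsoft): verifies a Windows host against
# Microsoft's CVE-2021-34527 guidance. Assumes an elevated PowerShell 5.1+ session on the
# host being checked. Function names ($PointAndPrintKey, Test-PrintNightmareMitigation, ...)
# are this example's own.

$PointAndPrintKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$PrintersKey      = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'

function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    # Returns the registry value, or $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-PrintNightmareMitigation {
    $required    = New-Object System.Collections.Generic.List[string]   # update is ineffective if these fail
    $recommended = New-Object System.Collections.Generic.List[string]   # additional hardening / workarounds

    # Per Microsoft's CVE-2021-34527 FAQ: the update only protects the system if both Point and
    # Print values are 0 or absent. A non-zero value re-opens the non-admin driver-install path.
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $v = Get-RegValueOrNull -Path $PointAndPrintKey -Name $name
        if ($null -ne $v -and $v -ne 0) {
            $required.Add("$name = $v (must be 0 or not present)")
        }
    }

    # KB5005010 (published with the July 6 out-of-band update): a value of 1 restricts printer
    # driver installation to administrators.
    $restrict = Get-RegValueOrNull -Path $PointAndPrintKey -Name 'RestrictDriverInstallationToAdministrators'
    if ($restrict -ne 1) {
        $recommended.Add("RestrictDriverInstallationToAdministrators is '$restrict' (set to 1 to limit driver installs to admins)")
    }

    # Advisory workarounds: stop and disable the Spooler, or disable inbound remote printing via the
    # 'Allow Print Spooler to accept client connections' policy (RegisterSpoolerRemoteRpcEndPoint = 2).
    $spooler    = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    $remoteRpc  = Get-RegValueOrNull -Path $PrintersKey -Name 'RegisterSpoolerRemoteRpcEndPoint'
    $domainRole = (Get-CimInstance -ClassName Win32_ComputerSystem).DomainRole   # 4 or 5 = domain controller
    $isDC       = $domainRole -ge 4

    if ($spooler -and $spooler.Status -eq 'Running') {
        if ($isDC) {
            $recommended.Add('Print Spooler is running on a domain controller (Microsoft recommends disabling it there)')
        } elseif ($remoteRpc -ne 2) {
            $recommended.Add('Print Spooler still accepts remote client connections (RegisterSpoolerRemoteRpcEndPoint is not 2)')
        }
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        IsDomainController = $isDC
        SpoolerStatus      = if ($spooler) { $spooler.Status.ToString() } else { 'NotInstalled' }
        SpoolerStartType   = if ($spooler) { $spooler.StartType.ToString() } else { 'n/a' }
        UpdateEffective    = ($required.Count -eq 0)   # $false means the July patch does not protect this host
        RequiredFixes      = $required.ToArray()
        RecommendedFixes   = $recommended.ToArray()
    }
}

Test-PrintNightmareMitigation | Format-List
```

UpdateEffective is the answer to the question Microsoft's FAQ poses; the recommended list is the extra hardening an admin would typically apply on the same pass. Run it across a fleet with Invoke-Command and filter on UpdateEffective -eq $false to find hosts where the patch is installed but neutralised by Group Policy.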
Another exploited vulnerability is a Critical Windows scripting engine memory corruption flaw (CVE-2021-34448). The attack method associated with it is apparently complex, and so Microsoft assessed it at the CVSS 6.8 level, but that lower score may not matter because it's under active attack, Childs noted. He advised IT pros to "treat this as critical since it could allow code execution on every supported version of Windows." An attacker exploiting CVE-2021-34448 could gain full user rights, noted Jay Goodman, director of product marketing at security solutions company Automox, in patch Tuesday commentary by Automox experts.
Also under active attack are two Important Windows kernel elevation-of-privilege vulnerabilities (CVE-2021-31979 and CVE-2021-33771), rated at CVSS 7.8.
Publicly Known CVEs
Six July vulnerabilities are labeled as publicly known before Microsoft's patch Tuesday release. Because details were already public, attackers had a head start, so the risk is greater for organizations that leave these unpatched.
The Windows print spooler vulnerability (CVE-2021-34527) is publicly known. Here are the others, per ZDI's count:
- CVE-2021-34473, a Critical (CVSS 9.1) Microsoft Exchange Server vulnerability that could enable remote code execution
- CVE-2021-33781, an Important (CVSS 8.1) Active Directory bypass vulnerability
- CVE-2021-34523, an Important (CVSS 9.0) Microsoft Exchange Server vulnerability that could enable elevation-of-privilege
- CVE-2021-33779, an Important Windows Active Directory Federation Services bypass vulnerability
- CVE-2021-34492, an Important (CVSS 8.1) Windows certificate spoofing flaw
Exchange Server Patches...from April
Security researchers are noting that the July bundle lists seven Exchange Server patches, but just four of them are for new vulnerabilities. The others correspond to Exchange Server fixes Microsoft released back in April that apparently weren't documented at the time and are only now being listed in the July bundle.
Undocumented patches can be problematic for organizations, Childs noted:
Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.
Microsoft seems to have a different view, and recently moved to providing less descriptive Knowledge Base articles in its "Security Update Guide." However, it's also possible that Microsoft may have been too busy trying to patch Exchange back in April.
Back then, Microsoft was patching Exchange Server flaws uncovered by the U.S. National Security Agency, noted Satnam Narang, staff research engineer at security solutions firm Tenable.
"In the April 2021 Patch Tuesday release, Microsoft patched four other critical Exchange Server vulnerabilities that were credited to the NSA, which followed an out-of-band patch in March that addressed four zero-days in Exchange Server that had been exploited in the wild, including ProxyLogon," Narang noted via e-mail.
Security researchers pointed to a few other noteworthy security vulnerabilities in this month's patch bundle.
Windows DNS Server has 11 vulnerabilities getting patched this month, according to Bunn. He noted that two of them could become serious problems should working exploits appear, because of the "network exposure of DNS servers":
Administrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are CVE-2021-34494 and CVE-2021-33780. Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network.
Another vulnerability called out by security researchers is CVE-2021-34458, a Critical Windows kernel vulnerability that could enable remote code execution. It's associated with use of the single root I/O virtualization (SR-IOV) interface, a PCI Express capability that lets one physical device present multiple virtual functions that can be assigned to different virtual machines.
The use of SR-IOV is associated with virtual machine hosting, according to a description by Chad McNaughton, technical community manager at Automox:
This issue [CVE-2021-34458] allows an SR-IOV device which is assigned to a guest to potentially interfere with its PCIe siblings which are attached to other guests or to the root. In short, SR-IOV devices allow your virtual machines to share resources on a single, physical interface on your server. Those that host virtual machines from a Windows instance or manage a server that includes the required hardware with SR-IOV devices could be affected by this vulnerability and should deploy the security update within 72 hours.
McNaughton described the exploit of CVE-2021-34458 as "requiring low privileges and no user interaction."
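Both of the prioritization points above (the network-exposed DNS Server flaws CVE-2021-34494 and CVE-2021-33780, and the SR-IOV kernel flaw CVE-2021-34458 that only matters on hosts handing PCIe functions to guests) come down to a per-host question: does this machine actually have the exposed role? The following is an added example written for this article, not code from Rapid7, Automox or Microsoft; it assumes Windows Server with PowerShell 5.1, skips the Hyper-V checks when that module is absent, and the function name and output fields are this example's own.

```powershell
# Added example (not from the article, Rapid7, Automox or Microsoft): per-host triage for the
# DNS Server flaws (CVE-2021-34494 / CVE-2021-33780) and the SR-IOV kernel flaw (CVE-2021-34458).
# Assumes Windows Server with PowerShell 5.1; Hyper-V checks run only if that module is present.
# Get-JulyPatchExposure and its output field names are this example's own.

function Get-JulyPatchExposure {
    $r = [ordered]@{ ComputerName = $env:COMPUTERNAME }

    # --- Windows DNS Server: the two RCEs are remote, unauthenticated and run as SYSTEM ---
    $dns = Get-Service -Name DNS -ErrorAction SilentlyContinue
    $r.DnsServerInstalled = [bool]$dns
    $r.DnsServerRunning   = [bool]($dns -and $dns.Status -eq 'Running')
    # What an attacker can reach is a listening socket, so check both transports on port 53.
    $r.DnsListening = [bool]((Get-NetUDPEndpoint -LocalPort 53 -ErrorAction SilentlyContinue) -or
                             (Get-NetTCPConnection -LocalPort 53 -State Listen -ErrorAction SilentlyContinue))

    # --- SR-IOV / PCIe pass-through: only Hyper-V hosts that expose device functions to guests ---
    $r.HyperVHost          = [bool](Get-Module -ListAvailable -Name Hyper-V)
    $r.SrIovSwitches       = @()
    $r.SrIovAdapters       = @()
    $r.AssignedPcieDevices = @()
    if ($r.HyperVHost) {
        Import-Module Hyper-V -ErrorAction Stop
        # Virtual switches created with -EnableIov can hand virtual functions (VFs) to guests.
        $r.SrIovSwitches = @(Get-VMSwitch | Where-Object IovEnabled | Select-Object -ExpandProperty Name)
        # A VM NIC with IovWeight > 0 has requested a VF on such a switch.
        $r.SrIovAdapters = @(Get-VMNetworkAdapter -VMName * | Where-Object { $_.IovWeight -gt 0 } |
                             ForEach-Object { "$($_.VMName):$($_.Name)" })
        # Discrete Device Assignment gives a whole PCIe device (GPU, NVMe, NIC) to a guest.
        $r.AssignedPcieDevices = @(Get-VM | ForEach-Object {
            $vmName = $_.Name
            Get-VMAssignableDevice -VMName $vmName -ErrorAction SilentlyContinue |
                ForEach-Object { "${vmName}:$($_.InstanceID)" }
        })
    }
    $r.SrIovInUse = ($r.SrIovAdapters.Count -gt 0 -or $r.AssignedPcieDevices.Count -gt 0)

    # Prioritization: a reachable DNS server or a host sharing PCIe functions with guests goes first.
    $r.Priority = if ($r.DnsListening -or $r.SrIovInUse) { 'Patch first (within 72 hours)' } else { 'Normal cadence' }
    [pscustomobject]$r
}

Get-JulyPatchExposure | Format-List
```

Running this through Invoke-Command against the server estate and sorting on Priority gives the short list Bunn and McNaughton are describing: DNS servers that are actually listening, and Hyper-V hosts where an SR-IOV device is attached to a guest, rather than every machine that merely has the binaries installed.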
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.