Exchange admins finally caught a patching break this month, but Windows admins should try to speed up the deployment of security updates to handle six Windows zero-days resolved on June Patch Tuesday.
Microsoft fixed 49 new unique vulnerabilities and updated two previously released patches this month. Of the six zero-days, two had been publicly disclosed. All zero-days affect the Windows desktop and server OSes. Exchange admins, who had been subjected to deploying multiple patches from March through May this year, got a reprieve with no security updates this month for the besieged messaging platform.
An admin can resolve all of this month's zero-days by applying the Windows OS rollup. Some of the flaws have relatively low Common Vulnerability Scoring System (CVSS) scores in the 5.x range; many admins use the CVSS score as a guide to determine how quickly they should roll out a patch, which risks leaving these actively exploited bugs at the back of the queue.
“One thing for companies to keep in mind is vendor severities, and CVSS scores don’t always tell the full story,” said Chris Goettl, senior director of product management for security products at Ivanti. “This month emphasizes the importance of risk-based vulnerability management. We need to look at other indicators and trends to really understand what is at most danger in the environment.”
Multiple Windows zero-days plugged by patches
Goettl said many operations teams and security teams continue to operate in silos. Oftentimes, crucial details, such as information about public disclosures or public exploits, will only be readily available to the security team via its tools. A lack of communication between the groups could put the organization in danger.
Unless they have access to more sophisticated patch management tools to uncover valuable data, such as a zero-day with a relatively low CVSS score, administrators will continue to stumble in the dark because it takes significant effort to find this information via Windows Server Update Services or System Center Configuration Manager, Goettl said.
“On the Microsoft side, they have some capabilities within their broader security suites with dashboards to give you this information about your exposure level, but a lot of times, it’s just the security team, not the operations team, that’s seeing those dashboards,” he said.
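To make the point about CVSS scores concrete, here is an added example (not from the article, and not an Ivanti tool) that ranks a handful of this month's updates the way a risk-based process would: exploitation in the wild first, then public disclosure or a critical vendor rating, and only then the CVSS number. The records are constructed from facts stated in the article; where the article does not give a base score the field is left as None rather than guessed, and the tiering rules are this example's own assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    cve: str
    title: str
    severity: str                  # vendor severity: "critical" or "important"
    cvss: Optional[float] = None   # None where the base score is not known
    exploited: bool = False        # exploited before the fix shipped (zero-day)
    publicly_disclosed: bool = False


# Vendor severity order used to break ties inside a risk tier.
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2, "low": 3}


def risk_tier(v: Vuln) -> int:
    """Assumed tiering rule: lower is more urgent.

    Tier 0: exploited in the wild, whatever the CVSS score says.
    Tier 1: publicly disclosed (exploit details are out) or rated critical.
    Tier 2: everything else, ordered by severity and CVSS.
    """
    if v.exploited:
        return 0
    if v.publicly_disclosed or v.severity == "critical":
        return 1
    return 2


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Risk-based order: tier, then vendor severity, then CVSS (highest first)."""
    return sorted(
        vulns,
        key=lambda v: (risk_tier(v), SEVERITY_RANK.get(v.severity, 9), -(v.cvss or 0.0)),
    )


def by_cvss_only(vulns: List[Vuln]) -> List[Vuln]:
    """The naive order many admins use: CVSS base score alone, highest first."""
    return sorted(vulns, key=lambda v: -(v.cvss or 0.0))


# Constructed sample built from the article's own statements about June 2021 Patch Tuesday.
JUNE_2021_SAMPLE = [
    Vuln("CVE-2021-31955", "Windows kernel information disclosure", "important",
         cvss=5.5, exploited=True),
    Vuln("CVE-2021-33742", "Windows MSHTML Platform RCE", "critical",
         exploited=True, publicly_disclosed=True),
    Vuln("CVE-2021-31968", "Windows Remote Desktop Services DoS", "important",
         publicly_disclosed=True),
    Vuln("CVE-2021-31938", "VS Code Kubernetes Tools Extension EoP", "important",
         cvss=7.3),
    Vuln("CVE-2021-31963", "SharePoint (critical)", "critical"),
]


if __name__ == "__main__":
    print("CVSS-only order:")
    for v in by_cvss_only(JUNE_2021_SAMPLE):
        print(f"  {v.cve}  cvss={v.cvss}  {v.title}")
    print("Risk-based order:")
    for v in prioritize(JUNE_2021_SAMPLE):
        print(f"  tier {risk_tier(v)}  {v.cve}  cvss={v.cvss}  {v.title}")
```

Sorting by CVSS alone puts the 7.3 developer-tools bug at the top and the exploited 5.5 kernel bug second; the risk-based order moves both zero-days ahead of it. The same key function can be fed by whatever source the security team's tooling exports, which is the data the operations team usually cannot see from WSUS or Configuration Manager.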
A Windows kernel information disclosure vulnerability (CVE-2021-31955) rated important has a CVSS score of 5.5 and affects Windows Server 2019 and later versions of Windows 10. Goettl said attackers could use the exploit to set themselves up to look for passwords and other sensitive information.
A Windows NTFS elevation-of-privilege vulnerability (CVE-2021-31956) rated important for supported Windows client and server OSes requires a local user to interact with the malicious content, such as a file or email attachment, to trigger the exploit. Attackers use this type of vulnerability in advanced persistent threat breaches to gain traction and move more freely through the environment, Goettl said.
A Windows MSHTML Platform remote-code execution vulnerability (CVE-2021-33742) rated critical affects all supported versions of Windows and could let an attacker run code on the target system. The exploit requires user interaction, such as opening an email or going to a malicious website. Microsoft noted that information about this zero-day was known before the release of the security update.
Two elevation-of-privilege vulnerabilities rated important in the Microsoft enhanced cryptographic provider (CVE-2021-31199 and CVE-2021-31201) affect both Windows client and server OSes. These fixes relate to an Acrobat Reader zero-day exploit (CVE-2021-28550), corrected by Adobe last month, that targeted users on Windows systems.
“The combination of all three patches is required to completely protect the system from the three vulnerabilities,” Goettl said.
Also designated as publicly disclosed, the last zero-day is a Microsoft DWM Core Library elevation-of-privilege vulnerability (CVE-2021-33739) rated important that affects a limited set of Windows 10 and Windows Server versions. The attacker can gain full control of the system without user interaction.
Admins will get déjà vu with two security updates
Microsoft reissued two earlier patches to cover more affected products.
CVE-2021-28455 is a Microsoft Jet Red Database Engine and Access Connectivity Engine remote-code execution vulnerability rated important that involves a wide range of products, such as Microsoft Office 2019 and the Windows client and server OSes. Microsoft released the security update last month and updated it for June Patch Tuesday to include Microsoft Access 2013 and Microsoft Access 2016.
CVE-2020-0835 is a Windows Defender Antimalware Platform Hard Link elevation-of-privilege vulnerability released on April 14, 2020, and updated for June Patch Tuesday to include more affected systems, specifically Windows 8.1 and Windows 10, version 1507. Unless affected systems are disconnected from the internet, the application should update without intervention from administrators.
Microsoft noted some vulnerability scanners will issue warnings when they find the Microsoft Defender binaries, but organizations that disabled the antimalware platform are not susceptible to the flaw.
Other security updates of note for June Patch Tuesday
The last publicly disclosed vulnerability is a Windows Remote Desktop Services denial-of-service vulnerability (CVE-2021-31968) rated important that affects supported Windows systems.
Rated important, a Microsoft Visual Studio Code Kubernetes Tools Extension elevation-of-privilege vulnerability (CVE-2021-31938) has a base CVSS score of 7.3. Goettl said updates for these developer tools can fall into a gray area.
“In an organization that’s doing its own development, the IT admins probably don’t even have access to those tools, so the patching is entirely up to the developers,” he said.
Microsoft addressed vulnerabilities related to its Office products, including a remote-code execution flaw in Excel (CVE-2021-31939), two remote-code execution bugs in Microsoft Office Graphics (CVE-2021-31940 and CVE-2021-31941) and a Microsoft Outlook remote-code execution vulnerability (CVE-2021-31949), all rated important. The preview pane is not an attack vector for any of these vulnerabilities. To trigger the exploit, a user would need to open a specially crafted file either from an email or from a website.
Administrators who manage the SharePoint collaboration platform have seven security updates with one rated critical (CVE-2021-31963) and the remainder rated important (CVE-2021-26420, CVE-2021-31948, CVE-2021-31950, CVE-2021-31964, CVE-2021-31965 and CVE-2021-31966) that Goettl said should also be a priority for the operations team.