By Jon Munshaw, with contributions from Jaeson Schultz.
Microsoft released its monthly security update Tuesday, disclosing 117 vulnerabilities across its suite of products, by far the most in a month this year. Today’s Patch Tuesday includes three vulnerabilities that Microsoft states are being exploited in the wild, which we will cover in more detail.
There are 13 critical vulnerabilities patched in this month, and there is one low- and moderate-severity vulnerability each. The remainder are considered “important.”
Most notably, Microsoft has released an update to patch the “PrintNightmare” vulnerability in its print spooler function that could allow an attacker to execute remote code. This vulnerability was first disclosed in April, though security researchers later discovered it could be exploited in a more serious way than initially thought. Microsoft attempted to fix the vulnerability with an out-of-band release earlier this month, though it’s believed the vulnerability could still be exploited.
For more on this, check out Talos’ blog with our associated protections and analysis.
Other products included in this month’s Patch Tuesday include Hyper-V, Microsoft Defender and Windows DNS. For a full rundown of these CVEs, head to Microsoft’s security update page.
Besides the print spooler vulnerability, there is one other issue attackers have exploited in the wild, according to Microsoft. CVE-2021-34448 is a memory corruption vulnerability in the Scripting Engine that is triggered when the user opens a specially crafted file, either attached to an email or a compromised website.
There is another critical vulnerability, CVE-2021-34473, in Microsoft Exchange Server. This vulnerability was already patched in Microsoft’s April security update but was mistakenly not disclosed. Users who already installed the April 2021 update are already protected from this vulnerability, though it is worth noting that this issue was part of a series of zero-days in Exchange Server used in a wide-ranging APT attack.
Microsoft Defender, the company’s built-in anti-virus software to most of its machines, also contains a critical vulnerability: CVE-2021-34464. This issue could allow an attacker to execute remote code on the victim machine. However, users do not need to take any actions to resolve this issue, as the update will automatically install. The company has listed steps in its advisory users can take to ensure the update is properly installed.
We would also like to highlight three vulnerabilities in SharePoint Server that could allow an attacker to execute remote code on the victim machine. CVE-2021-34520, CVE-2021-34467 and CVE-2021-34468 all are “important.” However, Microsoft reports that exploitation is “more likely” in these vulnerabilities.
There are several other important vulnerabilities that are also classified as being “more likely” to be exploited:
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 57890, 57891, 57894 - 57897 and 57906 - 57910.