By Jon Munshaw, with contributions from Edmund Brumaghin.
Microsoft released its monthly security update Tuesday, disclosing 51 vulnerabilities across its suite of products, breaking last month’s 16-month record of the fewest vulnerabilities disclosed in a month by the company.
There are only four critical vulnerabilities patched in this month, while all the other ones are considered “important.” However, there are several vulnerabilities that Microsoft states are being actively exploited in the wild.
This month’s security update provides updates for several pieces of software and Windows functions, including SharePoint Server, the Windows kernel and Outlook. For a full rundown of these CVEs, head to Microsoft’s security update page. Two of the vulnerabilities Microsoft disclosed today are related to a separate vulnerability in Adobe Acrobat Reader. Microsoft released fixes for CVE-2021-31199 and CVE-2021-31201 in its Enhanced Cryptographic Provider. An attacker could elevate their privileges on the targeted system if they trick a user into opening a specially crafted PDF file in a vulnerable version of Adobe Acrobat or Adobe Reader while the software is running on an affected version of Windows. Microsoft stated in its advisories that it’s seen these vulnerabilities be exploited in the wild.
Adobe also addressed this issue in their monthly security update in May, releasing a patch for CVE-2021-28550. Users are encouraged to update affected versions of Windows and Adobe Acrobat to protect themselves from the exploitation of these vulnerabilities.
One of the critical vulnerabilities this month exists in the Windows Defender anti-malware software. CVE-2021-31985 could allow an attacker to execute remote code on the targeted machine. However, Microsoft stated the vulnerability, along with others identified in Windows Defender this month, will be updated automatically. Users can verify the update was downloaded and installed by verifying steps Microsoft outlined in its advisory.
CVE-2021-31939 is another remote code execution vulnerability. An attacker could exploit this vulnerability in Microsoft Office’s MSGraph component to deliver a malicious payload to the victim machine without any special functions, as this component is embedded in most Microsoft Office documents. Checkpoint first disclosed this vulnerability Tuesday.
Because the component can be embedded in most Office documents, an attacker can use it to deliver a malicious payload without the need for special functions.
Another vulnerability, a privilege escalation flaw in the DWM Core Library, has already been exploited in the wild, according to Microsoft. An attacker could trigger CVE-2021-33739 by running an executable or script on the local machine. Although this vulnerability has a CVSS score of 8.4 out of 10, Microsoft still considers it to be “important.”
Talos would also like to specifically highlight CVE-2021-31955, which an attacker could exploit to read the contents of Kernel memory from a user-mode process. Microsoft stated in its advisory that this vulnerability has also been actively exploited in the wild already.
A complete list of all the vulnerabilities Microsoft disclosed this month is available on its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 49388, 49389, 57722 - 57727, 57730 - 57733, 57735 and 57736.