Microsoft today released patches for 66 CVEs, two of which are publicly known and one of which is under attack, the company reports.
This month’s Patch Tuesday release addresses 66 vulnerabilities in Microsoft Windows, the Edge browser, Azure, Office, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. Three are classified as Critical, 62 as Important, and one as Moderate.
The vulnerability under active attack is remote code execution flaw CVE-2021-40444, which exists in Microsoft MSHTML, the browser engine built into Windows that allows the operating system to read and display HTML files. Microsoft disclosed the CVE last week in an advisory that warned it was being exploited in targeted attacks, along with mitigations and workarounds.
An attacker could exploit this vulnerability by embedding a specially crafted ActiveX control in an Office file and sending it to a victim. If opened, the malicious code would execute with the rights of the logged-in victim, meaning people with fewer user rights on the system may be less affected than those with administrative user rights, Microsoft says. The attack has low complexity and requires no privileges, but a successful exploit does require user interaction.
This flaw affects Windows 7 through Windows 10, and Windows Server 2008 to Windows Server 2019. While there have been no reports of active attacks beyond the targeted exploits Microsoft mentioned, organizations should update their systems now that a patch is available.
Security teams should also note CVE-2021-36965, a remote code execution vulnerability in the Windows WLAN AutoConfig Service. If exploited, this flaw could allow attackers on the same network as their victims to run their code on target machines at a system level. It’s labeled Critical, with a CVSS 3.0 score of 8.8 and no privileges or user interaction required to exploit.
“It specifically relies on the attacker being located in the same network, so it would not be surprising to see this vulnerability used in combination with another CVE/attack to achieve an attacker’s end goal,” says Danny Kim, principal architect at Virsec.
The highest-rated patch this month is CVE-2021-38647, an Open Management Infrastructure (OMI) remote code execution bug with a CVSS 3.0 score of 9.8. An attacker could exploit this by sending a specially crafted message via HTTPS to port 5986, also known as the WinRM port, on a vulnerable system.
Microsoft notes that “some Azure products, such as Configuration Management, expose an HTTP/S port for interacting with OMI,” or port 5986. “The configuration where the HTTP/S listener is enabled could allow remote code execution. It is important to mention that most Azure services that use OMI deploy it without exposing the HTTP/S port.”
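A defender-side check for the exposure Microsoft describes, added here as an example that is not part of the article or of Microsoft's guidance: it parses an OMI server configuration and reports whether the HTTP/S listeners are enabled. The file path /etc/opt/omi/conf/omiserver.conf and its httpport/httpsport keys (a value of 0 disables that listener) are assumed from the OMI project's documentation, not taken from the article; the sample configurations are constructed.

```python
"""Offline check of an OMI server configuration for exposed HTTP/S listeners.

Assumption (from OMI documentation, not from the article): the server reads
key=value settings from /etc/opt/omi/conf/omiserver.conf, where `httpport`
and `httpsport` give the TCP listener ports and 0 disables that listener.
"""
import re

# Constructed sample: an OMI host that exposes both remote listeners.
SAMPLE_EXPOSED = """\
# omiserver.conf (constructed sample)
httpport=5985
httpsport=5986
loglevel=WARNING
"""

# Constructed sample: the hardened shape, TCP listeners disabled.
SAMPLE_LOCAL_ONLY = """\
httpport=0
httpsport=0
loglevel=WARNING
"""

KEY_VALUE = re.compile(r"^\s*([A-Za-z_]+)\s*=\s*(.*?)\s*$")


def parse_omiserver_conf(text):
    """Return settings as a dict, skipping blank lines and # comments."""
    conf = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        match = KEY_VALUE.match(line)
        if match:
            conf[match.group(1).lower()] = match.group(2)
    return conf


def exposed_listeners(conf):
    """Classify each HTTP/S listener as enabled, unparseable, or not set."""
    findings = []
    for key, scheme in (("httpport", "http"), ("httpsport", "https")):
        if key not in conf:
            findings.append((scheme, None, "not set; verify the compiled-in default"))
            continue
        try:
            port = int(conf[key])
        except ValueError:
            findings.append((scheme, conf[key], "unparseable"))
            continue
        if port > 0:
            findings.append((scheme, port, "enabled"))
    return findings


def has_remote_listener(text):
    """True when the configuration opens at least one remote HTTP/S listener."""
    return any(f[2] == "enabled" for f in exposed_listeners(parse_omiserver_conf(text)))
```

An enabled listener in the file is not the same as reachability: host firewall and network security group rules still decide whether port 5985 or 5986 is exposed beyond the host, so treat a positive result as a prompt to check those and the OMI version, not as proof of exposure.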
Another patch to prioritize is CVE-2021-36968, an elevation of privilege vulnerability in Windows DNS that is publicly known and has a CVSS 3.0 score of 7.8. Microsoft provided few details but noted an attack requires low attack complexity, low privileges, and no user interaction. This one affects Windows 7, Windows Server 2008, and Windows Server 2008 R2.
The lack of executive summaries, which Microsoft removed from its vulnerability disclosures last year, is frustrating for security teams seeking more details.
“The executive summaries were a critical part of vulnerability and patch management and, across the board, the pain of their removal is still felt,” says Tyler Reguly, manager of security R&D at Tripwire. While this flaw has a high CVSS score, “there are absolutely no details to help admins understand what they are dealing with or where the risk is.”
And finally, today’s rollout brought three additional patches for Windows Print Spooler: CVE-2021-38667, CVE-2021-38671, and CVE-2021-40447. Print Spooler vulnerabilities have appeared regularly since the July 2021 disclosure of PrintNightmare. Security researchers continue to find new ways to target the service, and it’s expected they will keep exploring this area.