June 2021 Patch Tuesday: Microsoft fixes six actively exploited zero-days

On this June 2021 Patch Tuesday:

• Microsoft has fixed 50 security vulnerabilities, six of which are actively exploited zero-days
• Adobe has delivered security updates for Acrobat and Reader, After Effects, Photoshop, and other products
• Intel has patched a flurry of flaws in various solutions, though none are critical
• SAP has released 17 security notes and updated 2

Microsoft’s updates

On this June 2021 Patch Tuesday, Microsoft has splatted 5 critical and 45 important bugs. Three have been previously known, and six are actively exploited by attackers.

“At first glance, I thought this Patch Tuesday was going to be a light one – until I started digging into the technical details and uncovered (with some difficulty) a number of ‘exploitation detected’ vulnerabilities,” said Kevin Breen, Director of Cyber Threat Research at Immersive Labs.

“This tag means attackers are actively using them, so for me, it’s the most important piece of information we need to prioritize the patches. Sure, there are CVEs listed with a score of 9.4 – but a CVE with a score of 5.2 that is being actively exploited must take center stage and be patched as a matter of priority above the rest.”

Among these are:

CVE-2021-33742 – a RCE flaw in Windows Remote MSHTML Platform – a component used by the Internet Explorer engine to read and display content from websites.

“As such, visiting a website in a vulnerable browser is a simple way for attackers to deliver this exploit. As the library is used by other services and applications, emailing HTML files as part of a phishing campaign is also a viable method of delivery,” Breen explained.

Trend Micro Zero Day Initiative’s Dustin Childs agrees about its criticality, especially because it impacts all supported Windows versions.

CVE-2021-31201 and CVE-2021-31199 are two Microsoft Enhanced Cryptographic Provider Elevation of Privilege vulnerabilities linked to an Adobe Reader RCE bug fixed last month.

“Attackers have been targeting Adobe Reader users on Windows, likely in the form of PDF files delivered to targets either as attachments or downloaded directly from websites. Remember that the PDF format can be used to run other applications, so it’s likely that this collection of CVEs is being used as the initial infection point via targeted phishing attacks,” Breen noted.

CVE-2021-31955 and CVE-2021-31956 are a Windows Kernel Information Disclosure vulnerability and a Windows NTFS Elevation of Privilege vulnerability (respectively), which have been discovered by Kaspersky Lab researchers and, according to Bharat Jogi, Senior manager, Vulnerability and Threat Research at Qualys, “were used in conjunction with Google Chrome and were at the root of a chain of exploits in highly targeted attacks against multiple companies.”

CVE-2021-33739 is an elevation of privilege zero-day vulnerability in the Microsoft Desktop Window Manager (DWM) Core Library.

“For context, Microsoft patched two elevation of privilege vulnerabilities in February (CVE-2021-1732) and April (CVE-2021-28310) which appear to be linked to a threat actor known as BITTER APT. In the case of CVE-2021-28310, researchers linked the flaw to the dwmcore.dll file. Given that CVE-2021-33739 is credited to the same researchers who found CVE-2021-1732 in February, and was discovered in the same core library as CVE-2021-28310, it is feasible this is another zero-day being leveraged by the same BITTER APT group,” commented Satnam Narang, staff research engineer at Tenable.

Finally, Childs also believes that patching CVE-2021-31962, a Kerberos AppContainer Security Feature Bypass vulnerability should be prioritized.

Adobe’s updates

Adobe has released 10 security updates addressing 39 CVEs in: Adobe Connect, Acrobat and Reader, Photoshop, Experience Manager, Creative Cloud (desktop app), RoboHelp Server, Photoshop Elements, Premiere Elements, After Effects and Animate.

Of these, the Acrobat and Reader updates should be a priority, as the software is widely used and they fix two critical flaws that could allow arbitrary code execution if a user opens a specifically crafted PDF file.

The Experience Manager update should be prioritized next, as it resolves vulnerabilities that could result in arbitrary JavaScript execution in the browser, and so should the After Effects update, as it fixes, among other things, three RCE flaws.

None of the vulnerabilities fixed in this batch of security updates are under active attack.

Other updates

Intel has released a very large stack of security advisories and patches, but none fix critical vulnerabilities.

SAP has dropped 17 security notes and updated 2. Among the fixed vulnerabilities the most critical one is an Improper Authentication vulnerability in SAP NetWeaver AS ABAP and ABAP Platform that can be used to bypass protection against external calls.

“This enabled a malicious user to abuse stolen credentials from an internal communication between two servers of the same system for external RFC or HTTP calls. The credential data could be used to establish an own connection between a malicious external program and the affected SAP system pretending to be an internal caller,” Onapsis researcher Thomas Fritsch explained.