July 2021 Patch Tuesday: Microsoft fixes 4 actively exploited bugs

On this July 2021 Patch Tuesday:

• Microsoft has fixed 117 CVEs, 4 of which are actively exploited
• Adobe has delivered security updates for Acrobat and Reader, Bridge, Framemaker, Illustrator, and Dimension
• VMware has fixed two vulnerabilities in VMware ESXi and VMware Cloud Foundation
• SAP has released 12 security notes and updated 3
• Intel has fixed an EOP bug affecting some of its Xeon and Core X-series processors
• Mozilla has upgraded Firefox and Firefox ESR, fixed security flaws and improved security features

Microsoft

Microsoft has released patches for 117 CVEs, 13 of which are considered to be critical. 6 of the total are publicly known, and 4 are actively exploited (including CVE-2021-34527, aka PrintNightmare).

“There have been reports the patch [for CVE-2021-34527] is ineffective, but Microsoft insists it works – provided certain registry keys have the correct values,” noted Dustin Childs, with Trend Micro’s Zero Day Initiative.

“Enterprises should verify these registry keys are configured as intended and get this patch rolled out. It’s also a fine time to disable the Print Spooler service wherever it isn’t needed and restrict the installation of printer drivers to just administrators.”

He also singled out CVE-2021-34448, an actively exploited Scripting Engine memory corruption vulnerability as worthy of a quick patch implementation. Even though there’s no indication of how widespread the attack leveraging it is, he says, it should be treated as critical since it could allow code execution on every supported version of Windows.

“[CVE-2021-34448] is elegant in its simplicity, letting an attacker gain remote code execution just by getting the target to visit a domain. With malicious, yet professional looking, domains carrying valid TLS certificates a regular feature nowadays, seamless compromise would be a trivial matter. Victims could even be attacked by sending .js or .hta files in targeted phishing emails,” noted Kevin Breen, Director of Cyber Threat Research at Immersive Labs.

“A pair of Windows kernel privilege elevation flaws (CVE-2021-33771 and CVE-2021-31979) should also be high on the patch list as they are being actively exploited. These are exactly the type of vulnerabilities in the ransomware attack toolkit, allowing threat actors to boost their user level from user to admin, for greater control over the environment. Admins should keep an eye on existing and new accounts for suspicious activity.”

Another Windows kernel flaw – CVE-2021-34458, potentially leading to remote code execution – has been singled out by Childs.

“This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.”

Among the less critical vulnerabilities fixed by Microsoft this month is a security feature bypass vulnerability (CVE-2021-34466) in the Windows Hello passwordless authentication system, discovered and detailed by CyberArk researchers.

But security researcher Omer Tsarfati says that Microsoft’s patch may not fully mitigate the issue.

“Based on our preliminary testing of the mitigation, using Enhanced Sign-in Security with compatible hardware limits the attack surface but is dependent on users having specific cameras. Inherent to system design, implicit trust of input from peripheral devices remains. To mitigate this inherent trust issue more comprehensively, the host should validate the integrity of the biometric authentication device before trusting it. We are continuing our investigation,” he told Help Net Security.

Adobe

To mark the July 2021 Patch Tuesday, Adobe has addressed 29 CVEs, most of which are critical.

The Acrobat and Reader security updates should be prioritized, as these (PDF creating and viewing) solutions are more widely used and, consequently, opportunistic attackers are more likely to exploit their flaws than those in Adobe Bridge (digital asset management software) or Adobe Dimension (3D rendering and design software).

The Acrobat and Reader security updates also fix the larger batch of flaws, many of which may allow attackers to achieve arbitrary code execution.

The rest of the security advisories accompanying the other updates can be found here: users should review them and implement the updates at their discretion.

None of the vulnerabilities are actively exploited.

VMware

VMware has plugged two privately reported security holes in VMware ESXi and VMware Cloud Foundation. One is an authentication bypass vulnerability in ESXi’s Small Footprint CIM Broker (CVE-2021-21994), the other one a heap out-of-bounds read issue in the SLP service that could lead to DDoS (CVE-2021-21995).

Users can upgrade to a fixed version or, alternatively, temporarily disable the affected services on the affected host.

SAP

SAP has released 12 new security notes and updated 3 previously released ones. Two of the latter should be given priority (they are, as SAP defines it, “Hot News”), and they cover vulnerabilities in SAP Business Client and SAP NetWeaver AS ABAP and ABAP Platform.

“Since there are only two updated HotNews Notes and two new High Priority Notes, SAP’s July Patch Day can be considered a fairly uneventful patch day,” Onapsis researcher Thomas Fritsch commented, but warned that a note’s CVSS score does not necessarily take into account the worst case scenario.

“The assigned numerical level of severity does not consider the impact of subsequent attacks that could occur or attacks that might gain a broader attack surface through an exploit of the given vulnerability.”

Intel

Intel has released one security advisory on this July 2021 Patch Tuesday: for an escalation of privilege vulnerability (CVE-2021-0144) in the customer build time configuration for the Intel BIOS Shared SW Architecture (BSSA) Design for Test (DFT) feature.

It affects several of its Xeon and Core X-series processor families, and Intel advises affected users to get the latest BIOS firmware version from the system manufacturer.

Mozilla

Mozilla has upgraded Firefox to version 90 and Firefox ESR to version 78.12, simultaneously fixing a variety of security flaws – though none critical.

Firefox 90 also contains some additional security improvements, such as:

• A new version the SmartBlock tracker blocking mechanism built into Firefox Private Browsing and Strict Mode, and
• Support for Fetch Metadata Request Headers, to stymie cross-origin threats – including speculative cross-site execution side channel (aka Spectre) attacks – targeting web applications