🔒
There are new articles available, click to refresh the page.
Before yesterdayZero Day Initiative - Blog

The November 2021 Security Update Review

9 November 2021 at 18:26

The second Tuesday of the month is upon us, and with it comes the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for November 2021

For November, Adobe released only three patches correcting four CVEs in Creative Cloud Desktop, InCopy, and RoboHelp. The patch for Creative Cloud fixes a single Important-rated denial-of-service (DoS) bug. The InCopy patch fixes two bugs, including a Critical-rated code execution. The release for RoboHelp Server is listed as a security hotfix rather than a security patch, but it’s not clear why there’s a difference in the nomenclature. Either way, a Critical-rated arbitrary code execution bug is being fixed, so if you still use RoboHelp, apply this hotfix.

If this seems especially light, Adobe did release fixes for more than 80 CVEs in late October for critical code execution flaws, privilege escalation, denial-of-service, and memory leaks across multiple products. None of these fixes were listed as under active attack, so it’s unclear why Adobe released so many patches out of band.

None of the patches released today by Adobe are listed as being publicly known or under active attack at the time of release.

Microsoft Patches for November 2021

For November, Microsoft released patches today for 55 new CVEs in Microsoft Windows and Windows Components, Azure, Azure RTOS, Azure Sphere, Microsoft Dynamics, Microsoft Edge (Chromium-based), Exchange Server, Microsoft Office and Office Components, Windows Hyper-V, Windows Defender, and Visual Studio.

Historically speaking, 55 patches in November is a relatively low number. Last year, there were more than double this number of CVEs fixed. Even going back to 2018 when there were only 691 CVEs fixed all year, there were more November CVEs fixed than in this month. Given that December is typically a slower month patch-wise, it causes one to wonder if there is a backlog of patches awaiting deployment due to various factors. It seems odd that Microsoft would be releasing fewer patches after seeing nothing but increases across the industry for years.

Of the CVEs patched today, six are rated Critical and 49 are rated as Important in severity. Four of these bugs came through the ZDI program. Four of these bugs are listed as publicly known two are listed as under active exploit at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with the two bugs listed as under active attack:

-       CVE-2021-42321 – Microsoft Exchange Server Remote Code Execution Vulnerability
This Exchange bug is listed by Microsoft as currently under active attack; however, authentication is listed as a requirement. As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible. Microsoft has also published this blog to aid Exchange administrators with their patch deployment.

-       CVE-2021-42292 – Microsoft Excel Security Feature Bypass Vulnerability
This patch fixes a bug that could allow code execution when opening a specially crafted file with an affected version of Excel. This is likely due to loading code that should be behind a prompt, but for whatever reason, that prompt does not appear, thus bypassing that security feature. It’s unclear if it’s a malicious macro or some other form of code loading within a spreadsheet, but I would be reluctant to open any unexpected attachments for a while. This is especially true for users of Office for Mac because there currently is no patch available for Mac users. They must wait for a future update to be protected. It’s also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as “proof of concept”.

-       CVE-2021-26443 – Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability
This patch addresses a guest-to-host escape through the virtual machine bus (VMBus). A user on a guest VM can send a specially crafted communication on the VMBus channel to the host OS that could result in arbitrary code execution on the underlying host. With a CVSS of 9.0, this is one of the more severe vulnerabilities fixed this month. Based on the CVE number, this has been known to Microsoft for a few months.

-       CVE-2021-38666 – Remote Desktop Client Remote Code Execution Vulnerability
While not as severe as a bug in the RDP Server, this bug in the RDP client is still worth prioritizing. If an attacker can lure a user to connect to a malicious RCP server, they could execute code on the connecting RDP client system. Again, this doesn’t reach the level of the Bluekeep bugs, but definitely something to watch.

Here’s the full list of CVEs released by Microsoft for November 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-42292 Microsoft Excel Security Feature Bypass Vulnerability Important 7.8 No Yes SFB
CVE-2021-42321 Microsoft Exchange Server Remote Code Execution Vulnerability Important 8.8 No Yes RCE
CVE-2021-43208 3D Viewer Remote Code Execution Vulnerability Important 7.8 Yes No RCE
CVE-2021-43209 3D Viewer Remote Code Execution Vulnerability Important 7.8 Yes No RCE
CVE-2021-38631 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 4.4 Yes No Info
CVE-2021-41371 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 4.4 Yes No Info
CVE-2021-42279 Chakra Scripting Engine Memory Corruption Vulnerability Critical 4.2 No No RCE
CVE-2021-42298 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-42316 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Critical 8.7 No No RCE
CVE-2021-26443 Microsoft Virtual Machine Bus (VMBus) Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2021-3711 OpenSSL: CVE-2021-3711 SM2 Decryption Buffer Overflow Critical 9.8 No No RCE
CVE-2021-38666 Remote Desktop Client Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-42278 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42282 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42287 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42291 Active Directory Domain Services Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-42302 Azure RTOS Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2021-42303 Azure RTOS Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2021-42304 Azure RTOS Elevation of Privilege Vulnerability Important 6.6 No No EoP
CVE-2021-26444 Azure RTOS Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2021-42301 Azure RTOS Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2021-42323 Azure RTOS Information Disclosure Vulnerability Important 3.3 No No Info
CVE-2021-41374 Azure Sphere Information Disclosure Vulnerability Important 6.7 No No Info
CVE-2021-41375 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-41376 Azure Sphere Information Disclosure Vulnerability Important 2.3 No No Info
CVE-2021-42300 Azure Sphere Tampering Vulnerability Important 6 No No Tampering
CVE-2021-41366 Credential Security Support Provider Protocol (CredSSP) Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42277 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2021-41373 FSLogix Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41368 Microsoft Access Remote Code Execution Vulnerability Important 6.1 No No RCE
CVE-2021-42275 Microsoft COM for Windows Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-41351 Microsoft Edge (Chrome based) Spoofing on IE Mode Important 4.3 No No Spoofing
CVE-2021-40442 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41349 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-42305 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-42276 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-42296 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41367 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41370 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42283 NTFS Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-41372 Power BI Report Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38665 Remote Desktop Protocol Client Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2021-42322 Visual Studio Code Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42319 Visual Studio Elevation of Privilege Vulnerability Important 4.7 No No EoP
CVE-2021-42286 Windows Core Shell SI Host Extension Framework for Composable Shell Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41356 Windows Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-36957 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41377 Windows Fast FAT File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-42280 Windows Feedback Hub Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2021-42288 Windows Hello Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-42284 Windows Hyper-V Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-42274 Windows Hyper-V Discrete Device Assignment (DDA) Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-41379 Windows Installer Elevation of Privilege Vulnerability Important 5.5 No No EoP
CVE-2021-42285 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41378 Windows NTFS Remote Code Execution Vulnerability Important 7.8 No No RCE

Looking at the remaining Critical-rated patches for November, the entries for Chakra and Dynamics (On-Prem) stand out. The Chakra patch fixes a bug that could allow an attacker to execute their own code on affected systems, usually in a browse-and-own or open-and open-and-own scenario. Microsoft doesn’t make it clear how the code execution on Dynamics would occur but considering the types of infrastructure and supply chains managed by Dynamics, this Critical-rated bug should be taken seriously.  The patch for Defender should be of concern for those disconnected from the Internet, but for others will likely not need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. You should still verify the version and manually apply the update if needed. Finally, Microsoft is releasing its update of an OpenSSL patch from August. This is a good reminder that if you ship open-source code, you should always check to ensure you’re shipping the latest, most secure version.

Moving on to the other code execution bugs, two can be found in the 3D Viewer. These were reported by ZDI’s Mat Powell, but Microsoft failed to meet our disclosure timeline. That’s why these are listed as publicly known as we published some details about these bugs back in June and July. The other code execution bugs mostly reside in one of the Office components. In these cases, opening a specially crafted file could lead to code execution. The final code exec bug resides in NTFS, but it’s not clear from Microsoft how this could work. They list no user interaction required, while also listing the vector as local. This removes the open-and-own scenario as well as the browse-to-a-remote-folder vector. This bug came through the THEORI team, who had quite the showing at the recent Pwn2Own Austin. Hopefully, they will release additional details in the near future.

There are 20 elevation of privilege (EoP) bugs patches in this release, with the most severe impacting NTFS, Active Directory Domain Service, and Azure RTOS. The NTFS bugs are confusing as they list no user interaction needed while still being a local vector with low privileges required. Those are the same ratings for the NTFS RCE bug, so it’s not clear how these are different. The patches for ADDS also should not be ignored as bugs here could make lateral movement within an enterprise easier. It’s also not clear how many people are using Azure RTOS, but they have a tough road ahead of them. They can’t just apply a patch. Instead, they will need to recompile their project with updated USBX source code then redeploy the new code. Failure to do so could result in an EoP if an attacker plugged in a malicious USB device. The remaining EoP patches fix more traditional issues where an attacker is required to log on to a system and run their own code to take advantage of an affected component.

There are some heavy-hitting information disclosure bugs being patched this month. First up are three patches for Azure RTOS that could lead to info disclosure, although Microsoft does not state what type of information could be disclosed. Again, a recompile and redeploy is required to stop a malicious USB attack. More disturbingly, there are two publicly known info disclosure bugs in RDP that could allow read access to Windows RDP client passwords by RDP administrators. That could be a game-changer to inside threats since we all know users would NEVER reuse a password – at least that’s what they swear to me (and this time, they mean it).

There’s also an info disclosure bug being fixed in FSLogix. This bug could allow an attacker to disclose user data redirected to the profile or Office container via FSLogix Cloud cache, which includes user profile settings and files. Surprisingly, only one of the 10 info disclosure bugs results in a leak consisting of unspecified memory contents.

Three info disclosure impact Azure Sphere devices, but these devices should receive updates automatically if they are connected to the internet. There’s also a tampering bug being fixed in Azure Sphere, but again, provided you are connected to the internet, there’s no action to take.

Looking at patches for denial-of-service (DoS) bugs, the most important is the one impacting Windows – not a subcomponent – Windows. A remote attacker with no permissions could create a DoS on all supported Windows versions (including Windows 11). It’s not clear if this would result in a system hang or a reboot, but either way, do not bypass this impactful DoS. The other two DoS bugs impact Hyper-V, and one of those requires GRE to be enabled.

Besides the Excel bug already mentioned, there’s only one other Security Feature Bypass (SFB) being fixed in November. This impacts Windows Hello on Windows 10 and Server 2019 systems. No details are provided, but just by the component and impact, it seems there’s a way to access affected systems without using a PIN, facial recognition, or fingerprint. If you use this feature for authentication, you may want to disable it until you are sure all affected systems are patched.

Finally, the November release contains fixes for four spoofing bugs, including one for Exchange that must be obvious when you look for it as eight different researchers are all acknowledged by Microsoft for reporting it. Of course, they provide no info on what sort of spoofing is being fixed by this patch, the other Exchange spoofing bug, or by the Edge (Chrome-based) spoofing bug while on IE Mode. Microsoft does state the fix for the Power BI Report Server addresses a Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF) vulnerability with the template file.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV90001.

Looking Ahead

The next Patch Tuesday falls on December 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The November 2021 Security Update Review

Pwn2Own Austin 2021 - Schedule and Live Results

2 November 2021 at 01:53

Welcome to Pwn2Own Austin 2021! This year’s consumer-focused event is our largest ever with 58 total entries from 22 different contestants. As with all of our contests now, you can follow along live on YouTube and Twitch. With attempts going every 30 minutes, is should be an exciting few days.

As always, we started the contest with a random drawing to determine the order of attempts. You can view the results here. Our schedule is so packed, we’ve extended to contest to a fourth day. The complete schedule for the contest is below (all times Eastern [GMT -4:00]). We will update this schedule with results as they become available.

Note: All times subject to change - You can watch the event live here.

Jump to Day Two Results; Day Three Results; Day Four Results

Tuesday, November 2

For a quick review of Day One, check out our recap video here.

1000 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Sam used a three-bug chain that included an unsafe redirect and a command injection to get code execution on the Western Digital My Cloud Pro Series PR4100. This successful demonstration earns him $40,000 and 4 Master of Pwn points.

1030 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Pham leveraged a logic error to compromise the WAN interface of the Cisco RV340 router. He earns $30,000 and 3 Master of Pwn points.

1100 - The Synacktiv (@Synacktiv) team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The Synacktiv team used a heap overflow to take over the Canon ImageCLASS printer and bring home the first Printer Category win in Pwn2Own history. They earn $20,000 and 2 points towards Master of Pwn.

1130 - trichimtrich and nyancat0131 targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi in the router category

SUCCESS - trichimtrich used an Out-Of-Bounds (OOB) Read to get a root shell via the LAN interface of the TP-Link AC1750 router. This earns him $5,000 and 1 point towards Master of Pwn.

1200 - The THEORI Team (@theori_io) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The THEORI team combined an OOB Read and a stack-based buffer overflow to take over the Western Digital My Cloud Pro Series PR4100 NAS device. They used a unique bug chain, so they earn the full $40,000 and 4 points towards Master of Pwn.

1230 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Bien Phamfrom Team Orca of Sea Security used a three-bug chain, including an auth bypass and a command injection, to take over the LAN interface of the Cisco RV340. This effor earns him $15,000 and 2 more Master of Pwn points.

1300 - Ken Gannon (@yogehi) of F-Secure Labs (@fsecurelabs) targeting the Samsung Galaxy S21 in the Mobile Phone category

FAILURE - Unfortunately, Ken could not get his exploit to work within the time allotted.

1400 - Bugscale targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Bugscale included known bugs. They still earn $20,000 and 2 Master of Pwn points.

1430 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The exploit chain used by the CrowdStrike team included some known bugs. They still earn $10,000 and 1.5 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to take over the Canon ImageCLASS printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

1530 - Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

SUCCESS - Bien Pham finishes Day 1 by using an OOB Read bug to take control of the TP-Link AC1750 router via the LAN interface. This earns him another $5,000 and 1 Master of Pwn point.

1630 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Sonos One Speaker in the home automation category

SUCCESS - The DEVCORE team used an integer underflow to gain code execution on the Sonos One Speaker. They earn $60,000 and 6 points towards Master of Pwn.

1700 - Gaurav Baruah (@_gauravb_) targeting the WAN interface of the Cisco RV340 in the router category

COLLISION - A partial collision. One of the bugs used by Gaurav was previously known. He still $22,500 and 2.5 Master of Pwn points.

1730 - The THEORI Team (@theori_io) targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The THEORI Team used a stack-based buffer overflow to get code execution on the 3TB My Cloud Home Personal Cloud from WD. This earns them $40,000 and 4 Master of Pwn points, giving them a 1 day total of $80,000 and 8 points.

1800 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The DEVCORE team used a stack-based buffer overflow to gain code execution on the HP Color LaserJet Pro. They earn another $20,000 and 2 Master of Pwn points, bringing their day 1 total to $100,000 and 10 Master of Pwn points.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

— trichimtrich and nyancat0131 targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - trichimtrich leveraged an integer overflow to gain code execution via the LAN interface of the NETGEAR R6700v3 router. They win another $5,000 and 1 more point towards Master of Pwn.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Team Flashback could not get their exploit to work within the time allotted.

— Bugscale targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Bugscale team combined an authorization bypass with a command injection bug to get code execution on the LAN interface of the NETGEAR router. They earn $5,000 and 1 Master of Pwn point.

— crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Mofoffensive Research Team combining a heap overflow and a stack-based buffer overflow to gain code execution on the LAN interface of the NETGEAR R6700 router. Their efforts earn $5,000 and 1 Master of Pwn point.

Wednesday, November 3

For a video overview of the Day Two results, see here.

1000 - NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The NCC Group leveraged a memory corruption bug three different ways (and overcame a timing issue) to get code execution on the Western Digital My Cloud Pro Series PR4100. They earn themselves $40,000 and 4 Master of Pwn points.

1030 - Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - The Flashback team of Pedro and Redek used an impressive stack-based buffer overflow to get code execution on the WAN interface of the Cisco RV340 router. They earn $30,000 and 3 Master of Pwn points.

1100 - Nicolas Devillers (@nikaiw), Jean-Romain Garnier, and Raphael Rigo (@_trou_) targeting the Canon ImageCLASS MF644Cdw in the printer category

SUCCESS - The team of Nicolas Devillers, Jean-Romain Garnier, and Raphael Rigo obtained code execution on the Canon ImageCLASS printer through a stack-based buffer overflow. This unique bug chain earns them $20,000 and 2 Master of Pwn points.

1130 - crixer (@pwning_me), Axel Souchet (@0vercl0k), @chillbro4201, and friends from Mofoffensive Research Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

FAILURE - Unfortunately, the Mofoffensive Team could not get his exploit to work within the time allotted.

1200 - The Synacktiv (@Synacktiv) team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - The Synacktiv team leveraged a configuration error bug to get code execution on the PR411. They earn $40,000 and 4 Master of Pwn points.

1230 - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the LAN interface of the Cisco RV340 in the router category

SUCCESS - Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab used 3 unique bugs, incuding an authorization bypass and a commange injection, to get code execution on the Cisco RV340 via the LAN interface. They earn $15,000 and 2 Master of Pwn points.

1300 - The STARLabs Team targeting the Samsung Galaxy S21 in the mobile phone category

COLLISION - The exploit chain used by the STARLabs team included a bug known by the vendor. They still earn $25,000 and 2.5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the Sonos One Speaker in the home automation category

SUCCESS - The Synacktiv team used a stack-based buffer over to compromise the Sonos One speaker and play us a tune. They earn $60,000 and 6 Master of Pwn points.

1430 - trichimtrich and nyancat0131 targeting the WAN interface of the Cisco RV340 in the router category

SUCCESS - trichmitrich used nearly all the time on the clock, but his command injection bug is unique. His takeover of the Cisco RV340 via the WAN interface earns him $30,000 and 3 Master of Pwn points.

1500 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The DEVCORE team successfully exploited the WD PR411, but the bugs they leveraged had been previously used in the competition. Their work still earns them $20,000 and 2 Master of Pwn points.

1530 - The STARLabs Team targeting the LAN interface of the TP-Link AC1750 Smart Wi-Fi Router in the router category

COLLISION - The STARLabs team exploited the LAN interface of the TP-Link AC1750 router, but they used a known bug. This still nets them $2,500 and .5 Master of Pwn points.

1600 - The Synacktiv (@Synacktiv) team targeting the Lexmark MC3224i in the printer category

SUCCESS - The Synacktiv team combined three unique bugs, including an unprivileged access bug and a command injection bug, to get code execution on the Lexmark MC3224i printer. They earn $20,000 and 2 more Master of Pwn points.

1700 - The STARLabs Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) of STARLabs team included bugs previously used in the contest. They still earn $20,000 and 2 Master of Pwn points.

1745 - The Synacktiv (@Synacktiv) team targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

COLLISION - The exploit chain used by the Synacktiv team included a bug used earlier in the competition. They still earn $10,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— The STARLabs Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The exploit chain used by Nguyễn Hoàng Thạch (hi_im_d4rkn3ss) and Phan Thanh Duy (PTDuy) of STARLabs took over the 3TB My Cloud Home Personal Cloud from WD using a bug previously seen in the competition. They still earn $20,000 and 2 Master of Pwn points.

— Diffense Team targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

COLLISION - In their Pwn2Own debut, the Diffense Team runs into a collision. They were able to exploit the Western Digital My Cloud Pro Series PR4100, but the bug they leveraged was also used on Day 1. They still earn $20,000 and two Master of Pwn points in their debut effort.

— Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the Lexmark MC3224i in the printer category

SUCCESS - The DEVCORE team used a code injection bug to take over the Lexmark MC3224i printer. This unique bug chain earned them $20,000 and 2 Master of Pwn points.

— NCC Group EDG (Alex Plaskett, Cedric Halbronn, Aaron Adams) targeting the Lexmark MC3224i in the printer category in the printer category

SUCCESS - The NCC Group again needed multiple attempts, but they successfully exploited the Lexmark MC3224i with a file write bug. The earn $20,000 and 2 Master of Pwn points.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, Bien could not get his exploit to work within the time allotted.

— Bien Pham (@bienpnn) from Team Orca of Sea Security (security.sea.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - The two-bug exploit chain used by Bien included bugs used earlier in the competition. He still earn $2,500 and .5 Master of Pwn points.

— Q. Kaiser & T. Shiomitsu from IoT Inspector Research Lab targeting the WAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the IoT Inspector Research team could not get their exploit to work within the time allotted.

— Diffense Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the Diffense Team could not get their exploit to work within the time allotted.

Thursday, November 4

For a quick overview of Day Three results, see the recap video here.

1000 - Martin Rakhmanov (@mrakhmanov) targeting the Western Digital My Cloud Pro Series PR4100 in the NAS category

SUCCESS - Martin used a unique two-bug chain that included a command injection to compormise the NAS device. He earns himself $40,000 and 4 points towards Master of Pwn.

1030 - The Synacktiv (@Synacktiv) team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The three-bug exploit chain used by the Synacktiv team included some known bugs. They still earn $7,500 and 1 Master of Pwn points.

1100 - Alexander Bolshev (@dark_k3y), Timo Hirvonen (@TimoHirvonen), and Dmitry Janushkevich (@InfoSecDJ) of F-Secure Labs (@fsecurelabs) targeting the HP Color LaserJet Pro MFP M283fdw in the printer category

SUCCESS - The team from F-Secure Labs used a single stack-based buffer overflow to take over the printer and turn it into a jukebox. They earn $20,000 and 2 Master of Pwn points.

1200 - The STARLabs Team targeting the beta version of the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The STARLabs team of Nguyễn Hoàng Thạch (@hi_im_d4rkn3ss) and Billy Jheng Bing-Jhong (@st424204) combined an OOB Read and a heap-based buffer overflow to exploit the beta version of the 3TB My Cloud Home Personal Cloud from WD. They earn $45,000 and 5 Master of Pwn points.

1230 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The four-bug exploit chain used by the Stephen included some known bugs. His successful demonstration still earns him $10,000 and 1.5 Master of Pwn points.

1300 - Sam Thomas (@_s_n_t) from team Pentest Limited (@pentestltd) targeting the Samsung Galaxy S21 in the mobile phone category

SUCCESS - Sam used a three-bug chain to get code execution on the Sumsung Galaxt S21. This successful demonstration earns him $50,000 and 5 Master of Pwn points.

1400 - The Synacktiv (@Synacktiv) team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

COLLISION - The Synacktiv team used a two-bug chain to compromise the 3TB My Cloud Home Personal Cloud, but one of the bugs had been used prior in the contest. Their demonstration still earns them $20,000 and 2 Master of Pwn points.

1500 - Chris Anastasio (@mufinnnnnnn) targeting the Lexmark MC3224i in the printer category

COLLISION - Chris used a four-bug chain to compromise the Lexmark printer, but one of the bugs had been used prior in the contest. His efforts still earns him $17,500 and 1.75 Master of Pwn points.

1600 - The STARLabs Team targeting the LAN interface of the NETGEAR R6700v3 in the router category

FAILURE - Unfortunately, the STARLabs Team could not get their exploit to work within the time allotted.

1700 - Stephen Fewer (@stephenfewer) of Relyze Software Limited (www.relyze.com) targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - Stephen used an uninitialized variable to get a root shell via the LAN interface of the NETGEAR R6700v3 router. He earns $5,000 and 1 Master of Pwn point.

Due to time limitations and resource constraints, the following attempts will occur off the live stream during the evening. Results of these attempts will still be reported here and on Twitter.

The Synacktiv (@Synacktiv) team targeting the WAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The Synactiv team used an improper certificate validation and a stack-based buffer overflow to compromise the NETGEAR router via the WAN interface. They earn $20,000 and 2 critical Master of Pwn points.

— Flashback Team of Pedro Ribeiro (@pedrib1337) && Radek Domanski (@RabbitPro) targeting the LAN interface of the NETGEAR R6700v3 in the router category

COLLISION - Pedro and Radek leveraged 2 bugs to exploit the NETGEAR R6700 router via the LAN interface, but the path traversal they chose was an N-day. This still earns them $3,750 and .75 Master of Pwn points.

Friday, November 5

For a quick overview of Day Four results, see the recap video here.

1000 - Orange Tsai (@orange_8361), Angelboy (@scwuaptx) and Meh Chang (@mehqq_) from the DEVCORE Research Team targeting the 3TB My Cloud Home Personal Cloud from WD in the NAS category

SUCCESS - The DEVCORE team combined an OOB Read and an OOB Write to sucessfully exploit the 3TB My Cloud Home Personal Cloud from WD. This unique bug chain earned them $40,000 and 4 Master of Pwn points.

1030 - Diffense Team targeting the LAN interface of the Cisco RV340 in the router category

COLLISION - The Diffense Team leveraged 4 bugs to exploit the Cisco RV340 router via the LAN interface, but some of the bugs had been seen earlier in the conference. This still earns them $10,000 and 1.5 Master of Pwn points.

1100 - Benjamin Grap (@blightzero), Hanno Heinrichs (@HeinrichsH), and Lukas Kupczyk (@___luks___) of CrowdStrike Intelligence targeting the Lexmark MC3224i in the printer category

COLLISION - The team from CrowdStrike had no problem taking over the Lexmark printer using a three-bug chain, however all of the bused used had been seen earlier in the contest. Their effort wins them $10,000 and 1 Masrer of Pwn point.

1200 - The NullRiver team of Xin’an Zhou, Xiaochen Zou, Zhiyun Qian targeting the LAN interface of the NETGEAR R6700v3 in the router category

SUCCESS - The team used a pair of bugs to execute code via the LAN interface. They earn $5,000 and 1 Master of Pwn point.

1230 - Final wrap-up and the crowning of the Master of Pwn


Congratulations to the Synacktiv team for being crowned Master of Pwn! It was a tight race, but tehir combined efforts held off all challengers.

Thanks again to our partners Western Digital as well as our sponsor Synology. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities reported.

Pwn2Own Austin 2021 - Schedule and Live Results

The October 2021 Security Update Review

12 October 2021 at 17:28

The second Tuesday of the month is here, and that means the latest security updates from Adobe and Microsoft have arrived. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for October 2021

For October, Adobe released six patches covering 10 CVEs in Adobe Reader, Acrobat Reader for Android, Adobe Campaign Standard, Commerce, Ops-CLI, and Adobe Connect. The update for Adobe Acrobat fixes four bugs in total – two rated Critical and two rated Moderate in severity. Two of these bugs were submitted through the ZDI program. The Critical-rated bugs could allow remote code execution while the Moderate-rated bugs could allow a privilege escalation. The update for Reader for Android fixes a single path traversal bug that could lead to code execution. All require some form of user interaction, such as browsing to a web page or opening a PDF.

Several cross-site scripting (XSS) bugs receive patches this month. The patch for Campaign Standard fixes a DOM-based XSS. The fix for Adobe Commerce addresses a stored XSS. The patch for Adobe Connect fixes two bugs, one of which is a reflective XSS. The other bug is more a more severe Critical-rated deserialization vulnerability that could allow remote code execution. The final Adobe patch for October fixes a Critical-rated deserialization bug in Ops-CLI, which is a python wrapper for Terraform, Ansible, and SSH for cloud automation.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for October 2021

For October, Microsoft released patches today for 71 new CVEs in Microsoft Windows and Windows Components, Microsoft Edge (Chromium-based), Exchange Server, .NET Core and Visual Studio, Microsoft Office Services and Web Apps, SharePoint Server, Microsoft Dynamics, InTune, and System Center Operations Manager. This is in addition to the eight CVEs patched by Microsoft Edge (Chromium-based) earlier this month and three previously released OpenSSL patches, which brings the October total to 82 CVEs – slightly down from last month. A total of 11 of these bugs were submitted through the ZDI program.

Of the 71 CVEs patched today, two are rated Critical, 68 are rated Important, and one is rated Low in severity. Three of today’s patches are listed as publicly known, while one is listed as being under active attack at the time of release. This is in addition to two of the Chromium bugs that were listed as under active attack when Chrome patched on September 30. For those wondering, this month does include patches for the recently released Windows 11 operating system.

Let’s take a closer look at some of the more interesting updates for this month, starting with the kernel bug that’s listed as under active attack:

-       CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability
This patch corrected a kernel bug that could be used to escalate privileges on an affected system. Attackers typically use these types of bugs in conjunction with code execution bugs to take over a system. Considering the source of this report, this bug is likely being used in a targeted malware attack. We will also likely see more information about this bug and the associated attack within the next few days.

-       CVE-2021-26427 - Microsoft Exchange Server Remote Code Execution Vulnerability
The bug will certainly receive its fair share of attention, if nothing else, due to it being reported by the National Security Agency (NSA). Due to the similar CVE numbers, this bug was likely reported when they reported the more severe Exchange issues back in April. This bug is not as severe since this exploit is limited at the protocol level to a logically adjacent topology and not reachable from the Internet. This flaw, combined with the other Exchange bugs patched this month, should keep Exchange admins busy for a while.

-       CVE-2021-40486 - Microsoft Word Remote Code Execution Vulnerability
This patch corrects a bug that would allow code execution when a specially crafted Word document is viewed on an affected system. Although Microsoft lists user interaction required, the Preview Pane is also listed as an attack vector. This creates a much larger attack surface. When combined with a privilege escalation – like the one currently under active attack – this could be used to take over a target system. This bug came through the ZDI program and results from the lack of validating the existence of an object before performing operations on the object.

-       CVE-2021-40454 - Rich Text Edit Control Information Disclosure Vulnerability
We don’t often highlight information disclosure bugs, but this vulnerability goes beyond just dumping random memory locations. This bug could allow an attacker to recover cleartext passwords from memory, even on Windows 11. It’s not clear how an attacker would abuse this bug, but if you are using the rich text edit control in Power Apps, definitely test and deploy this bug quickly.

Here’s the full list of CVEs released by Microsoft for October 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-40449 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-41338 Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability Important 5.5 Yes No SFB
CVE-2021-40469 Windows DNS Server Remote Code Execution Vulnerability Important 7.2 Yes No RCE
CVE-2021-41335 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-40486 Microsoft Word Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-38672 Windows Hyper-V Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-40461 Windows Hyper-V Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-41355 .NET Core and Visual Studio Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-41361 Active Directory Federation Server Spoofing Vulnerability Important 5.4 No No Spoofing
CVE-2021-41337 Active Directory Security Feature Bypass Vulnerability Important 4.9 No No SFB
CVE-2021-41346 Console Window Host Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-40470 DirectX Graphics Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41363 Intune Management Extension Security Feature Bypass Vulnerability Important 4.2 No No SFB
CVE-2021-41339 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 4.7 No No EoP
CVE-2021-41354 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 4.1 No No XSS
CVE-2021-40457 Microsoft Dynamics 365 Customer Engagement Cross-Site Scripting Vulnerability Important 7.4 No No XSS
CVE-2021-41353 Microsoft Dynamics 365 Sales Spoofing Vulnerability Important 5.4 No No Spoofing
CVE-2021-40472 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-40471 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40473 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40474 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40479 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40485 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34453 Microsoft Exchange Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-41348 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-26427 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9 No No RCE
CVE-2021-41350 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-40480 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40481 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-40482 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-41344 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-40487 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-40484 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-41330 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40454 Rich Text Edit Control Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41352 SCOM Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-40478 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40488 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40489 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26441 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41345 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40450 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41357 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40456 Windows AD FS Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-40476 Windows AppContainer Elevation Of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-41347 Windows AppX Deployment Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40468 Windows Bind Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-40475 Windows Cloud Files Mini Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-40443 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40466 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40467 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-41334 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-40477 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38663 Windows exFAT File System Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38662 Windows Fast FAT File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41343 Windows Fast FAT File System Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41340 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26442 Windows HTTP.sys Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-40455 Windows Installer Spoofing Vulnerability Important 5.5 No No Info
CVE-2021-41336 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-41331 Windows Media Audio Decoder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40462 Windows Media Foundation Dolby Digital Atmos Decoders Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-41342 Windows MSHTML Platform Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2021-40463 Windows NAT Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-40464 Windows Nearby Sharing Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-41332 Windows Print Spooler Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-36970 Windows Print Spooler Spoofing Vulnerability Important 8.8 No No Spoofing
CVE-2021-40460 Windows Remote Procedure Call Runtime Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2021-36953 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-40465 Windows Text Shaping Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40483 Microsoft SharePoint Server Spoofing Vulnerability Low 7.6 No No Spoofing
* CVE-2021-37973 Chromium: CVE-2021-37973 Use after free in Portals High N/A No No RCE
* CVE-2021-37974 Chromium: CVE-2021-37974 Use after free in Safe Browsing High N/A No Yes RCE
* CVE-2021-37975 Chromium: CVE-2021-37975 Use after free in V8 High N/A No Yes RCE
* CVE-2021-37977 Chromium: CVE-2021-37977 Use after free in Garbage Collection High N/A No No RCE
* CVE-2021-37978 Chromium: CVE-2021-37978 Heap buffer overflow in Blink High N/A No No RCE
* CVE-2021-37979 Chromium: CVE-2021-37979 Heap buffer overflow in WebRTC High N/A No No RCE
* CVE-2021-37980 Chromium: CVE-2021-37980 Inappropriate implementation in Sandbox High N/A No No RCE
* CVE-2021-37976 Chromium: CVE-2021-37976 Information leak in core Medium N/A No No Info
* CVE-2020-1971 OpenSSL: CVE-2020-1971 EDIPARTYNAME NULL pointer de-reference Important N/A No No DoS
* CVE-2021-3449 OpenSSL: CVE-2021-3449 NULL pointer deref in signature_algorithms processing Important N/A No No DoS
* CVE-2021-3450 OpenSSL: CVE-2021-3450 CA certificate check bypass with X509_V_FLAG_X509_STRICT Important N/A No No Info

* Indicates this CVE had previously been released by a 3rd-party and is now being incorporated into Microsoft products.

The remaining Critical-rated bugs fix remote code execution vulnerabilities in Hyper-V server. One of these bugs could allow a guest OS to execute code on the host OS if the guest can cause a memory allocation error within the guest VM. Microsoft provides no details on the other bug, but it could also be used for a guest-to-host escape.

Looking at the remaining 18 code execution bugs, most are within the Office family and require a user to open a specially crafted file. One notable exception is a remote code execution bug in the DNS server. No user interaction is required to exploit this bug, but it does require high privileges, knocking this from Critical rated to Important. Microsoft lists this as publicly known but doesn’t state where which is frustrating. Knowing how widespread the knowledge of this vulnerability could benefit network defenders in creating a true risk assessment for their enterprise. There are also a couple of SharePoint code execution bugs receiving patches, but both require local privileges to exploit. These bugs came through the ZDI program, and we’ll have more details about them in the future. Another interesting RCE bug impacts the MSHTML platform. Although Internet Explorer is now “retired”, it lives on as the underlying MSHTML, EdgeHTML, and scripting platforms are still supported. There are even patches here for Windows 11. The legacy of IE hasn’t quite left us after all.

Moving on to the privilege escalation bugs, most require an attacker to log on to a system and run their own code to take advantage of an affected component. There’s another kernel bug here, and it is listed as publicly known – again with no additional information or details on the public disclosure. There’s also a privilege escalation in Exchange that also requires the attacker to be on an adjacent network. No user interaction is listed, so the likely scenario would be an insider threat.

There are five security feature bypass (SFB) bugs patched in this month’s release. The first is a vulnerability in RPC Runtime that could allow an attacker to bypass Extended Protection for Authentication provided by Service Principal Name (SPN) target name validation. A different bug in the Windows active directory could allow an attacker to bypass the Active Directory Federation Services (AD FS) BannedIPList entries for WS-Trust workflows. A different Active Directory bug could allow an attacker to bypass Active Directory domain permissions for Key Admins groups. The bypass in Intune requires the Intune Management Extension to be installed, but Microsoft provides no further details on what is being bypassed. Microsoft provides no details on what security feature is being bypassed on either the console Windows host or the Windows AppContainer Firewall. The lack of details around the container firewall vulnerability is especially frustrating since Microsoft lists this bug as publicly known.

The October release contains fixes for three new Denial-of-Service (DoS) bugs, each of which is significant. The first patch fixes a DoS vulnerability in TCP/IP that impacts all supported versions of Windows – including Windows 11. It’s not clear if this would allow an attacker to completely shut down a system, but without further details from Microsoft, network defenders should assume this worst-case scenario is likely. There’s a DoS bug in Exchange Server, and again, details are scarce. Since the CVSS score lists Availability=High, assume an attacker can abuse this bug to shut down an Exchange server. The final DoS bug getting fixed this month impacts Windows Network Address Translation (NAT) and was discovered by the same researchers that found the TCP/IP bug. Again, the CVSS score indicates this vulnerability could be used to take down a system, so test and deploy these patches quickly.

In addition to the one previously mentioned, there are 13 information disclosure bugs receiving fixes in this month’s release. Most of these simply result in leaks consisting of unspecified memory contents. However, if you’re running the web console of the System Center Operations Manager (SCOM), you definitely want to pay attention to the bug that could disclose file content on an affected system.

The October release is rounded out by fixes for six spoofing bugs and two cross-site scripting (XSS) bugs. Microsoft provides no details on what may be spoofed for any of these vulnerabilities, but the ones for Print Spooler and Exchange stand out. There are only a couple of print spooler bugs in this month’s release, so perhaps the days of PrintNightmare are finally behind us. The only clue we have for the impact of the Exchange spoofing bug is the CVSS rating of Confidentiality=High. This implies a total loss of confidentiality, which is not something you want to be associated with your Exchange server. The remaining spoofing bugs read very close to XSS bugs, including the rare Low severity fix for SharePoint Server.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV90001.

Looking Ahead

The next Patch Tuesday falls on November 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The October 2021 Security Update Review

The September 2021 Security Update Review

14 September 2021 at 17:37

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Apple and Google Chrome also released updates yesterday to fix bugs under active attack. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for September 2021

For September, Adobe released 15 patches covering 59 CVEs in Adobe Acrobat Reader, XMP Toolkit SDK, Photoshop, Experience Manager, Genuine Service, Digital Editions, Premiere Elements, Photoshop Elements, Creative Cloud Desktop, ColdFusion, Framemaker, InDesign, SVG-Native-Viewer, InCopy, and Premiere Pro. A total of 17 of these bugs came through the ZDI program.

The update for Adobe Acrobat fixes 26 bugs in total. Of these 26 bugs, 13 are rated Critical, 9 are rated Important, and four are rated Moderate in severity. The most severe of these bugs could allow remote code execution through either a type confusion, heap-based buffer overflow, or a use after free vulnerability. The single bug fixed by the Photoshop patch could also lead to code execution when opening a specially crafted file. The update for Framemaker includes five bugs found by ZDI researcher Mat Powell. The most severe of these issues result from the lack of proper validation of user-supplied data, which can result in a memory corruption condition. If you’re still using ColdFusion, you’ll definitely want to patch the two Critical rated security feature bypass bugs being fixed today.

You can check out all of Adobe’s patches on their PSIRT page. None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Apple Patches for September 2021

Although Apple does not follow the second Tuesday patch release cycle, they did release patches yesterday fixing a couple of significant bugs. CVE-2021-30860 fixes an input validation bug in CoreGraphics that could allow remote code execution. Apple notes they are aware of a report this bug is being actively exploited. This was reported by the Citizen Lab, and public accounts indicate this bug was used to target a Saudi activist’s iPhone. While the likelihood of widespread attack using this bug is low, it should still be taken seriously. Apple also notes CVE-2021-30858 – a Use-After-Free (UAF) bug in Webkit – has also been detected in the wild. These bugs impact several different Apple products, including iOS, iPad OS, watchOS, Safari, Catalina, and Big Sur. Definitely take some time to review all of the patches and apply the applicable updates once tested.

Google Chrome Patches for September 2021

Not to be outdone by Apple, Google also released a new version of Chrome yesterday to address a total of nine CVEs – two of which are listed as under active attack. CVE-2021-30632 fixes an Out-of-Bounds (OOB) Write, while CVE-2021-30633 fixes a UAF bug. Both were reported by an anonymous researcher, and both could lead to code execution at the level of the logged-on user. All of the bugs fixed in this release receive a “High” severity rating from Google. If you are running Chrome, definitely update to ensure you are on the latest stable version.

Side note: As of today, not all these fixes have not been absorbed by Microsoft Edge (Chromium) and are unrelated to the Edge (Chromium) fixes discussed below. Microsoft did list CVE-2021-30632 on September 11 but appears to have jumped the gun a bit on this release as it currently shows a September 14 release date.

Microsoft Patches for September 2021

For September, Microsoft released patches today for 66 CVEs in Microsoft Windows and Windows components, Microsoft Edge (Chromium, iOS, and Android), Azure, Office and Office Components, SharePoint Server, Microsoft Windows DNS, and the Windows Subsystem for Linux. This is in addition to the 20 CVEs patched by Microsoft Edge (Chromium-based) earlier this month, which brings the September total to 86 CVEs. A total of 11 of these bugs were submitted through the ZDI program.

Of the 66 new CVEs patched today, three are rated Critical, 62 are rated Important, and one is rated Moderate in severity. This volume is slightly higher than the average for 2021, which is below the 2020 volume while still above what was seen in 2019. As with last month, Microsoft spent significant resources responding to bugs under active attack, most notably CVE-2021-40444. One other bug is listed as publicly known but not being exploited (for now).

Let’s take a closer look at some of the more interesting updates for this month, starting with the MSHTML bug that’s listed as under active attack:

-       CVE-2021-40444 - Microsoft MSHTML Remote Code Execution Vulnerability
This patch fixes a bug currently being exploited via Office documents. A specially crafted ActiveX control is embedded in an Office doc then sent to a target. If opened on an affected system, code executes at the level of the logged-on user. Microsoft lists disabling ActiveX as a workaround, but other reports state this may be ineffective. As of now, the most effective defense is to apply the patch and avoid Office docs you aren’t expecting to receive. There are multiple updates for specific platforms, so be sure to carefully review and install all needed patches to ensure you are covered.  

-       CVE-2021-36965 - Windows WLAN AutoConfig Service Remote Code Execution Vulnerability
This patch fixes a vulnerability that could allow network adjacent attackers to run their code on affected systems at SYSTEM level. This means an attacker could completely take over the target – provided they are on an adjacent network. This would be highly useful in a coffee shop scenario where multiple people are using an unsecured WiFi network. Still, this requires no privileges or user interaction, so don’t let the adjacent aspect of this bug diminish the severity. Definitely test and deploy this patch quickly.

-       CVE-2021-38647 - Open Management Infrastructure Remote Code Execution Vulnerability
This patch rates the highest CVSS (9.8) for this month and fixes an RCE bug in the Open Management Infrastructure (OMI). If you aren’t familiar with OMI, it’s an open-source project to further the development of a production-quality implementation of the DMTF CIM/WBEM standards. You can read all about it here. This vulnerability requires no user interaction or privileges, so an attacker can run their code on an affected system just by sending a specially crafted message to an affected system. OMI users should test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for September 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-40444 Microsoft MSHTML Remote Code Execution Vulnerability Important 8.8 Yes Yes RCE
CVE-2021-36968 Windows DNS Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-38647 Open Management Infrastructure Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26435 Windows Scripting Engine Memory Corruption Vulnerability Critical 8.1 No No RCE
CVE-2021-36965 Windows WLAN AutoConfig Service Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-36956 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-38632 BitLocker Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-38661 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-40448 Microsoft Accessibility Insights for Android Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-40440 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-26436 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-36930 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 5.3 No No EoP
CVE-2021-38669 Microsoft Edge (Chromium-based) Tampering Vulnerability Important 6.4 No No Tampering
CVE-2021-38641 Microsoft Edge for Android Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-38642 Microsoft Edge for iOS Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-38655 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38644 Microsoft MPEG-2 Video Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38646 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38657 Microsoft Office Graphics Component Information Disclosure Vulnerability Important 6.1 No No Info
CVE-2021-38658 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38660 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38659 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38650 Microsoft Office Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38653 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38654 Microsoft Office Visio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38651 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38652 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-38634 Microsoft Windows Update Client Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-38656 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-38645 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38648 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38649 Open Management Infrastructure Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26437 Visual Studio Code Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-26434 Visual Studio Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36952 Visual Studio Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36975 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38639 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38628 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38638 Windows Ancillary Function Driver for WinSock Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38629 Windows Ancillary Function Driver for WinSock Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-36959 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-36954 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-36963 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36955 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38633 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36964 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38630 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36961 Windows Installer Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-36962 Windows Installer Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38625 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38626 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38624 Windows Key Storage Provider Security Feature Bypass Vulnerability Important 6.5 No No SFB
CVE-2021-38667 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-38671 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-40447 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36969 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38635 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38636 Windows Redirected Drive Buffering SubSystem Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36973 Windows Redirected Drive Buffering System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36974 Windows SMB Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36960 Windows SMB Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36972 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-38637 Windows Storage Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36966 Windows Subsystem for Linux Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36967 Windows WLAN AutoConfig Service Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-26439 Microsoft Edge for Android Information Disclosure Vulnerability Moderate 4.6 No No Info
CVE-2021-30606 Chromium: CVE-2021-30606 Use after free in Blink High N/A No No RCE
CVE-2021-30607 Chromium: CVE-2021-30607 Use after free in Permissions High N/A No No RCE
CVE-2021-30608 Chromium: CVE-2021-30608 Use after free in Web Share High N/A No No RCE
CVE-2021-30609 Chromium: CVE-2021-30609 Use after free in Sign-In High N/A No No RCE
CVE-2021-30610 Chromium: CVE-2021-30610 Use after free in Extensions API High N/A No No RCE
CVE-2021-30632 Chromium: CVE-2021-30632 Out of bounds write in V8 High N/A No Yes RCE
CVE-2021-30623 Chromium: CVE-2021-30623 Use after free in Bookmarks Low N/A No No RCE
CVE-2021-30624 Chromium: CVE-2021-30624 Use after free in Autofill Low N/A No No RCE
CVE-2021-30611 Chromium: CVE-2021-30611 Use after free in WebRTC Medium N/A No No RCE
CVE-2021-30612 Chromium: CVE-2021-30612 Use after free in WebRTC Medium N/A No No RCE
CVE-2021-30613 Chromium: CVE-2021-30613 Use after free in Base internals Medium N/A No No RCE
CVE-2021-30614 Chromium: CVE-2021-30614 Heap buffer overflow in TabStrip Medium N/A No No RCE
CVE-2021-30615 Chromium: CVE-2021-30615 Cross-origin data leak in Navigation Medium N/A No No Info
CVE-2021-30616 Chromium: CVE-2021-30616 Use after free in Media Medium N/A No No RCE
CVE-2021-30617 Chromium: CVE-2021-30617 Policy bypass in Blink Medium N/A No No SFB
CVE-2021-30618 Chromium: CVE-2021-30618 Inappropriate implementation in DevTools Medium N/A No No RCE
CVE-2021-30619 Chromium: CVE-2021-30619 UI Spoofing in Autofill Medium N/A No No Spoofing
CVE-2021-30620 Chromium: CVE-2021-30620 Insufficient policy enforcement in Blink Medium N/A No No SFB
CVE-2021-30621 Chromium: CVE-2021-30621 UI Spoofing in Autofill Medium N/A No No Spoofing
CVE-2021-30622 Chromium: CVE-2021-30622 Use after free in WebApp Installs Medium N/A No No RCE

As we did last month, this month’s table also lists the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign CVSS scores, so none are listed in the table. Again, these bugs are different than the ones fixed by Google Chrome in yesterday’s release. Those bugs should be incorporated into a future version of Edge (Chromium).

The remaining Critical-rated bug fixes a code execution vulnerability in the Scripting Engine. An attacker would need to convince a user to browse to a specially crafted website or open a file to get code execution. Looking at the other RCE bugs addressed in this release, many impact Office or an Office component. Visio receives some rare updates to go along with the more common fixes for Word, Access, and Excel.

This month’s release brings a total of 27 Elevation of Privilege (EoP) patches with it. The most notable is one listed as publicly known impacting DNS. Microsoft provides no details about the nature of the bug other than to say local privileges are required to successfully exploit it. This is not to be confused with the patch for an EoP in the Bind Filter Driver, which is completely different from the ISC BIND DNS system. Other notable EoP bugs include updates for Edge (Chromium) that seem unique to Edge – meaning the bugs weren’t from the port of Chromium and patched by Google. Visual Studio receives a patch to fix an EoP reported by ZDI researcher Michael DePlante. The issue results from incorrect permissions set on a resource used by the installer. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. There are some patches for the Print Spooler, but these don’t appear to have the impact or urgency as the PrintNightmare series of bugs. The other EoP fixes address various Windows components. In almost all cases, an attacker would need to log on to an affected system and run specially crafted code.

There are only two patches for security feature bypasses (SFBs) in this month’s release, but one seems awfully familiar. CVE-2021-38632 fixes a bug that could allow an attacker with physical access to a powered-off system to gain access to encrypted data. This sounds vaguely like the “cold boot” attacks widely discussed back in 2008. The other SFB bug being fixed this month could allow an attacker to bypass the Windows Key Storage Provider that issues key certificates for trust in attestation scenarios. This one’s a bit more vague, but surprisingly, Microsoft lists the attack complexity as Low for this bug. Definitely something to look out for.

Looking at the 12 information disclosure bugs in this month’s release, more simply result in leaks consisting of unspecified memory contents. A notable exception is a bug in the Windows Installer that could allow an attacker to read from the file system. The Windows Storage component has a bug with a similar impact. It’s not clear if any file can be read by an attacker or just specifical files and locations. The info disclosure being fixed in the Microsoft Accessibility Insights for Android is even more vague. According to Microsoft, the type of info disclosed is “sensitive information.” Well then. Plan accordingly.

The September release includes fixes for seven spoofing bugs and one for a cross-site scripting (XSS) bug. Microsoft provides no details on what may be spoofed for any of these vulnerabilities, but some have intriguing titles. There are fixes for Microsoft Edge for iOS and Android, so for those of you who use Edge on your phone, hit up the appropriate store to update your apps. There is a fix for a spoofing bug in Windows Authenticode, but the attacker vector is listed as local with privileges required. It’s possible this could allow an attacker access to something otherwise prohibited, but without further details, we can only speculate.

This month’s release is rounded out by a fix for a Denial-of-Service (DoS) bug in the Windows Installer and by a fix for Microsoft Edge (Chromium) in the mercurial Tampering category. Again, no information on what sort of tampering this vulnerability would allow. However, tampering bugs in the browser usually means an attacker could view and/or alter data within the browser. Interestingly, Microsoft appears to have released this update on September 9, but it does not appear to map to any bug fix released by the Chrome team.

No new advisories were released this month. The latest servicing stack updates can be found in the revised ADV990001.

Looking Ahead

The next Patch Tuesday falls on October 12, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The September 2021 Security Update Review

The August 2021 Security Update Review

10 August 2021 at 17:22

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft have been released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for August 2021

For August, Adobe released two patches addressing 29 CVEs in Adobe Connect and Magento. The update for Connect is rated Important and fixes a single security feature bypass and two cross-site scripting bugs. The Critical-rated patch for Magento fixes a wide range of bugs, the worst of which could allow remote code execution.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for August 2021

For August, Microsoft released patches today for 44 CVEs in Microsoft Windows and Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, and Microsoft Dynamics. This is in addition to seven CVEs patched in Microsoft Edge (Chromium-based) earlier this month. A total of eight of these bugs were submitted through the ZDI program. Of the 44 CVEs patched today, seven are rated Critical and 37 are rated Important in severity. This is the smallest release for Microsoft in 2021 and could be due to resource constraints since Microsoft spent so much time in July responding to events like PrintNightmare and PetitPotam. In fact, this is the smallest release since December 2019. It will be interesting to see if the September patch volume rebounds to triple digits or remains on the smaller side.

According to Microsoft, two of these bugs are publicly known and one is listed as under active attack at the time of release. Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s listed as under active attack:

-       CVE-2021-36948 - Windows Update Medic Service Elevation of Privilege Vulnerability
This bug could allow a local privilege escalation through the Windows Update Medic Service – a new feature introduced in Windows 10 designed to repair Windows Update components from damage so that the computer can continue to receive updates. An attacker would need to log on to an affected system and run a specially crafted program to escalate privileges. Microsoft does not say how widespread the attacks are, but they are most likely targeted at this point.

-       CVE-2021-36942 - Windows LSA Spoofing Vulnerability
Speaking of PetitPotam, Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface. This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue.

-       CVE-2021-36936 - Windows Print Spooler Remote Code Execution Vulnerability
Another month, another remote code execution bug in the print spooler. This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems. Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug.

UPDATE: Microsoft has released KB5005652 to provide guidance on managing new Point and Print default driver installation behavior. This is an update for CVE-2021-34481, which was originally released in July, 2021. Sysadmins should review this KB along with applying the Print Spooler related updates in this release.

-       CVE-2021-34535 - Remote Desktop Client Remote Code Execution Vulnerability
Before you start having flashbacks to BlueKeep, this bug affects the RDP client and not the RDP server. However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control. On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario and the reason you should test and deploy this patch quickly.

Here’s the full list of CVEs released by Microsoft for August 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes No RCE
CVE-2021-36942 Windows LSA Spoofing Vulnerability Important 9.8 Yes No Spoofing
CVE-2021-34535 Remote Desktop Client Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-34480 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No No RCE
CVE-2021-34530 Windows Graphics Component Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34534 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-26432 Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26424 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-26423 .NET Core and Visual Studio Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34485 .NET Core and Visual Studio Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-34532 ASP.NET Core and Visual Studio Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33762 Azure CycleCloud Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-36943 Azure CycleCloud Elevation of Privilege Vulnerability Important 4 No No EoP
CVE-2021-26430 Azure Sphere Denial of Service Vulnerability Important 6 No No DoS
CVE-2021-26429 Azure Sphere Elevation of Privilege Vulnerability Important 7.7 No No EoP
CVE-2021-26428 Azure Sphere Information Disclosure Vulnerability Important 4.4 No No Info
CVE-2021-36949 Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability Important 7.1 No No SFB
CVE-2021-36950 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-34524 Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-36946 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 5.4 No No XSS
CVE-2021-34478 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36940 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-34471 Microsoft Windows Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36941 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34536 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36945 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-34537 Windows Bluetooth Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36938 Windows Cryptographic Primitives Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-36927 Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26425 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34486 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34487 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34533 Windows Graphics Component Font Parsing Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-36937 Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34483 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-36947 Windows Print Spooler Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-26431 Windows Recovery Environment Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26433 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36926 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36932 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-36933 Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-26426 Windows User Account Profile Picture Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34484 Windows User Profile Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-30590 Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks High N/A No No RCE
CVE-2021-30591 Chromium: CVE-2021-30591 Use after free in File System API High N/A No No RCE
CVE-2021-30592 Chromium: CVE-2021-30592 Out of bounds write in Tab Groups High N/A No No RCE
CVE-2021-30593 Chromium: CVE-2021-30593 Out of bounds read in Tab Strip High N/A No No Info
CVE-2021-30594 Chromium: CVE-2021-30594 Use after free in Page Info UI High N/A No No RCE
CVE-2021-30596 Chromium: CVE-2021-30596 Incorrect security UI in Navigation Medium N/A No No SFB
CVE-2021-30597 Chromium: CVE-2021-30597 Use after free in Browser UI Medium N/A No No RCE

You’ll notice this month’s table includes the Chromium updates for Edge. These vulnerabilities are listed with the severity as assigned by Google, which is different from the standard Microsoft nomenclature. Google does not assign a CVSS score, so none is listed in the table.

Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system. One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note  it needs neither privileges or user interaction to be exploited. This may fall into the “wormable” category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface. That certainly sounds like elevated code on a listening network service. Don’t ignore this patch.

Another interesting Critical-rated bug affects the TCP/IP stack. Despite its CVSS rating of 9.9, this may prove to be a trivial bug, but it’s still fascinating. An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it’s still cool to see new bugs in new scenarios being found in protocols that have been around for years.

The remaining patches for RCE bugs primarily address open-and-own types of bugs in Microsoft Dynamics (on-prem), Office, Word, and Windows media components. For example, the vulnerability in Word would require someone to open a specially crafted Word doc with an affected version, resulting in code execution at the logged-on user lever. There’s also an Important-rated RCE bug in the print spooler, however, it’s not clear why this one is rated Important while the other is rated Critical. Both have the exact same CVSS rating. One is publicly known, but that shouldn’t affect severity. Best to treat both print spooler bugs as Critical, just to be on the safe side. 

There are a total of 16 Elevation of Privilege (EoP) patches in this month’s release. Most of these exist in Windows components and require an attacker to log on to an affected system and execute their specially crafted program. Six of these bugs were reported through the ZDI program by Abdelhamid Naceri (halov) and deal with improper link resolution before file access (Link Following) vulnerabilities. For example, by creating a directory junction, an attacker can abuse the Windows Update Assistant to delete a file. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of the Administrator. Altogether, there are EoP fixes for Windows Defender, Azure Sphere and CycleCloud, Storage Spaces, the Update Assistant, the Bluetooth service, Windows Event Tracing, and the aforementioned Print Spooler.

Looking at the eight information disclosure bugs in this month’s release, more simply result in leaks consisting of unspecified memory contents. A notable exception is the patch for .NET Core and Visual Studio that could disclose data inside the targeted website like IDs, tokens, nonces, and other sensitive information. Microsoft does not specify what information is disclosed by the bug in the Windows Cryptographic Primitives Library, but judging by the title alone, it’s possible (though unlikely) that an attacker could recover plaintext data from encrypted content. Let’s hope we receive more information on this bug in the future.

Only two patches this month result in Denial-of-Service (DoS) conditions, but you likely only need to act on one. The update for Azure Sphere should have been automatically delivered to your device provided it is connected to the Internet. The other patch fixes a DoS bug in .NET Core and Visual Studio and needs to be installed as per usual.

There are also just two security feature bypasses getting fixes this month. The first is for Azure Active Directory Connect, but you’ll need to do more than just patch to prevent a Man-in-The-Middle (MiTM) attack between your Azure AD Connect server and a domain controller. You will also need to disable NTLM as laid out in this document. The other spoofing bug occurs in SharePoint Server and likely manifests as a cross-site scripting (XSS) issue. Speaking of XSS bugs, this month’s release is rounded out by two patches for XSS vulnerabilities in Microsoft Dynamics.

As expected, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on September 14, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The August 2021 Security Update Review

The July 2021 Security Update Review

13 July 2021 at 17:24

The second Tuesday of the month is here, and it brings with it the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for July 2021

For July, Adobe released five patches addressing 29 CVEs in Adobe Dimension, Illustrator, Framemaker, Acrobat and Reader, and Adobe Bridge. A total of 15 of these bugs were reported through the ZDI program with several being discovered by ZDI researchers Mat Powell and Joshua Smith. The update for update Acrobat and Reader fixes 19 different bugs – several of which could lead to code execution if an attacker can convince a user to open a malicious PDF with an affected version. The update for Dimension also could allow code execution. For Illustrator, three bugs are being fixed. The two that allow for code execution occur in during the processing of PDF and JPEG2000 files. These issues result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Similar Out-Of-Bounds (OOB) Write bugs exist in the five fixes for Bridge. Again, code execution would occur at the level of the logged-on user. The single CVE fixed by the Framemaker patch corrects an OOB Write that exists within the parsing of TrueType fonts embedded in PDF files.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for July 2021

For July, Microsoft released patches for 117 CVEs in Microsoft Windows, Dynamics, Exchange Server, Microsoft Office, Windows Storage Spaces Controller, Bing, SharePoint Server, Internet Explorer (IE), Visual Studio, and OpenEnclave. A total of 17 of these bugs were reported through the ZDI program. Of these 117 bugs, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity. This volume of fixes is more than the last two months combined and on par with the monthly totals from 2020. Perhaps the lowered rate seen in the prior months was an aberration. According to Microsoft, six of these bugs are publicly known and four are listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s already received a lot of (warranted) attention:

-       CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability
Much has already been written about this currently exploited bug also known as PrintNightmare. Microsoft released an Out-of-Band (OOB) patch for this bug on July 1, and they have updated it multiple times since then. There have been reports the patch is ineffective, but Microsoft insists it works – provided certain registry keys have the correct values. Enterprises should verify these registry keys are configured as intended and get this patch rolled out. It’s also a fine time to disable the Print Spooler service wherever it isn’t needed and restrict the installation of printer drivers to just administrators.

-       CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability
This bug is also listed as under active exploit, but there’s no indication of how widespread the attack is. The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.

-       CVE-2021-34494 - Windows DNS Server Remote Code Execution Vulnerability
This bug is currently not under active attack, but considering the severity, there are those who will work to change that status. This bug could allow remote code execution at a privileged service level on a listening network port without user interaction. Microsoft does mention low privileges are needed, but depending on the server configuration, these could be easily gained. This bug is restricted to DNS Servers only, but if there’s one system you don’t want wormed, it’s probably your DNS server. Definitely test and deploy this one quickly.

-       CVE-2021-34458 - Windows Kernel Remote Code Execution Vulnerability
It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.

Here’s the full list of CVEs released by Microsoft for July 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No Yes RCE
CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 Yes No RCE
CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 9 Yes No EoP
CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34492 Windows Certificate Spoofing Vulnerability Important 8.1 Yes No Spoofing
CVE-2021-34474 Dynamics Business Central Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-34464 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34522 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34439 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34503 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-34450 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.5 No No RCE
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-33740 Windows Media Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34497 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-34476 Bowser.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34489 DirectWrite Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34440 GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31947 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33775 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33776 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33777 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33778 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33760 Media Foundation Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability Important 4.7 No No Spoofing
CVE-2021-34501 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34518 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33766 Microsoft Exchange Information Disclosure Vulnerability Important 7.3 No No Info
CVE-2021-33768 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-34470 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-31196 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34451 Microsoft Office Online Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34469 Microsoft Office Security Feature Bypass Vulnerability Important 8.2 No No SFB
CVE-2021-34467 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34468 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-34517 Microsoft SharePoint Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34479 Microsoft Visual Studio Spoofing Vulnerability Important 7.8 No No Spoofing
CVE-2021-34441 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33767 Open Enclave SDK Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2021-31984 Power BI Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34521 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33751 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34460 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34510 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34512 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34513 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34509 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34477 Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34528 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34529 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34449 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34516 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34491 Win32k Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34504 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33785 Windows AF_UNIX Socket Provider Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34459 Windows AppContainer Elevation Of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34462 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-33782 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-33784 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34488 Windows Console Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34461 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33759 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33745 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34442 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34444 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34499 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-33746 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33754 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-34525 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33749 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33750 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33752 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33756 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33774 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34455 Windows File History Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34438 Windows Font Driver Host Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34498 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34496 Windows GDI Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-34446 Windows HTML Platform Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2021-33755 Windows Hyper-V Denial of Service Vulnerability Important 6.3 No No DoS
CVE-2021-33758 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-34511 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33765 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-31961 Windows InstallService Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-34514 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34500 Windows Kernel Memory Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-34508 Windows Kernel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33764 Windows Key Distribution Center Information Disclosure Vulnerability Important 5.9 No No Info
CVE-2021-33788 Windows LSA Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33786 Windows LSA Security Feature Bypass Vulnerability Important 8.1 No No SFB
CVE-2021-34447 Windows MSHTML Platform Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2021-34493 Windows Partition Management Driver Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2021-33743 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33761 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33773 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34445 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34456 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33763 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34454 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34457 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34507 Windows Remote Assistance Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-33744 Windows Secure Kernel Mode Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33757 Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33783 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31183 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33772 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34490 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability Moderate 5.3 No No Info

Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new. One of the new ones is CVE-2021-31206, which was disclosed during the last Pwn2Own contest. There are also new patches for elevation of privilege bugs that could be exploited in a man-in-the-middle attack or be network adjacent. The real surprise in this month’s Exchange patches are the three bugs patched in April but not documented until today. Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.

Taking a look at the remaining Critical-rated bugs, there are two updates for Defender code execution bugs, although you likely won’t need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. There are also RCE bugs in Dynamics 365 Business Central, Windows Media Foundation, MSHTML, and Hyper-V.

Moving to the Important-rated RCE bugs, there are quite a few impacting the Windows DNS Server. Most of these would require an administrator to view a malicious record in the DNS Snap-in to be exploited. There are also a few that have no user interaction and require only low-level privileges. Two of the patches fix denial-of-service (DoS) bugs in the server. Shutting DNS down is nearly as severe as taking it over. In all cases, the DNS Server must be enabled for a system to be impacted by these bugs. The Important RCEs category is rounded out by fixes for Office components, SharePoint Server, and HEVC Video Extensions.

There are a total of 32 Elevation of Privilege (EoP) patches in this month’s release. In addition to the ones previously mentioned, six of these fix EoP bugs in the Windows Storage Spaces Controller. There are also fixes for EoP vulnerabilities in the kernel, Remote Access Connection Manager, Installer service, partition management, and projected file system.

We’ve already mentioned quite a few DoS bugs in this release, and there are a few more to look out for. The first is a bug in the Local Security Authority (LSA). Microsoft doesn’t detail the impact of the bug, but a DoS on LSA implies users can’t authenticate. There are three DoS vulnerabilities in the TCP/IP stack. Again, no details from Microsoft, but it appears an attacker could shut down all networking on a device. Finally, there are fixes for DoS bugs in bowser.sys and the Windows AF_UNIX Socket Provider.

There are 14 patches fixing information disclosure bugs this month, including the single Moderate-rated fix for a bug in SharePoint Server. This bug could disclose PII and, in some cases, requires multiple packages to be completely addressed. Most of the other bugs only lead to leaks consisting of unspecified memory contents. Two notable exceptions impact KDC and SMB. The KDC has a weak encryption algorithm that could be used to decrypted and expose information related to a user or service's active session. The SMB bug could allow an attacker unauthorized file system access, meaning they could read files on the affected system.

Eight security feature bypasses are fixed in this month’s release. The patch for ADFS fixes a bug in the Primary Refresh Tokens, which are normally stored in the TPM. The tokens aren’t encrypted properly. Attackers could extract and potentially decrypt the token for reuse until the token expires or is renewed. There’s a bug in LSA that could allow a read-only domain controller (RODC) to delegate rights by granting itself a ticket. This ticket isn’t validated by a domain controller, which could lead to a read-only DC getting Read/Write privileges. A patch for the Security Account Manager adds Advanced Encryption Standard (AES) encryption as the preferred method when using the MS-SAMR protocol. Microsoft will be releasing KB5004605 with additional configuration details in the future. At the time of release, it’s mentioned, but not live yet. Frustratingly, no details are available about the other bypasses, which includes the patches for two publicly known bugs and Windows Hello.

This month’s release is rounded out by seven patches to address spoofing bugs in SharePoint Server, Bing Search, Visual Studio, Office, Authenticode, Installer, and bug that could allow certificate spoofing. In late June, Microsoft reported they were investigating reports regarding a malicious actor trying to leverage the Windows Hardware Compatibility Program (WHCP) process. While they indicated there was no evidence of certificate exposure, it’s possible this patch resulted from that investigation. They do mark the bug as publicly known, but there’s no documentation confirming the link. No details are available about any of the other spoofing patches.

As usual, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on August 10, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The July 2021 Security Update Review

The June 2021 Security Update Review

8 June 2021 at 17:31

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are here. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for June 2021

For June, Adobe released 10 patches addressing 39 CVEs in Adobe Connect, Acrobat and Reader, Photoshop. Photoshop Elements, Experience Manager, Creative Cloud, RoboHelp, Premiere Elements, Animate, and After Effects. A total of nine of these bugs came through the ZDI program. The two patches that stand out are the fixes for Reader and After Effects. In the case of Adobe Reader, the Critical-rated CVEs could allow code execution if an attacker can convince a user to open a specially crafted PDF file with an affected version of Reader. For the use-after-free (UAF) bugs reported through our program, the specific flaw exists within the handling of AcroForm fields. The issue results from the lack of validating the existence of an object prior to performing operations on the object. The update for After Effects fixes a large mix of Critical- to Moderate-rated bugs. The worst of these could allow code execution at the level of the logged-on user.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for June 2021

For June, Microsoft released patches for 50 CVEs in Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop. A total of eight of these bugs came through the ZDI program. Of these 50 bugs, five are rated Critical and 45 are rated Important in severity. According to Microsoft, six of these bugs are currently under active attack while three are publicly known at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with some of the bugs listed as under active attack:

-       CVE-2021-33742 - Windows MSHTML Platform Remote Code Execution Vulnerability
This bug could allow an attacker to execute code on a target system if a user views specially crafted web content. Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer. It’s not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list.

-       CVE-2021-31199/CVE-2021-31201 - Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
These two bugs are linked to the Adobe Reader bug listed as under active attack last month (CVE-2021-28550). It’s common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits. It is a bit unusual to see a delay between patch availability between the different parts of an active attack, but good to see these holes now getting closed.

-       CVE-2021-31956 - Windows NTFS Elevation of Privilege Vulnerability
This is another of the bugs listed as under active attack this month. This was reported by the same researcher who found CVE-2021-31955, an information disclosure bug also listed as under active attack. It's possible these bugs were used in conjunction, as that is a common technique - use a memory leak to get the address needed to escalate privileges. These bugs are important on their own and could be even worse when combined. Definitely prioritize the testing and deployment of these patches.

-       CVE-2021-31962 - Kerberos AppContainer Security Feature Bypass Vulnerability
This bug allows an attacker to bypass Kerberos authentication and potentially authenticate to an arbitrary service principal name (SPN). This vulnerability earns the highest CVSS for June at 9.4. This could allow an attacker to potentially bypass authentication to access any service that is accessed via an SPN. Given that SPN authentication is crucial to security in Kerberos deployments, this patch should be given highest priority.

Here’s the full list of CVEs released by Microsoft for June 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 7.5 Yes Yes RCE
CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 8.4 Yes Yes EoP
CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability Important 5.2 No Yes EoP
CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability Important 5.2 No Yes EoP
CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability Important 5.5 No Yes Info
CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability Important 7.5 Yes No DoS
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 7.1 No No RCE
CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability Critical 6.4 No No RCE
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability Important 5.9 No No DoS
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31962 Kerberos AppContainer Security Feature Bypass Vulnerability Important 9.4 No No SFB
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-33741 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability Important 6.7 No No RCE
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31938 Microsoft VsCode Kubernetes Tools Extension Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31974 Server for NFS Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26414 Windows DCOM Server Security Feature Bypass Important 4.8 No No SFB
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability Important 6.8 No No SFB
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability Important 8.6 No No DoS
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability Important 7.5 No No EoP
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability Important 5.5 No No SFB

Looking at the remaining Critical-rated bugs, the update for Defender stands out even though you likely won’t need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. You should still verify the version and manually apply the update if needed. Similarly, the update for the VP9 codecs should be automatically updated through the Microsoft store. Again, if you’re in a disconnected environment, you’ll need to manually apply the patch. The remaining Critical-rated bugs include a browse-and-own bug in the scripting engine and a remote code execution vulnerability in SharePoint. The SharePoint bug requires no user interaction but does require some level of privilege. The attack complexity is listed as high, but considering the target, attackers are likely to do everything possible to turn this into a practical exploit.

Moving on to the Important-rated updates, there are a couple of SharePoint code execution bugs here as well. One of these came through the ZDI program, and we’ll post more details about it in the near future. We blogged about a similar bug last week, so you can check that out in the meantime. There are several patches impacting Office components with the most notable being the update for Outlook. Fortunately, the Preview Pane is not affected. An attacker would need to convince someone to open a specially crafted file with an affected version of Outlook. Those using Microsoft Intune for device management should ensure they apply the patch as soon as possible. While the attack scenario is not defined, it does not require authentication or user interaction. If you use Intune, I recommend treating this patch as Critical and deploy it quickly. The Important-rated code execution patches are rounded out by a couple of patches for the 3D Viewer and Paint 3D. One of the Paint bugs was reported by ZDI researcher Mat Powell and exists within the parsing of STL files. The issue results from the lack of proper validation of user-supplied data, which can result in a read past the end of an allocated data structure.

There are 10 additional elevation of privilege (EoP) bugs receiving patches this month beyond those previously mentioned. The bug fixed by the Desktop Windows Manager (DWM) patch is also listed as publicly known and under active attack. Again, it’s not clear how widespread these attacks are, but they are likely more targeted at this point. The update for the Chromium-based Edge actually went live on Friday, June 4. It’s not clear how this bug is an EoP rather than code execution, but either way, user interaction is required. The other EoPs addressed this month require the attacker to run their code on an affected system to escalate privileges. Several Windows components are impacted by these bugs, including the Windows Kernel and Microsoft’s Kubernetes tools.

There are seven patches fixing information disclosure bugs this month, with the vulnerability for the Windows Kernel listed as under active attack. For the most part, all of these bugs only lead to leaks consisting of unspecified memory contents. The one exception is the info leak in SharePoint that could lead to exposing Personally Identifiable Information (PII).

There are five patches fixing denial-of-service (DoS) bugs in the release. The most notable affected components are Hyper-V and Windows Defender. Again, you should have already received the Defender update. Even if you have Defender disabled, a vulnerability scanner may detect systems as vulnerable due to the presence of the impacted files. However, Microsoft states systems with Defender disabled are not in a “vulnerable state.” The DoS bug fixed in the Windows Remote Desktop Protocol is listed as publicly known, but it’s not clear what public information is available.

Four security feature bypasses are fixed in this month’s release, including the previously mentioned Kerberos bypass. The update for Windows DCOM requires special attention. The patch doesn’t automatically fix the vulnerability. Instead, it provides enterprises the ability to enable hardening for protections from the bug. Microsoft plans another release in Q4 2021 that enables the protections by default while allowing the hardened to be disabled via the registry. In late 2021 or early 2022, the ability to disable the protections will be removed. It seems Microsoft anticipates some application compatibility problems may arise from this fix, so definitely test this update thoroughly.

This month’s release is rounded out by three patches to address spoofing bugs in SharePoint Server. As per usual, the servicing stack advisory (ADV990001) was revised for versions of Windows 10 and Server 2019. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on July 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The June 2021 Security Update Review

The May 2021 Security Update Review

11 May 2021 at 17:26

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for May 2021

For May, Adobe released 12 patches addressing 44 CVEs in Experience Manager, InDesign, Illustrator, InCopy, Adobe Genuine Service, Acrobat and Reader, Magento, Creative Cloud Desktop, Media Encoder, After Effects, Medium, and Animate. A total of five of these bugs came through the ZDI program.

The update for Acrobat and Reader should be given the highest priority. One of the 14 CVEs fixed by this patch is listed as being currently used in the wild. The bug (CVE-2021-28550) is one of three use after free (UAF) bugs addressed by this patch. These and other vulnerabilities could lead to code execution if someone were to open a specially crafted PDF with an affected version of Acrobat or Reader. The update for InDesign also stands out. These bugs result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated structure. An attacker can leverage this vulnerability to execute code in the context of the current process.

Beyond the one Reader bug, none of the other vulnerabilities patched by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for May 2021

For May, Microsoft released patches for 55 CVEs in Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server. A total of 13 of these bugs came through the ZDI program. Of these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. According to Microsoft, three of these bugs are publicly known but none are listed as under active exploit at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug sure to garner a lot of attention:

-       CVE-2021-31166 - HTTP Protocol Stack Remote Code Execution Vulnerability
This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.

-       CVE-2021-28476 - Hyper-V Remote Code Execution Vulnerability
With a CVSS of 9.9, this bug scores the highest severity rating for this month’s release. However, Microsoft notes an attacker is more likely to abuse this vulnerability for a denial of service in the form of a bugcheck rather than code execution. Because of this, it could be argued that the attack complexity would be high, which changes the CVSS rating to 8.5. That still rates as high severity, but not critical. Still, the bugcheck alone is worth making sure your Hyper-V systems get this update.

-       CVE-2021-27068 - Visual Studio Remote Code Execution Vulnerability
This patch fixes an unusual bug in Visual Studio 2019 that could allow code execution. It’s unusual because it’s listed as not requiring any user interaction, so it’s unclear how an attacker would leverage this vulnerability. It does appear that the attacker would need to be authenticated at some level, but the attack complexity is listed as low. If you are a developer running Visual Studio, make sure you grab this update.

-       CVE-2020-24587 - Windows Wireless Networking Information Disclosure Vulnerability
We don’t normally highlight info disclosure bugs, but this one has the potential to be pretty damaging. This patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system. It’s not clear what the range on such an attack would be, but you should assume some proximity is needed. You’ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.

Here’s the full list of CVEs released by Microsoft for May 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-31204 .NET Core and Visual Studio Elevation of Privilege Vulnerability Important 7.3 Yes No EoP
CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability Important 7.2 Yes No RCE
CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability Moderate 6.6 Yes No SFB
CVE-2021-31166 HTTP Protocol Stack Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28476 Hyper-V Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-31194 OLE Automation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26419 Scripting Engine Memory Corruption Vulnerability Critical 6.4 No No RCE
CVE-2021-28461 Dynamics Finance and Operations Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2021-31936 Microsoft Accessibility Insights for Web Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2021-31182 Microsoft Bluetooth Driver Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2021-31174 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31195 Microsoft Exchange Server Remote Code Execution Vulnerability Important 6.5 No No RCE
CVE-2021-31198 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31209 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-28455 Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-31180 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31178 Microsoft Office Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31175 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31176 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31177 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31179 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31171 Microsoft SharePoint Information Disclosure Vulnerability Important 4.1 No No Info
CVE-2021-31181 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-31173 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-28474 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-26418 Microsoft SharePoint Spoofing Vulnerability Important 4.6 No No Spoofing
CVE-2021-28478 Microsoft SharePoint Spoofing Vulnerability Important 7.6 No No Spoofing
CVE-2021-31172 Microsoft SharePoint Spoofing Vulnerability Important 7.1 No No Spoofing
CVE-2021-31184 Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26422 Skype for Business and Lync Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-26421 Skype for Business and Lync Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2021-31214 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31211 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31213 Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27068 Visual Studio Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28465 Web Media Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31190 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31165 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31167 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31168 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31169 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31208 Windows Container Manager Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28479 Windows CSC Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31185 Windows Desktop Bridge Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-31170 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31188 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31192 Windows Media Foundation Core Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-31191 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31186 Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability Important 7.4 No No Info
CVE-2021-31205 Windows SMB Client Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-31193 Windows SSDP Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-31187 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2020-24587 Windows Wireless Networking Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2020-24588 Windows Wireless Networking Spoofing Vulnerability Important 6.5 No No Spoofing
CVE-2020-26144 Windows Wireless Networking Spoofing Vulnerability Important 6.5 No No Spoofing

There’s a flurry of Exchange patches in this month’s release, and some are related to bugs disclosed during the recent Pwn2Own contest. Two of the patches correct remote code execution bugs. While it appears these bugs result from Pwn2Own submissions, the exploits used during the contest did not require user interaction. The write-up from Microsoft does list user interaction in the CVSS score, however they may be scoring just this piece of the exploit chain. There’s also a spoofing bug and a security feature bypass that were used at the contest as part of a multi-bug chain. More Exchange patches are expected as not everything disclosed at the contest has been addressed. We’re working with Microsoft to get further clarification.

Moving on to the two remaining Critical-rated patches, both involve browsing to a website to get code execution. One bug impacts Internet Explorer while the other occurs when an attacker invokes OLE automation through a web browser. In both cases, the attacker would somehow have to lure the victim to their website.

Looking at the Important-rated patches, 18 involve remote code execution (RCE) of some form. One of the publicly known bugs falls into this category, although the disclosure occurred several months ago. The common utilities (common_utils.py) had an update checked in to GitHub back in December. If you use the Neural Network Intelligence open-source toolkit, make sure you have the latest version. There are several open-and-own style bugs in various Office components. There are three code execution bugs in Visual Studio Code, but these require a user to open a malicious file in a directory. If an attacker can convince such an act, they can execute their code at the level of the logged-on user.

Another RCE was reported by ZDI researcher Hossein Lotfi and impacts the Jet Red Database Engine and Access Connectivity Engine. To completely address this vulnerability, you’ll want to apply the update and restrict access to remote databases. Failing to restrict access can still expose your database to potential SQL adhoc/injection flaws. Microsoft published KB5002984 to provide guidance on restricting access.

There are 11 elevation of privilege (EoP) bugs receiving patches this month, and most are in the Windows Container Manager Service. Another EoP fix for .NET Core and Visual Studio is listed as publicly known, but Microsoft does not say where the disclosure occurred. One bug reported through the ZDI program affects the Wallet Service. By creating a directory junction, an attacker can abuse the service to create a file in an arbitrary location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of SYSTEM. Two other EoP bugs in the Windows Graphics component were reported by ZDI researcher Lucas Leong. The vulnerability result from the handling of Palette and Font Entry objects.

This month’s release includes 10 patches for information disclosure bugs, including the one previously mentioned. For the most part, these only lead to leaks consisting of unspecified memory contents. There are some notable exceptions. The info disclosure bugs in SharePoint could lead to unauthorized file system access or exposing Personally Identifiable Information (PII). Again, the info disclosure bug in Wireless is the most severe of this bunch.

There are eight spoofing bugs in May, and two were reported by the same researcher who reported the Wireless info disclosure bug. These also impact the Wireless component, but it’s not clear how the spoofing occurs. These also have CVEs from 2020, so again, it’s an indicator that these bugs have been in the works for a while. Other spoofing bugs being fixed this month affect SharePoint Server, Bluetooth, and Skype for Business and Lync.

In addition to the previously mentioned Exchange security feature bypass, there’s a fix for a bypass in the SMB client. In SMBv2, guest fallback is not disabled by default. The patch disables guest fallback access to enforce the OS and Group Policy settings. You can also disable guest access via the registry. The May release is rounded out with a cross-site scripting (XSS) bug in Dynamics Finance and Operations and a DoS bug in Windows Desktop Bridge.

Finally, the servicing stack advisory (ADV990001) was revised for all versions of Windows. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on June 8, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The May 2021 Security Update Review

The April 2021 Security Update Review

13 April 2021 at 17:29

It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for April 2021

For April, Adobe released four patches addressing 10 CVEs in Adobe Photoshop, Digital Editions, RoboHelp, and Bridge. The update for Bridge fixes six CVEs, all of which were reported through the ZDI program. Four of these bugs are rated Critical and could allow arbitrary code execution if exploited. The patch for Photoshop fixes two Critical-rated CVEs. Both of these buffer overflows could all arbitrary code execution. The update for Digital Editions fixes a Critical-rated privilege escalation bug that could lead to an arbitrary file system write. Finally, the patch for RoboHelp fixes a single privilege escalation bug. None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for April 2021

For April, Microsoft released patches for 114 CVEs in Microsoft Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, Visual Studio, and Exchange Server. This is the largest number of CVEs addressed in a month by Microsoft this year, and it is slightly higher than April of last year. A total of five of these bugs came through the ZDI program. None of the bugs being addressed this month were disclosed at the recent Pwn2Own contest. Of these 114 bugs, 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity. Six additional bugs impact Edge (Chromium-based) and were ingested from a recent Chromium update. According to Microsoft, one bug is currently being exploited while four others are publicly known at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-28310 - Win32k Elevation of Privilege Vulnerability
This is the only vulnerability listed as being actively exploited being patched in April. The bug allows an attacker to escalate privileges by running a specially crafted program on a target system. This does mean that they will either need to log on to a system or trick a legitimate user into running the code on their behalf. Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system.

-       CVE-2021-28480/28481 – Microsoft Exchange Server Remote Code Execution Vulnerability
Both of these CVEs are listed at a 9.8 CVSS and have identical write-ups, so they both get listed here. Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as “Network,” it is likely these bugs are wormable – at least between Exchange servers. The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year. These bugs were credited to the National Security Agency. Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible.

-       CVE-2021-28329 et al. – Remote Procedure Call Runtime Remote Code Execution Vulnerability
There are 27 bugs in this month’s release with this title, and all have identical descriptions and CVSS scores. However, 12 are rated Critical while 15 are rated Important in severity. In RPC vulnerabilities seen in the past, an attacker would need to send a specially crafted RPC request to an affected system. Successful exploitation results in executing code in the context of another user. Perhaps the users involved in the Important-rated bugs have lower privileges than their Critical-rated counterparts, but that is not clear from the description. Either way, the researcher who reported these bugs certainly found quite the attack surface.

-       CVE-2021-28444 – Windows Hyper-V Security Feature Bypass Vulnerability
This security feature bypass allows an attacker to potentially bypass Router Guard configurations on Hyper-V. Router Guard is designed to prevent guest OSes from offering router services on the network. Many don’t realize Windows can be set up as a router, and on physical or virtual systems, be configured to re-route packets to a rouge location (e.g. Man-in-the-Middle) or simply black hole the traffic. If you’re running Hyper-V, even accidental misconfigurations could cause disruptions, so definitely don’t ignore this patch.

Here’s the full list of CVEs released by Microsoft for April 2021, minus the Edge bugs ingested from Chromium.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-28310 Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-28458 Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-27091 RPC Endpoint Mapper Service Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-28437 Windows Installer Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-28312 Windows NTFS Denial of Service Vulnerability Moderate 3.3 Yes No DoS
CVE-2021-28460 Azure Sphere Unsigned Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-28480 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28481 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-28482 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28483 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9 No No RCE
CVE-2021-28329 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28330 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28331 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28332 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28333 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28334 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28335 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28336 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28337 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28338 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28339 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-28343 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-27095 Windows Media Video Decoder Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-28315 Windows Media Video Decoder Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-27092 Azure AD Web Sign-in Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-27067 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28459 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important 6.1 No No Spoofing
CVE-2021-28313 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28321 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28322 Diagnostics Hub Standard Collector Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28456 Microsoft Excel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28451 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28454 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27089 Microsoft Internet Messaging API Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28449 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28452 Microsoft Outlook Memory Corruption Vulnerability Important 7.1 No No RCE
CVE-2021-28450 Microsoft SharePoint Denial of Service Update Important 5 No No DoS
CVE-2021-28317 Microsoft Windows Codecs Library Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28453 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27096 NTFS Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28466 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28468 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28471 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28327 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28340 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28341 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28342 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28344 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28345 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28346 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28352 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28353 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28354 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28355 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28356 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28357 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28358 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28434 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-28470 Visual Studio Code GitHub Pull Requests and Issues Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28448 Visual Studio Code Kubernetes Tools Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28472 Visual Studio Code Maven for Java Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28457 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28469 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28473 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28475 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28477 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-27064 Visual Studio Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28464 VP9 Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27072 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-28311 Windows Application Compatibility Cache Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-28326 Windows AppX Deployment Server Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28438 Windows Console Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28443 Windows Console Driver Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-28323 Windows DNS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28328 Windows DNS Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-27094 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2021-28447 Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability Important 4.4 No No SFB
CVE-2021-27088 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28435 Windows Event Tracing Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28318 Windows GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28348 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28349 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-28350 Windows GDI+ Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26416 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-28314 Windows Hyper-V Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28441 Windows Hyper-V Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28444 Windows Hyper-V Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-26415 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28440 Windows Installer Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26413 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-27093 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28309 Windows Kernel Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-27079 Windows Media Photo Codec Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-28445 Windows Network File System Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-26417 Windows Overlay Filter Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-28446 Windows Portmapping Information Disclosure Vulnerability Important 7.1 No No Info
CVE-2021-28320 Windows Resource Manager PSM Service Extension Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27090 Windows Secure Kernel Mode Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27086 Windows Services and Controller App Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28324 Windows SMB Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-28325 Windows SMB Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28347 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28351 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28436 Windows Speech Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-28319 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-28439 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-28442 Windows TCP/IP Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-28316 Windows WLAN AutoConfig Service Security Feature Bypass Vulnerability Important 4.2 No No SFB

Moving on to the remaining Critical-rated patches, there are two additional patches for Exchange that are nearly as severe as those already documented. None of the Exchange bugs this month indicate Office 365 versions are affected. Like those before them, these bugs only impact on-prem installations. Microsoft also provided additional information about the security updates. If you’re running Exchange, this should be considered required reading.

There’s a bug impacting Azure Sphere, but you likely won’t need to take any action to be protected. Devices running Azure Sphere connected to the Internet should receive automatic updates. If your devices are isolated, you will need to ensure these updates are applied. The final two Critical-rated patches correct bugs in the Windows Media Video Decoder component. For these, an attacker would need to convince a user to open specially crafted media on an affected system to gain arbitrary code execution at the logged-on user level.

Looking at other bugs in this release, we see more than half of the patches this month are related to remote code execution vulnerabilities. Beyond those already mentioned, the bugs mostly impact Office and Windows components. In most cases, they represent open-and-own scenarios. Of those that stand out, there’s a bug impacting Outlook that requires user interaction but could lead to code execution. There are several patches for Visual Studio as well. These also will require some form of user interaction. There’s one patch for the Visual Studio Code GitHub Pull Requests and Issues Extension, but it’s unclear how an attacker would leverage this vulnerability. The same goes for the bug in Visual Studio Code Kubernetes Tools. The final RCE bugs to watch out for impact the GDI+ component. These are somewhat cryptic. Even though they are listed as RCE, their attack vector is listed as local and user interaction is none. This would indicate the bugs could be triggered by something other than viewing or opening an image, but without further details, we can only speculate. 

There are 19 bugs labelled as privilege escalations, and this includes two of the publicly known vulnerabilities. The first occurs in the Azure ms-rest-nodeauth library, and the other is in the RPC Endpoint Mapper Service. There’s also a privilege escalation in Hyper-V, but it’s not clear where an attacker would escalate from or to. For the majority of these bugs, an attacker would need to log on to an affected system and run their own code. As mentioned above, these are typically combined with a separate code execution bug to take over a system.

This month’s release also includes patches for nine Denial of Service (DoS) bugs, including the publicly known Moderate-rate DoS in NTFS. The other DoS bug that stands impacts the TCP/IP driver. It appears an attacker could cause a DoS by sending specially crafted packets to an affected system, although it’s not clear if this would result in a blue screen of if the system would just stop responding. Other DoS bugs impact SharePoint, the AppX Deployment server, Hyper-V, and other Windows components.

The final publicly known bug this month in an info disclosure bug in the Windows Installer. If exploited, the bug could allow attackers unauthorized file system access. There are 17 total info disclosure bugs receiving patches this month, and most only lead to leaks consisting of unspecified memory contents. An exception to this is a bug that impacts the Azure DevOps Server. If exploited, this vulnerability could leak pipeline configuration variables and secrets. There’s a patch for an info disclosure bug in Excel as well. A user would need to open a specially crafted file with Excel to be impacted, but it’s not clear what would leak beyond “sensitive information.”

Shifting to the security feature bypasses, there are two patches for the Windows Early Launch Antimalware driver – better known as ELAM. Microsoft does not list what security feature could be bypassed by either vulnerability. Other bypasses impact the Azure AD Web Sign-in and the Windows WLAN AutoConfig Service. These bugs also provide no guidance on what may be bypassed by an attacker.

This month’s release is rounded out by patches to address two spoofing bugs. The first bug impacts Azure DevOps Server and Team Foundation Services, while the other affects the Windows Installer. Neither of these bugs receives much in the way of documentation, but a CVSS score north of 6 means they shouldn’t be ignored.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on May 11, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The April 2021 Security Update Review

Pwn2Own 2021 - Schedule and Live Results

6 April 2021 at 13:47

Welcome to Pwn2Own 2021! This year, we’re distributed amongst various locations to run the contest, but we’ll be bringing you all of the results live from Austin with love. This year’s event is shaping up to be one of the largest in Pwn2Own history, with 23 separate entries targeting 10 different products in the categories of Web Browsers, Virtualization, Servers, Local Escalation of Privilege, and - our newest category - Enterprise Communications.

If you’ve ever wanted to watch Pwn2Own but couldn’t get to Vancouver, you’re in luck! We’ll be streaming the entirety of the event on YouTube, Twitch, and the conference site. In between the attempts, we’ll also have interviews with researchers and vendors, highlights from previous events, and other videos highlighting some of the work done by Trend Micro research. On Wednesday, we’ll have a special “Hacker Hall of Fame” video series that is not to be missed. Be sure to stop by often to see the latest.

As always, we started the contest with a random drawing to determine the order of attempts. We have a total of 23 attempts scheduled over the next three very full days. The complete schedule for the contest is below (all times Eastern [UTC -4:00]). We will update this schedule with results as they become available.

Note: All times subject to change

Tuesday, April 6

Miss any of the attempts? You can watch the full replay of Day One here.

1000 - Jack Dates from RET2 Systems targeting Apple Safari in the Web Browser category

SUCCESS - Jack used an integer overflow in Safari and an OOB Write to get kernel-level code execution. In doing so, he wins $100,000 and 10 Master of Pwn points.

1130 - DEVCORE targeting Microsoft Exchange in the Server category

SUCCESS - The DEVCORE team combined an authentication bypass and a local privilege escalation to complete take over the Exchange server. They earn $200,000 and 20 Master of Pwn points.

1300 - The researcher who goes by OV targeting Microsoft Teams in the Enterprise Communications category

SUCCESS - OV combined a pair of bugs to demonstrate code execution on Microsoft Teams. In doing so, we earns himself $200,000 and 20 points towards Master of Pwn

1430 - Team Viettel targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - The team used an integer overflow in Windows 10 to escalate from a regular user to SYSTEM privileges. This earns them $40,000 and 4 points towards Master of Pwn.

1530 - The STAR Labs team of Billy, Calvin and Ramdhan targeting Parallels Desktop in the Virtualization category

FAILURE - The STAR Labs team could not get their exploit to work within the time allotted.

1630 - Ryota Shiga of Flatt Security Inc targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS - Ryota used an OOB access bug to go from a standard user to root on Ubuntu Desktop. He earns $30,000 and 3 Master of Pwn points in his Pwn2Own debut.

1730 - The STAR Labs team of Billy, Calvin and Ramdhan Oracle VirtualBox in the Virtualization category

FAILURE - The STAR Labs team could not get their exploit to work within the time allotted.

Wednesday, April 7

Miss any of the attempts? You can watch the full replay of Day Two here.

0900 - Jack Dates from RET2 Systems targeting Parallels Desktop in the Virtualization category

SUCCESS - Jack combined three bugs - an uninitialized memory leak, a stack overflow, and an integer overflow to escape Parallels Desktop and execute code on the underlying OS. He earns $40K and 4 more Master of Pwn points. His two day total is now $140,000 and 14 points.

1000 - Bruno Keith (@bkth_) & Niklas Baumstark (@_niklasb) of Dataflow Security (@dfsec_it) targeting Google Chrome and Microsoft Edge (Chromium) in the Web Browser category

SUCCESS - The team used a Typer Mismatch bug to exploit the Chrome renderer and Microsoft Edge. Same exploit for both browsers. They earn $100,000 total and 10 Master of Pwn points.

1130 - Team Viettel targeting Microsoft Exchange in the Server category

PARTIAL - Team Viettel successfully demonstrated their code execution on the Exchange server, but some of the bugs they used in their exploit chain had been previously reported in the contest. This counts as a partial win but does get them 7.5 Master of Pwn points.

1300 - Daan Keuper and Thijs Alkemade from Computest targeting Zoom Messenger in the Enterprise Communications category

SUCCESS - Daan Keuper and Thijs Alkemade from Computest used a three bug chain to exploit Zoom messenger and get code execution on the target system - all without the target clicking anything. They earn themselves $200,000 and 20 Master of Pwn points.

Zero clicks needed to pop calc

Zero clicks needed to pop calc

1430 - Tao Yan (@Ga1ois) of Palo Alto Networks targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - Tao Yan used a Race Condition bug to escalate to SYSTEM on the fully patched Windows 10 machine. He earns himself $40,000 and 4 points towards Master of Pwn.

1530 - Sunjoo Park (aka grigoritchy) targeting Parallels Desktop in the Virtualization category

SUCCESS - Sunjoo Park (aka grigoritchy) used a logic bug to execute code on the underlying operating system through Parallels Desktop. He wins $40,000 and 4 points towards Master of Pwn.

1630 - Manfred Paul targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS - Manfred used an OOB Access bug to escalate to a root user on Ubuntu Desktop. The Pwn2Own veteran earns himself $30,000 and 3 points towards Master of Pwn.

1730 - The researcher known as z3r09 targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - z3r09 used an integer overflow to escalate his permissions up to NT Authority\SYSTEM. His impressive display nets him $40,000 and 4 points towards Master of Pwn.

Thursday, April 8

0900 - Benjamin McBride from L3Harris Trenchant targeting Parallels Desktop in the Virtualization category

SUCCESS - Ben used a memory corruption bug to successfully execute code on the host OS from within Parallels Desktop. He earns $40,000 and 4 Master of Pwn points.

1000 - Steven Seeley of Source Incite targeting Microsoft Exchange in the Server category

PARTIAL - Although Steven did use two unique bugs in his demonstration, this attempt was a partial win due to the Man-in-the-Middle aspect of the exploit. It's still great research though, and he earns 7.5 Master of Pwn points.

1130 - The STAR Labs team of Billy targeting Ubuntu Desktop in the Local Escalation of Privilege category

PARTIAL - Although Billy was able to successfuolly escalate privileges to root, the bug he used was known to the vendor and will be patched soon. The demonstration does earn him 2 additional Master of Pwn points.

1230 - Fabien Perigaud of Synacktiv targeting Windows 10 in the Local Escalation of Privilege category

PARTIAL - Despite the excellent use of ASCII art during his demonstration, it turns out Microsoft was aware of the bug he used. He still earns 2 Master of Pwn points for the partial win.

1330 - Alisa Esage targeting Parallels Desktop in the Virtualization category

PARTIAL - Despite the great demonstration (replete with ASCII art), the bug used by Alisa had been reported to the ZDI prior to the contest, making this a partial win. It's still great work, and we're thrilled she broke ground as the 1st woman to participate as an independent researcher in Pwn2Own history. Her efforts do result in two points towards Maser of Pwn.

1430 - Vincent Dehors of Synacktiv targeting Ubuntu Desktop in the Local Escalation of Privilege category

SUCCESS - Despite admitting this was the first exploit he had written for Linux, Vincent had no issues escalating to root through a double free bug. He earns himself $30,000 and 3 Master of Pwn points.

1530 - Da Lao targeting Parallels Desktop in the Virtualization category

SUCCESS - The researcher known as Da Lao used an OOB Write to successfully complete his guest-to-host escape in Parallels. He earns $40,000 and 4 points towards Master of Pwn.

1630 - Marcin Wiazowski targeting Windows 10 in the Local Escalation of Privilege category

SUCCESS - Marcin used a Use After Free (UAF) bug to escalate to SYSTEM on Windows 10. He wins himself $40,000 and 4 Master of Pwn points.

Thanks again to our partners Tesla, Zoom, and Adobe as well as our sponsor VMware. Thanks also to the researchers who participate and to the vendors for providing fixes for what’s discovered during the contest. As a reminder, vendors have 90 days to produce a fix for all vulnerabilities reported.

Pwn2Own 2021 - Schedule and Live Results

The March 2021 Security Update Review

9 March 2021 at 18:31

It’s the third second Tuesday of the year, which means we get the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for March 2021

For March, Adobe released three patches covering eight CVEs in Adobe Connect, Creative Cloud Desktop, and Framemaker. Two of these CVEs came through the ZDI program. The update for Framemaker fixes a single Out-of-Bounds (OOB) read vulnerability that could lead to remote code execution. The update for Creative Cloud addresses three different Critical-rated CVEs. Two of these bugs could lead to code execution while the third could allow a privilege escalation. The final Adobe patch for March covers one Critical and three Important-rated vulnerabilities in Adobe Connect. The Critical-rated bug could lead to arbitrary code execution while the other bugs addressed are all reflective cross-site scripting (XSS) bugs). None of the issues addressed by Adobe are listed as publicly known or under active attack at the time of release.

Updated March 10:

After the initial release, Adobe also shipped patches for PhotoShop and Animate to address nine additional CVEs. The Animate patch fixes two Critical and five Important-rated bugs. The Critical bugs are buffer overflows that could allow code execution while the Important-rated bugs could allow information disclosure. The patch for PhotoShop addresses two Critical rated bugs that could allow code execution. None of the issues are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2021

Microsoft started the March patch cycle early by shipping an emergency patch for Exchange last week covering seven unique CVEs. Four of these bugs are listed as under active attack, which is why the patch was released outside the normal, patch Tuesday cycle. There has already been a mountain of information published about these vulnerabilities, so I won’t cover the bugs in more detail here. However, if you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible. Microsoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.

For all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. These 89 CVEs include the seven Exchange CVEs released last week. A total of 15 of these bugs came through the ZDI program. Of these 89 bugs, 14 are listed as Critical and 75 are listed as Important in severity. According to Microsoft, two of these bugs are listed as publicly known while five are listed as under active attack at the time of release.

Please note these CVE counts do not include the CVEs patched in the recent update to the Chromium version of the Edge browser. Last week, Version 89 of this browser was released.

 Let’s take a closer look at some of the more interesting updates for this month, starting with the other bug listed as being under active attack:

 -       CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based) that could allow an attacker to run their code on affected systems if they view a specially crafted HTML file. Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.

 -        CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability
This is the second straight month with a DNS server RCE vulnerability, and this month’s bug has company. A total of 5 bugs are listed as DNS Server Remote Code Execution Vulnerabilities, but this CVE is the only one listed as Critical. All note that Secure Zone Updates lessen the likelihood of successful exploitation but are not a full mitigation. This implies dynamic updates may be involved in the exploitation of these bugs. All five of these bugs are listed as a CVSS 9.8, and there is the outside chance this could be wormable between DNS servers. Definitely prioritize the testing and deployment of these updates.

 -       CVE-2021-26867 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow an authenticated attacker to execute code on the underlying Hyper-V server. While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system. Microsoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.

 -       CVE-2021-27076 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a code execution bug originally submitted through the ZDI program. For an attack to succeed, the attacker must be able to create or modify Sites with the SharePoint server. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions. This is similar to some other SharePoint bugs we have blogged about in the past, and we’ll have additional details about this vulnerability on our blog in the near future.

Here’s the full list of CVEs released by Microsoft for March 2021.

CVE Title Severity CVSS Public Exploited DOS
CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No Yes RCE
CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 7.8 No Yes RCE
CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 7.8 No Yes RCE
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.8 No Yes RCE
CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability Critical 6.2 No No RCE
CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability Critical 9.3 No No RCE
CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24089 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No No RCE
CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-26890 Application Virtualization Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability Important 6.8 No No Info
CVE-2021-24095 DirectX Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24110 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27047 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27048 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27049 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27050 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27051 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27062 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27085 Internet Explorer Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-27053 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27054 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9.1 No No RCE
CVE-2021-27058 Microsoft Office ClickToRun Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24108 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27057 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27059 Microsoft Office Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-26859 Microsoft Power BI Information Disclosure Vulnerability Important 7.7 No No Info
CVE-2021-27056 Microsoft PowerPoint Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27052 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-27076 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability Important 4.6 No No Spoof
CVE-2021-27055 Microsoft Visio Security Feature Bypass Vulnerability Important 7 No No SFB
CVE-2021-26887 Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26881 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2021-27082 Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26882 Remote Access API Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27083 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26880 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26886 User Profile Service Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-27081 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability Important Unlisted No No RCE
CVE-2021-27060 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27070 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-26869 Windows ActiveX Installer Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-27066 Windows Admin Center Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-26860 Windows App-V Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26865 Windows Container Execution Agent Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26891 Windows Container Execution Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-24090 Windows Error Reporting Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26872 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26898 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26901 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24107 Windows Event Tracing Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26892 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability Important 6.2 No No SFB
CVE-2021-26868 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26861 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26862 Windows Installer Elevation of Privilege Vulnerability Important 6.3 No No EoP
CVE-2021-26884 Windows Media Photo Codec Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26879 Windows NAT Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-26874 Windows Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1640 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26878 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26870 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26866 Windows Update Service Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-26889 Windows Update Stack Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-1729 Windows Update Stack Setup Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-26899 Windows UPnP Device Host Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26873 Windows User Profile Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26864 Windows Virtual Registry Provider Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2021-26871 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26885 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26863 Windows Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP

Moving on to the remaining Critical-rated patches, two affect Azure Sphere, but you likely won’t need to take any action. Devices running Azure Sphere are connected to the Internet receive automatic updates. If your devices are isolated, you should make sure these updates are applied. There are four patches to correct bugs in the HEVC Video Extensions, and these updates are available from the Windows Store. There’s a patch for a bug in OpenType Fonts that could be exploited by viewing a specially crafted font. Finally, there’s an intriguing update for Git for Visual Studio that fixes a bug that requires no privileges but some level of user interaction. The attack complexity is also listed as low, so we may hear more about this vulnerability in the future.

Shifting to the Important-rated patches, there are still a bunch of code execution bugs to look at. In fact, 45 of the 90 bugs patched this month are listed as some form of remote code execution. Many of the affected components have matching Important updates to go with their Critical counterparts. These include Exchange, DNS Server, HVEC Video Extensions, and IE. This month’s release included five RCE bugs impacting Visual Studio. Most are straightforward, however, the update for the Quantum Development Kit for Visual Studio must be manually downloaded. This can be done through the extensions page within Visual Studio. There are also the expected updates for Office and Office components. Similar to last month, users of Microsoft Office 2019 for Mac will need to wait for their update to be made available.

Looking at the 30 Elevation of Privilege (EoP) bugs addressed in this month’s release, most require an attacker to log on to an affected system and run specially crafted code to escalate privileges. Almost all of these patches impact the Windows kernel and various Windows components. One bug to note had previously been disclosed by ZDI as Microsoft stated it did not meet their bar for servicing. At some point after we published our advisory, Microsoft changed course and produced a patch to address this issue. We’re glad they changed their mind.

This month’s release includes patches for six information disclosure bugs. Usually, these types of cases only lead to leaks consisting of unspecified memory contents. That’s true for three of these bugs, but the others leak some significant info. The vulnerability in Azure Virtual Machine could allow a low-privileged user to gain virtual machine credentials as well as credentials to extensions associated with the virtual machine. Speaking of credentials, the bug in Microsoft Power BI could expose NTLM hashes, which could then be brute-forced to reveal plaintext passwords. Finally, according to the Microsoft write-up, the info leak in SharePoint Server could allow an attacker access to an “organizational's email, sites, filename, url of file...” There’s nothing more than this generic description listed, but assume valuable information could be exposed by an attacker.

Three components receive patches to fix security feature bypasses (SFB) this month. The bypasses for Windows Extensible Firmware Interface and the Windows Admin Center receive patches but no documentation. The SFB for Visio does get some additional information, but the attack scenario seems far from common. Systems would be affected only with a specific Group Policy Object. An attacker would still need to modify a macro-enabled template that ships with Excel. If those two conditions occur and the user runs a malicious file on a system affected by that Group Policy, some form of bypass can occur. Based on the write-up, it doesn’t read like imminent danger, but still probably best to roll out the patch.

This month’s release is rounded out by four denial-of-service (DoS) bugs and a spoofing vulnerability. The spoofing bug occurs in the SharePoint server, but no further information is provided. Two of the DoS bugs impact the DNS Server service, and they have the same caveats as the previously mentioned code execution bugs. There’s also a DoS in the NAT Server service. For these bugs, it’s not clear if the service can just be restarted or if a full system reboot is required. The final DoS was reported through the ZDI program, but it doesn’t impact a service. Instead, it notes a bug in the User Profile Service. By creating a junction, an attacker can abuse the service to overwrite the contents of a chosen file, thus creating a DoS condition.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on April 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The March 2021 Security Update Review

The February 2021 Security Update Review

9 February 2021 at 18:26

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2021

For February, Adobe released six patches addressing 50 CVEs in Adobe Dreamweaver, Illustrator, Animate, Photoshop, Magento, and Reader. A total of 14 of these bugs came through the ZDI program. The update for Adobe Reader fixes a total of 23 CVEs, 17 of which are rated Critical, and eight of which were reported through the ZDI program. CVE-2021-21017, a heap-based buffer overflow, is listed as being under “limited” active attacks on Reader for Windows. Definitely prioritize the testing and deployment of this update.

The update for Magento is also significant as it patches 18 bugs, seven of which are rated Critical. In the worst-case scenario, successful exploitation could lead to arbitrary code execution at the level of the current process. The update for Dreamweaver fixes a single, Important-rated info disclosure bug. The patch for Illustrator fixes two Out-Of-Bounds (OOB) write bugs that could lead to code execution. There’s also an OOB write being fixed in the patch for Animate. The patch for Photoshop fixes five Critical-rated bugs that could allow code execution.

Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2021

For February, Microsoft released patches for 56 CVEs covering Microsoft Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender. Seven of these CVEs were submitted through the ZDI program. Of these 56 CVEs, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity. According to Microsoft, one bug is known to be actively exploited and six other bugs are listed as being publicly known at the time of release. This is roughly half the volume as what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs. Microsoft provides no information on where these CVEs were publicly exposed.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

-       CVE-2021-1732 - CVE-2021-1732 - Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution a the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

-       CVE-2021-24078 - Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

-       CVE-2021-24074 - Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.

-       CVE-2021-26701 - .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could all remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for February 2021.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability Important 6.5 Yes No DoS
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability Important 5.5 Yes No DoS
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24112 .NET Core for Linux Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24111 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability Important 7.8 No No Info
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability Important 5.4 No No Spoof
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability Important 8 No No Spoof
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Moderate 6.8 No No EoP
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability Moderate 6.5 No No DoS

You’ll notice we have added the CVSS scores to the table. This is to provide further detail on the severity of the patches since Microsoft is now relying on CVSS scores so heavily. We recommend balancing the Microsoft severity (i.e., Critical, Important, Moderate, etc…) with the CVSS score to help determine prioritization for your enterprise.

Moving on to the remaining Critical-rated patches, two involve codec libraries and were reported by ZDI vulnerability researcher Hossein Lotfi. Both of these bugs are OOB Writes that result from the lack of proper validation of user-supplied data. This can lead to a write past the end of an allocated buffer and allow an attacker to execute code in the context of the current user. There are two Critical-rated bugs impacting the Fax Service, but the Windows Fax and Scan feature needs to be enabled for a system to be affected by this vulnerability. There’s a patch for the Windows graphics component to correct a bug that allows code execution when viewing a specially crafted image. The Windows Spooler service also receives a Critical-rated patch to prevent remote code execution, although the exploit path is not as clear here. The final Critical-rated bug addresses a vulnerability in the .NET Core for Linux. In this case, a .NET application utilizing libgdiplus on a non-Windows system could allow code execution if an attacker sends a specially crafted request.

Shifting our focus to Important-rated updates, there are nine bugs that could result in remote code execution. The most interesting of these are two that impact the SharePoint Server. One of these came from an anonymous contributor to our program and could allow code execution if an authenticated user can trigger through deserialization of untrusted data by tampering with client-side data. There are four patches for Excel – two that came through our program – that would allow code execution when opening a specially crafted file in Excel. Note that the updates for Microsoft Office 2019 for Mac are not currently available. Hopefully, Microsoft gets those out soon.

There are a couple of updates to Visual Studio addressing code execution bugs. In one case, a user would need to clone a malicious repository from inside Visual Studio Code. Once completed, attacker code would execute once the targeted user viewed contents of the repository. That’s not the most likely scenario. The Windows Address Book gets a patch for a bug found by ZDI vulnerability researcher Mat Powell. The bug results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Finally, there’s a significant bug in the Windows package manager that can only be addressed by reconfiguring installation tools and workflows. Microsoft provides several resources with additional information on this vulnerability and how to mitigate it. It is highly recommended to read and heed all information here. Considering the complexity in resolving this issue, this is a bug that could stick with us for a while.

There are only 11 Elevation of Privilege (EoP) bugs addressed in this month’s release, and we’ve already covered the one under active attack. Two are publicly known, and the more interesting of those impacts Sysinternals PsExec. If you’re not familiar with this tool, it’s a lightweight utility that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It’s also often used by red teams when penetrating a network. We’ll likely see this bug end up in different toolkits should an exploit become available. The other publicly known bug impacts Windows Installer, but there’s no additional information about this vulnerability. Other EoP fixes of note include one for PKU2U, which is a peer-to-peer authentication protocol. Although systems not running PKU2U are not affected, Microsoft still recommends installing this update to all potentially impacted OSes.

Two different security feature bypasses receive fixes this month. The first covers a bypass in PowerShell, although no further information on what is bypassed is provided. The second covers a bypass in PFX encryption. When exporting a SID-protected PFX file, keys encrypted using AES are not properly protected. You’ll need to do more than just patch here as well. Any SID-protected PFX files using AES for key encryption should be regenerated and exported after this update is installed and all copies of the original PFX files must be securely destroyed.

There are 10 different patches for information disclosure bugs in this month’s release. The info leak impacting DirectX is another of the publicly known bugs. While most of these cases only lead to leaks consisting of unspecified memory contents, some do yield some interesting data. The bug fixed in the patch for Edge for Android could disclose personally identifiable information (PII) and payment information of a user. The vulnerability in Microsoft Dataverse could expose underlying datasets in Dataverse, which could include PII. This vulnerability in Microsoft Teams iOS exposes the Skype token value in the preview URL for images in the Teams iOS app. The SharePoint bug leaks SQL table columns that would normally be restricted. Finally, the bug in Mobile Device Management could allow an attacker to read from the file system.

There are a handful of notable Denial-of-Service (DoS) bugs patched this month, and the fix for TCP/IP leads the way. Similar to CVE-2021-24094, this bug also involves IPv6 fragmentation, although there’s no patch to code execution here. Disallowing IPv6 UDP fragmentation at the perimeter could have some side effects but implementing the workaround to drop out-of-order packets seems more reasonable. Still, this should be tested before updating production systems. The DoS bugs impacting .NET Core and the Windows Console Driver are listed as publicly known, but Microsoft provides no further details. There’s a patch for a DoS vulnerability in Skype for Business and Lync. If you’re still using either of those messaging tools, definitely look to patch soon.

Speaking of Skype for Business and Lync, these also receive a patch to fix a spoofing bug. Microsoft doesn’t indicate what is spoofed, but they do note user interaction is required. There’s also a spoofing bug in Exchange that dates back to September of 2020. Since the bug was in the Exchange Server installer, it could only be addressed in a complete release as opposed to a cumulative update. Microsoft allowed time for customers to move to the September release before disclosing the vulnerability. The other Exchange spoofing bug comes from Pwn2Own winner Steven Seeley and allows an authenticated attacker to leak a CERT file, which would allow an attacker to forge CSRF tokens. The final spoofing bug for this month fixes a SharePoint bug that could allow an authenticated attacker to manipulate the SharePoint blog sharing functionality to produce a bogus message or link.

The only cross-site scripting (XSS) bug in this month’s release impacts Microsoft Dynamics Business Central. Rounding out this month’s release are Moderate-rated bugs in Azure Kubernetes and the Windows Trust Verification API. Those using the Azure Kubernetes Service should be automatically updated to an unaffected version, but you should still verify your version number to be sure.  

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on March 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The February 2021 Security Update Review

The January 2021 Security Update Review

12 January 2021 at 18:27

Welcome to the new year, and welcome to the first Patch Tuesday of 2021. Take a break from your regularly scheduled activities and join us as we review the details for the latest security offerings from Microsoft and Adobe. 

Adobe Patches for January 2021

This month, Adobe released seven updates addressing eight CVEs in Adobe Campaign Classic, Photoshop, Illustrator, Animate, InCopy, Captivate, and Bridge. Two of these bugs came through the ZDI program. The patch for Campaign Classic fixes a single Server-side request forgery (SSRF) vulnerability. The Photoshop patch fixes a single heap-based buffer overflow. The update for Illustrator corrects a Critical-rated uncontrolled search path element vulnerability. That’s the same story for the Animate and InCopy patches. The update for Captivate also fixes an uncontrolled search path element bug, but this one is only rated Important. The final Adobe patch for January fixes two Out-Of-Bounds (OOB) write bugs in Bridge. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2021

For January, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Seven of these CVEs were submitted through the ZDI program. Of these 83 CVEs, 10 are listed as Critical and 73 are listed as Important in severity. According to Microsoft, one bug is publicly known, and one other bug is known to be actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

 -       CVE-2021-1647 - Microsoft Defender Remote Code Execution Vulnerability
This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to manually apply the patch. Microsoft does not state how wide-spread the active attacks are.

 -       CVE-2021-1648 - Microsoft splwow64 Elevation of Privilege Vulnerability
This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref. The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.

 -       CVE-2021-1677 - Azure Active Directory Pod Identity Spoofing Vulnerability
This vulnerability exists in the way that the Azure Active Directory (AAD) pod identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access to the Azure Instance Metadata Service (IMDS) endpoint and get a token of that identity. This could allow an attacker to laterally steal the identities that are associated with different pods. This is also requires more than just a patch to fix. Anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes.

 -       CVE-2021-1674 – Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this is different than CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible.  

Here’s the full list of CVEs released by Microsoft for January 2021. 

CVE Title Severity Public Exploited Type
CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability Critical No Yes RCE
CVE-2021-1648 Microsoft splwow64 Elevation of Privilege Vulnerability Important Yes No EoP
CVE-2021-1665 GDI+ Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1643 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1668 Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability Critical No No RCE
CVE-2021-1658 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1660 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1666 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1667 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1673 Remote Procedure Call Runtime Remote Code Execution Vulnerability Critical No No RCE
CVE-2021-1723 .NET Core and Visual Studio Denial of Service Vulnerability Important No No DoS
CVE-2021-1649 Active Template Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1677 Azure Active Directory Pod Identity Spoofing Vulnerability Important No No Spoofing
CVE-2021-1725 Bot Framework SDK Information Disclosure Vulnerability Important No No Info
CVE-2021-1651 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1680 Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1644 HEVC Video Extensions Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1691 Hyper-V Denial of Service Vulnerability Important No No DoS
CVE-2021-1692 Hyper-V Denial of Service Vulnerability Important No No DoS
CVE-2021-1713 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1714 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1711 Microsoft Office Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1712 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1719 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1707 Microsoft SharePoint Server Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1718 Microsoft SharePoint Server Tampering Vulnerability Important No No Tampering
CVE-2021-1641 Microsoft SharePoint Spoofing Vulnerability Important No No Spoofing
CVE-2021-1717 Microsoft SharePoint Spoofing Vulnerability Important No No Spoofing
CVE-2021-1636 Microsoft SQL Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1710 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1715 Microsoft Word Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1716 Microsoft Word Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1678 NTLM Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1664 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1671 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1700 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1701 Remote Procedure Call Runtime Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1656 TPM Device Driver Information Disclosure Vulnerability Important No No Info
CVE-2020-26870 Visual Studio Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1699 Windows (modem.sys) Information Disclosure Vulnerability Important No No Info
CVE-2021-1642 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1685 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1638 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1683 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1684 Windows Bluetooth Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1679 Windows CryptoAPI Denial of Service Vulnerability Important No No DoS
CVE-2021-1652 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1653 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1654 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1655 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1659 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1688 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1693 Windows CSC Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1637 Windows DNS Query Information Disclosure Vulnerability Important No No Info
CVE-2021-1645 Windows Docker Information Disclosure Vulnerability Important No No Info
CVE-2021-1703 Windows Event Logging Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1662 Windows Event Tracing Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1657 Windows Fax Compose Form Remote Code Execution Vulnerability Important No No RCE
CVE-2021-1708 Windows GDI+ Information Disclosure Vulnerability Important No No Info
CVE-2021-1696 Windows Graphics Component Information Disclosure Vulnerability Important No No Info
CVE-2021-1704 Windows Hyper-V Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1661 Windows Installer Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1697 Windows InstallService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1682 Windows Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1706 Windows LUAFV Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1689 Windows Multipoint Management Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1676 Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1695 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1663 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1670 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1672 Windows Projected File System FS Filter Driver Information Disclosure Vulnerability Important No No Info
CVE-2021-1674 Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1669 Windows Remote Desktop Services ActiveX Client Security Feature Bypass Vulnerability Important No No SFB
CVE-2021-1702 Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1650 Windows Runtime C++ Template Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1694 Windows Update Stack Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1681 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1686 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1687 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1690 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1709 Windows Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2021-1646 Windows WLAN Service Elevation of Privilege Vulnerability Important No No EoP

Of the remaining Critical-rated patches, five involve remote code execution (RCE) bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important. Similarly, there’s a Critical-rated patch for HEVC Video Extensions that is documented the same as the Important-rated patch for HEVC Video Extensions. Either way, you’ll get the update for both through the Microsoft Store. Those who use either the Microsoft Store for Business or the Microsoft Store for Education will be able to get this update through their organizations. Rounding out the Critical-rated patches is an update for Edge and patch for GDI+. 

Moving on to the other patches, the update for the Active Template Library (ATL) stand out. Back in 2009, multiple bulletins and advisories were required to correct a typo. It’s not clear if the situation is that dire with this update, but if you created anything using ATL, you will likely need to apply the patch then recompile your program. That’s also like true for the patch to fix an EoP in the Windows Runtime C++ Template Library.

In looking at the Important-rated bugs that could allow RCE, the SharePoint bug should not be ignored. It does require authentication, but it could allow an authenticated user to take complete control of the system. The patch for Visual Studio also stands out. This update fixes a bug in Cure53 DOMPurify, which is an open-source library used by Visual Studio. The fix for this has been available since September, so you should treat this as though it was publicly disclosed. The remaining code execution bugs cover “Open-and-Own” bugs in Office components. An attacker would need to send a specially crafted file and convince a user to open it with an affected component. That would allow the attacker to execute code of their choice at the level of the logged-on user.

Similar to last month, there are multiple security feature bypasses being fixed this month. In addition to the two already mentioned, there are three impacting the Bluetooth component and one impacting NTLM. CVE-2021-1638 is definitely intriguing as it requires no authentication and no user interaction. The other Bluetooth bugs do require some level of user interaction. The bypass for NTLM requires some level of user interaction but no authentication. Again, without executive summaries, we can only speculate the true severity of these bypasses.

There are a total of 34 EoP bugs getting patches this month. For almost all of these, an attacker would need to log on to a system then execute specially crafted code to elevate their permissions. Most of these are in various Windows, but the ones in Hyper-V and SharePoint stand out. Speaking of SharePoint, this month’s release also includes patches to fix a tampering bug and two spoofing bugs in SharePoint.   

This month includes four patches to correct Denial-of-Service (DoS) bugs. Two of these bugs are in Hyper-V, and one is in .NET Core and Visual Studio. The last of these bugs resides in the Windows CryptoAPI and can be reached remotely. According to the CVSS rating, there is some level of user interaction involved, but no authentication is needed. 

Rounding out this release are 11 patches fixing information disclosure bugs. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, the info leak in Windows Docker is a bit more severe. This vulnerability could allow an attacker to decrypt data that was encrypted by the data protection API (DPAPI). It’s not clear if you need to re-encrypt data after applying this patch, but this has been required for similar bugs in the past. Without specifics on the bug, it’s tough to offer specific guidance. The other info disclosure bug that piques curiosity is the bug impacting the Bot Framework SDK. For this component, we’re just told the information leaked is “sensitive information.” Still, if you use the SDK, make sure you get an unaffected version.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!

The January 2021 Security Update Review

  • There are no more articles
❌