The July 2021 Security Update Review

July 13, 2021 | Dustin Childs

The second Tuesday of the month is here, and it brings with it the latest security patches from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for July 2021

For July, Adobe released five patches addressing 29 CVEs in Adobe Dimension, Illustrator, Framemaker, Acrobat and Reader, and Adobe Bridge. A total of 15 of these bugs were reported through the ZDI program, with several being discovered by ZDI researchers Mat Powell and Joshua Smith. The update for Acrobat and Reader fixes 19 different bugs – several of which could lead to code execution if an attacker can convince a user to open a malicious PDF with an affected version. The update for Dimension also could allow code execution. For Illustrator, three bugs are being fixed. The two that allow for code execution occur during the processing of PDF and JPEG2000 files. These issues result from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Similar Out-Of-Bounds (OOB) Write bugs exist in the five fixes for Bridge. Again, code execution would occur at the level of the logged-on user. The single CVE fixed by the Framemaker patch corrects an OOB Write that exists within the parsing of TrueType fonts embedded in PDF files.

None of the bugs fixed this month by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for July 2021

For July, Microsoft released patches for 117 CVEs in Microsoft Windows, Dynamics, Exchange Server, Microsoft Office, Windows Storage Spaces Controller, Bing, SharePoint Server, Internet Explorer (IE), Visual Studio, and OpenEnclave. A total of 17 of these bugs were reported through the ZDI program. Of these 117 bugs, 13 are rated Critical, 103 are rated Important, and one is rated as Moderate in severity. This volume of fixes is more than the last two months combined and on par with the monthly totals from 2020. Perhaps the lowered rate seen in the prior months was an aberration. According to Microsoft, six of these bugs are publicly known and four are listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with a bug that’s already received a lot of (warranted) attention:

- CVE-2021-34527 - Windows Print Spooler Remote Code Execution Vulnerability
Much has already been written about this currently exploited bug also known as PrintNightmare. Microsoft released an Out-of-Band (OOB) patch for this bug on July 1, and they have updated it multiple times since then. There have been reports the patch is ineffective, but Microsoft insists it works – provided certain registry keys have the correct values. Enterprises should verify these registry keys are configured as intended and get this patch rolled out. It’s also a fine time to disable the Print Spooler service wherever it isn’t needed and restrict the installation of printer drivers to just administrators.
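As an added example (not part of the original post), here is a PowerShell posture check for the three things this paragraph tells enterprises to verify: whether the Spooler service is running, whether the Point and Print registry values are set the way Microsoft requires for the fix to be effective, and whether printer driver installation is restricted to administrators. The registry path and value names are taken from Microsoft's published guidance for CVE-2021-34527 as I know it, not from this post; confirm them against the current advisory before relying on the script. The two remediation functions are opt-in and do nothing unless called.

```powershell
# Added example, not code from the original post. Run in an elevated session.
# Registry path and value names: Microsoft's Point and Print policy values for
# CVE-2021-34527 as I know them (assumption; verify against the current advisory).
$ppKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'

function Get-PrintSpoolerPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. Is the Print Spooler running, and will it come back at boot?
    #    (StartType requires PowerShell 5.0 or later.)
    $spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
    if ($null -eq $spooler) {
        $findings.Add('Spooler service not present on this host.')
    } else {
        $findings.Add("Spooler status: $($spooler.Status), start type: $($spooler.StartType)")
        if ($spooler.Status -eq 'Running' -and $spooler.StartType -ne 'Disabled') {
            $findings.Add('REVIEW: Spooler is running; disable it if this host does not print or share printers.')
        }
    }

    # 2. Point and Print values. Per Microsoft's guidance these must be 0 or absent,
    #    otherwise the patch does not fully protect the host.
    $props = Get-ItemProperty -Path $ppKey -ErrorAction SilentlyContinue
    foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
        $value = if ($props) { $props.$name } else { $null }
        if ($null -eq $value) {
            $findings.Add("OK: $name is not set (treated as 0).")
        } elseif ($value -eq 0) {
            $findings.Add("OK: $name = 0.")
        } else {
            $findings.Add("FAIL: $name = $value; set it to 0 (see Microsoft guidance for CVE-2021-34527).")
        }
    }

    # 3. Driver installation restricted to administrators? (1 = restricted)
    $restrict = if ($props) { $props.RestrictDriverInstallationToAdministrators } else { $null }
    if ($restrict -eq 1) {
        $findings.Add('OK: RestrictDriverInstallationToAdministrators = 1.')
    } else {
        $findings.Add('REVIEW: RestrictDriverInstallationToAdministrators is not 1; non-admins may install printer drivers.')
    }

    return $findings
}

function Disable-PrintSpooler {
    # Opt-in. Only for hosts that neither print nor share printers.
    Stop-Service -Name Spooler -Force -ErrorAction Stop
    Set-Service -Name Spooler -StartupType Disabled
}

function Set-PrinterDriverInstallRestriction {
    # Opt-in. Restrict printer driver installation to administrators on hosts
    # that must keep the spooler running.
    if (-not (Test-Path $ppKey)) { New-Item -Path $ppKey -Force | Out-Null }
    Set-ItemProperty -Path $ppKey -Name RestrictDriverInstallationToAdministrators -Value 1 -Type DWord
}

Get-PrintSpoolerPosture | ForEach-Object { Write-Output $_ }
```

Running the script prints one line per check; lines beginning with FAIL mean the July fix is not yet effective on that host, and lines beginning with REVIEW are the spooler and driver-installation decisions the paragraph asks you to make deliberately.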

- CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability
This bug is also listed as under active exploit, but there’s no indication of how widespread the attack is. The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.

- CVE-2021-34494 - Windows DNS Server Remote Code Execution Vulnerability
This bug is currently not under active attack, but considering the severity, there are those who will work to change that status. This bug could allow remote code execution at a privileged service level on a listening network port without user interaction. Microsoft does mention low privileges are needed, but depending on the server configuration, these could be easily gained. This bug is restricted to DNS Servers only, but if there’s one system you don’t want wormed, it’s probably your DNS server. Definitely test and deploy this one quickly.

- CVE-2021-34458 - Windows Kernel Remote Code Execution Vulnerability
It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.

Here’s the full list of CVEs released by Microsoft for July 2021:

CVE Title Severity CVSS Public Exploited Type
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No Yes RCE
CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-33771 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 Yes No RCE
CVE-2021-33781 Active Directory Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34523 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 9 Yes No EoP
CVE-2021-33779 Windows ADFS Security Feature Bypass Vulnerability Important 8.1 Yes No SFB
CVE-2021-34492 Windows Certificate Spoofing Vulnerability Important 8.1 Yes No Spoofing
CVE-2021-34474 Dynamics Business Central Remote Code Execution Vulnerability Critical 8 No No RCE
CVE-2021-34464 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34522 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34439 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34503 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-34450 Windows Hyper-V Remote Code Execution Vulnerability Critical 8.5 No No RCE
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-33740 Windows Media Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-34497 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 6.8 No No RCE
CVE-2021-34476 Bowser.sys Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34489 DirectWrite Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34440 GDI+ Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31947 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33775 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33776 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33777 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33778 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33760 Media Foundation Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-33753 Microsoft Bing Search Spoofing Vulnerability Important 4.7 No No Spoofing
CVE-2021-34501 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34518 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33766 Microsoft Exchange Information Disclosure Vulnerability Important 7.3 No No Info
CVE-2021-33768 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-34470 Microsoft Exchange Server Elevation of Privilege Vulnerability Important 8 No No EoP
CVE-2021-31196 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.2 No No RCE
CVE-2021-31206 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34451 Microsoft Office Online Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34469 Microsoft Office Security Feature Bypass Vulnerability Important 8.2 No No SFB
CVE-2021-34467 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34468 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No RCE
CVE-2021-34520 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.1 No No RCE
CVE-2021-34517 Microsoft SharePoint Server Spoofing Vulnerability Important 5.3 No No Spoofing
CVE-2021-34479 Microsoft Visual Studio Spoofing Vulnerability Important 7.8 No No Spoofing
CVE-2021-34441 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34452 Microsoft Word Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33767 Open Enclave SDK Elevation of Privilege Vulnerability Important 8.2 No No EoP
CVE-2021-31984 Power BI Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-34521 Raw Image Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33751 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34460 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34510 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34512 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34513 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34509 Storage Spaces Controller Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34477 Visual Studio Code .NET Runtime Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34528 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34529 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34449 Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34516 Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34491 Win32k Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34504 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33785 Windows AF_UNIX Socket Provider Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34459 Windows AppContainer Elevation Of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34462 Windows AppX Deployment Extensions Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-33782 Windows Authenticode Spoofing Vulnerability Important 5.5 No No Spoofing
CVE-2021-33784 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34488 Windows Console Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34461 Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33759 Windows Desktop Bridge Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33745 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34442 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34444 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-34499 Windows DNS Server Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-33746 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33754 Windows DNS Server Remote Code Execution Vulnerability Important 8 No No RCE
CVE-2021-33780 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-34525 Windows DNS Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33749 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33750 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33752 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33756 Windows DNS Snap-in Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-33774 Windows Event Tracing Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-34455 Windows File History Service Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34438 Windows Font Driver Host Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-34498 Windows GDI Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34496 Windows GDI Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34466 Windows Hello Security Feature Bypass Vulnerability Important 5.7 No No SFB
CVE-2021-34446 Windows HTML Platform Security Feature Bypass Vulnerability Important 8 No No SFB
CVE-2021-33755 Windows Hyper-V Denial of Service Vulnerability Important 6.3 No No DoS
CVE-2021-33758 Windows Hyper-V Denial of Service Vulnerability Important 7.7 No No DoS
CVE-2021-34511 Windows Installer Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33765 Windows Installer Spoofing Vulnerability Important 6.2 No No Spoofing
CVE-2021-31961 Windows InstallService Elevation of Privilege Vulnerability Important 6.1 No No EoP
CVE-2021-34514 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34500 Windows Kernel Memory Information Disclosure Vulnerability Important 6.3 No No Info
CVE-2021-34508 Windows Kernel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-33764 Windows Key Distribution Center Information Disclosure Vulnerability Important 5.9 No No Info
CVE-2021-33788 Windows LSA Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33786 Windows LSA Security Feature Bypass Vulnerability Important 8.1 No No SFB
CVE-2021-34447 Windows MSHTML Platform Remote Code Execution Vulnerability Important 6.8 No No RCE
CVE-2021-34493 Windows Partition Management Driver Elevation of Privilege Vulnerability Important 6.7 No No EoP
CVE-2021-33743 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33761 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33773 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34445 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-34456 Windows Remote Access Connection Manager Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-33763 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34454 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34457 Windows Remote Access Connection Manager Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-34507 Windows Remote Assistance Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-33744 Windows Secure Kernel Mode Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33757 Windows Security Account Manager Remote Protocol Security Feature Bypass Vulnerability Important 5.3 No No SFB
CVE-2021-33783 Windows SMB Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-31183 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-33772 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34490 Windows TCP/IP Driver Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability Moderate 5.3 No No Info
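As an added example (not from the post), here is a PowerShell function that parses the release table above into objects so the release can be sorted the way defenders need: bugs under active attack first, then publicly known ones, then by CVSS. The seven rows embedded below are copied from the table; paste the whole table (one CVE per line, same column order) into $tableText to triage the full release.

```powershell
# Added example, not code from the original post. Sample rows are copied from
# the release table above; replace with the full table to triage everything.
$tableText = @'
CVE Title Severity CVSS Public Exploited Type
CVE-2021-34527 Windows Print Spooler Remote Code Execution Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-34448 Scripting Engine Memory Corruption Vulnerability Critical 6.8 No Yes RCE
CVE-2021-31979 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-34473 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 Yes No RCE
CVE-2021-34458 Windows Kernel Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-34494 Windows DNS Server Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-34519 Microsoft SharePoint Server Information Disclosure Vulnerability Moderate 5.3 No No Info
'@

function ConvertFrom-ReleaseTable ([string] $Text) {
    # Columns: CVE, Title (the only multi-word column), Severity, CVSS, Public,
    # Exploited, Type. The regex anchors on the fixed-format columns on either
    # side of the title so spaces inside the title do not matter.
    $pattern = '^(CVE-\d{4}-\d+)\s+(.+?)\s+(Critical|Important|Moderate|Low)\s+(\d+(?:\.\d+)?)\s+(Yes|No)\s+(Yes|No)\s+(\S+)$'
    foreach ($line in $Text -split "`r?`n") {
        # Header and blank lines do not match and are skipped.
        if ($line -notmatch $pattern) { continue }
        [pscustomobject]@{
            CVE       = $Matches[1]
            Title     = $Matches[2]
            Severity  = $Matches[3]
            CVSS      = [double] $Matches[4]
            Public    = ($Matches[5] -eq 'Yes')
            Exploited = ($Matches[6] -eq 'Yes')
            Type      = $Matches[7]
        }
    }
}

$rows = ConvertFrom-ReleaseTable $tableText

# Patch order: in-the-wild exploitation first, then public disclosure, then CVSS.
$rows |
    Sort-Object -Property @{ Expression = 'Exploited'; Descending = $true },
                          @{ Expression = 'Public';    Descending = $true },
                          @{ Expression = 'CVSS';      Descending = $true } |
    Format-Table CVE, Severity, CVSS, Public, Exploited, Type, Title -AutoSize

# Severity breakdown, to reconcile against the counts given in the post.
$rows | Group-Object Severity | Select-Object Name, Count
```

With the full table pasted in, the Group-Object line should reproduce the 13 Critical, 103 Important and one Moderate the post reports, and the sorted view puts the four exploited bugs at the top regardless of their CVSS, which is the ordering the Scripting Engine discussion above argues for.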

Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new. One of the new ones is CVE-2021-31206, which was disclosed during the last Pwn2Own contest. There are also new patches for elevation of privilege bugs that could be exploited in a man-in-the-middle attack or by a network-adjacent attacker. The real surprise in this month’s Exchange patches is the three bugs patched in April but not documented until today. Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.

Taking a look at the remaining Critical-rated bugs, there are two updates for Defender code execution bugs, although you likely won’t need to take any action. Microsoft regularly updates the Malware Protection Engine, so if your system is connected to the Internet, it should have already received an update. There are also RCE bugs in Dynamics 365 Business Central, Windows Media Foundation, MSHTML, and Hyper-V.

Moving to the Important-rated RCE bugs, there are quite a few impacting the Windows DNS Server. Most of these would require an administrator to view a malicious record in the DNS Snap-in to be exploited. There are also a few that have no user interaction and require only low-level privileges. Two of the patches fix denial-of-service (DoS) bugs in the server. Shutting DNS down is nearly as severe as taking it over. In all cases, the DNS Server must be enabled for a system to be impacted by these bugs. The Important RCEs category is rounded out by fixes for Office components, SharePoint Server, and HEVC Video Extensions.

There are a total of 32 Elevation of Privilege (EoP) patches in this month’s release. In addition to the ones previously mentioned, six of these fix EoP bugs in the Windows Storage Spaces Controller. There are also fixes for EoP vulnerabilities in the kernel, Remote Access Connection Manager, Installer service, partition management, and projected file system.

We’ve already mentioned quite a few DoS bugs in this release, and there are a few more to look out for. The first is a bug in the Local Security Authority (LSA). Microsoft doesn’t detail the impact of the bug, but a DoS on LSA implies users can’t authenticate. There are three DoS vulnerabilities in the TCP/IP stack. Again, no details from Microsoft, but it appears an attacker could shut down all networking on a device. Finally, there are fixes for DoS bugs in bowser.sys and the Windows AF_UNIX Socket Provider.

There are 14 patches fixing information disclosure bugs this month, including the single Moderate-rated fix for a bug in SharePoint Server. This bug could disclose PII and, in some cases, requires multiple packages to be completely addressed. Most of the other bugs only lead to leaks consisting of unspecified memory contents. Two notable exceptions impact KDC and SMB. The KDC has a weak encryption algorithm that could be used to decrypt and expose information related to a user or service's active session. The SMB bug could allow an attacker unauthorized file system access, meaning they could read files on the affected system.

Eight security feature bypasses are fixed in this month’s release. The patch for ADFS fixes a bug in the Primary Refresh Tokens, which are normally stored in the TPM. The tokens aren’t encrypted properly. Attackers could extract and potentially decrypt the token for reuse until the token expires or is renewed. There’s a bug in LSA that could allow a read-only domain controller (RODC) to delegate rights by granting itself a ticket. This ticket isn’t validated by a domain controller, which could lead to a read-only DC getting Read/Write privileges. A patch for the Security Account Manager adds Advanced Encryption Standard (AES) encryption as the preferred method when using the MS-SAMR protocol. Microsoft will be releasing KB5004605 with additional configuration details in the future. At the time of release, it’s mentioned, but not live yet. Frustratingly, no details are available about the other bypasses, which include the patches for two publicly known bugs and Windows Hello.

This month’s release is rounded out by seven patches to address spoofing bugs in SharePoint Server, Bing Search, Visual Studio, Office, Authenticode, Installer, and a bug that could allow certificate spoofing. In late June, Microsoft reported they were investigating reports regarding a malicious actor trying to leverage the Windows Hardware Compatibility Program (WHCP) process. While they indicated there was no evidence of certificate exposure, it’s possible this patch resulted from that investigation. They do mark the bug as publicly known, but there’s no documentation confirming the link. No details are available about any of the other spoofing patches.

As usual, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows this month. No new advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on August 10, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!