3 Windows zero-days fixed on July Patch Tuesday
Microsoft addressed 116 unique CVEs, including several corrections for Exchange Server, in this month's batch of security updates.
Administrators still facing the fallout from the PrintNightmare bug must contend with one of the bigger Patch Tuesday releases this year.
For July Patch Tuesday, Microsoft delivered security updates for 116 unique CVEs, including three Windows zero-days and five public disclosures, in a return to the triple-digit releases that were more commonplace in 2020. Despite the substantial number of vulnerabilities, admins can apply the cumulative update to Windows systems to eliminate the most serious threats without too much effort.
"The good news is all three of the zero-days and three out of five of the public disclosures are all in the operating system," said Chris Goettl, senior director of product management for security products at Ivanti. "If administrators handle that July OS update, they will take care of all those bugs in the one update this month."
Microsoft plugs three Windows zero-days
Two of the three zero-days for July Patch Tuesday are elevation-of-privilege vulnerabilities. Attackers who currently have a foothold in the environment typically use these bugs to spring an exploit to gain full system access.
CVE-2021-31979 is an elevation-of-privilege bug in the Windows kernel. The vulnerability is rated important and affects all supported Windows desktop and client systems. This bug also affects Windows Server 2008/R2 and Windows 7 systems, which have exited extended support. Microsoft, however, continues to correct security issues for those systems for customers who subscribe to the Extended Security Updates program.
CVE-2021-33771 is also an elevation-of-privilege vulnerability in the Windows kernel rated important. It differs from the other CVE in that it only affects desktop systems starting with Windows 8.1 and later versions, and server systems starting with Windows Server 2012 and later versions.
After a successful phishing attempt to gain access to a user's device, a proficient threat actor could wield one of these elevation-of-privilege bugs in their attack chain to complete the takeover, Goettl said.
The third Windows zero-day is a scripting engine memory corruption vulnerability (CVE-2021-34448) rated critical for all supported Windows systems. Users can trigger the exploit if they click on malicious content hosted on a website, or click on a link in an email and then open a specially crafted file.
"There's regular phishing attacks and then there's well-crafted phishing attacks. 97% of users cannot spot a well-crafted phishing attack," Goettl said.
Fixes delivered for public disclosures
Two of the public disclosures relate to issues with the Active Directory platform, which handles user authentication and other resource access functions.
CVE-2021-33779 is an Active Directory Federation Services security feature bypass vulnerability rated important for Windows Server 2016 and later versions. The patch strengthens the encryption of primary refresh tokens used for single sign-on with Azure Active Directory accounts.
CVE-2021-33781 is an Active Directory security feature bypass vulnerability rated important for Windows 10 and Windows 2019 and later versions. According to Microsoft, the update adds several security-related fixes and improvements, including revisions to the functionality behind the verification of usernames and passwords.
The third publicly disclosed bug, CVE-2021-34492, is a Windows certificate spoofing vulnerability rated important that affects Windows 7 and up for desktop systems and Windows Server 2008 and up for servers.
"Tricking the operating system to make it think that the certificate you're signing something with is valid when it's not, so you can bypass a lot of security capabilities, is pretty concerning," Goettl said.
Several vulnerabilities corrected for Exchange Server
After a brief respite last month, Microsoft's on-premises messaging platform, Exchange Server, returned to the spotlight with corrections for seven vulnerabilities. However, Microsoft's notes suggest the company patched three of the bugs in April but didn't include them in the Security Update Guide until this month. Those bugs are:
- CVE-2021-33766 -- an information disclosure vulnerability rated important for supported versions of Exchange Server.
- CVE-2021-34523 -- an elevation-of-privilege vulnerability rated important for supported Exchange Server versions. Information for this bug had been publicly disclosed.
- CVE-2021-34473 -- a remote-code execution vulnerability rated critical for supported versions of Exchange. Information for this flaw had been publicly disclosed.
"This is an informational change only," the company wrote in its release notes for the three CVEs. "Customers who have already installed the April 2021 update do not need to take any further action."
The following CVEs are new for Exchange Server in April Patch Tuesday:
- CVE-2021-31206 is a remote-code execution vulnerability rated important for supported Exchange Server versions. This bug surfaced in the annual Pwn2Own contest in April. Goettl recommended administrators prioritize this security update due to the visibility of the exploit at the hacking event, which could have drawn threat actors' attention.
- CVE-2021-31196 is a remote-code execution vulnerability rated important for supported versions of Exchange.
- CVE-2021-33768 is an elevation-of-privilege bug rated important. Microsoft's notes indicate the attack vector is adjacent, meaning an exploit cannot come directly from the internet but must originate from a protocol tied to the target system, such as Bluetooth or "secure VPN to an administrative network zone."
- CVE-2021-34470 is an elevation-of-privilege bug rated important with the same attack vector as CVE-2021-33768. Microsoft said admins who manage Exchange Server 2016 or Exchange Server 2019 will see downloads for these versions in the June cumulative update due to a schema change.
Multiple Windows DNS server corrections issued
Administrators will also want to concentrate on prompt patch deployment for any Domain Name System (DNS) servers in their environments.
Microsoft released fixes for 13 CVEs related to this crucial server role. Of all the vulnerabilities, CVE-2021-33780 has one of the highest CVSS scores at 8.8, with an assessment of "Exploitation More Likely." While only rated as important, the bug does not require user interaction and affects all supported Windows Server versions.
Many admins can't wake up from PrintNightmare ordeal
Microsoft's security team released two blog posts to offer clarity on PrintNightmare, the vulnerability for which the company issued out-of-band updates on July 6 and July 7.
PrintNightmare is the name given to CVE-2021-34527, a remote-code execution vulnerability in the Windows print spooler that affects all supported server and desktop systems, including Windows 7 and Windows Server 2008. Initial confusion stemmed from IT pros who conflated this vulnerability with another print spooler bug, CVE-2021-1675, that had been corrected on June Patch Tuesday. Microsoft released eight revisions to the PrintNightmare CVE and produced an extensive FAQ section to resolve any misunderstandings.
"The security updates released on and after July 6, 2021 contain protections for a remote code execution exploit in the Windows Print Spooler service known as 'PrintNightmare,' documented in CVE-2021-34527, as well as for CVE-2021-1675," the company wrote.
Microsoft said applying the patch alone will not mitigate the problem. Admins must also make the following additions to the Windows registry:
- Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint
  - NoWarningNoElevationOnInstall = 0 (DWORD) or not defined (default setting)
  - UpdatePromptSettings = 0 (DWORD) or not defined (default setting)
The company offered two options in addition to the registry fix: Disable the print spooler service or disable inbound remote printing through Group Policy. Each workaround will disable the printing functionality on the system.
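The following read-only audit script is an added example, not part of the article or of Microsoft's guidance. It checks whether the two Point and Print registry values above are 0 or undefined on the local machine and reports the Print Spooler service state, so an administrator can confirm the conditions under which the July update fully mitigates CVE-2021-34527; the function name and output format are the example's own.

```powershell
# Added example (not from the article): audit the Point and Print values that
# Microsoft's PrintNightmare guidance requires to be 0 or undefined, and show
# the Print Spooler service state. Read-only; it changes nothing.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
$valuesToCheck = @('NoWarningNoElevationOnInstall', 'UpdatePromptSettings')

# Hypothetical helper: returns one row per value with a Safe flag.
function Test-PointAndPrintValue {
    param([string]$Path, [string]$Name)
    # A missing key or value is the default, which the guidance treats as safe.
    if (-not (Test-Path -Path $Path)) {
        return [pscustomobject]@{ Name = $Name; Value = $null; State = 'not defined (default)'; Safe = $true }
    }
    $props = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if ($null -eq $props -or -not ($props.PSObject.Properties.Name -contains $Name)) {
        return [pscustomobject]@{ Name = $Name; Value = $null; State = 'not defined (default)'; Safe = $true }
    }
    $v = $props.$Name
    $safe = ($v -eq 0)
    $state = if ($safe) { '0 (OK)' } else { 'non-zero (weakens the patch)' }
    return [pscustomobject]@{ Name = $Name; Value = $v; State = $state; Safe = $safe }
}

$results = foreach ($n in $valuesToCheck) { Test-PointAndPrintValue -Path $keyPath -Name $n }
$results | Format-Table -AutoSize

# Report the spooler state; a stopped/disabled spooler is one of the two workarounds.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler) {
    "Print Spooler service: $($spooler.Status) (StartType: $($spooler.StartType))"
}

if ($results.Safe -contains $false) {
    Write-Warning 'A Point and Print value is non-zero; per Microsoft, the July 2021 update alone does not fully mitigate CVE-2021-34527 with this setting.'
} else {
    'Point and Print values are 0 or undefined: consistent with the mitigation guidance.'
}
```

Run it in an elevated PowerShell session on each print server or endpoint; the registry values are typically set by Group Policy, so a non-zero result usually points to a policy that needs to be revisited.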