Microsoft June Security Patch Bundle Addresses 49 Vulnerabilities
Microsoft released patches for 49 common vulnerabilities and exposures (CVEs) in its products on Tuesday, according to security researcher counts.
Five CVEs in this month's bundle were rated "Critical" by researchers, with the rest deemed "Important." Those labels may seem helpful, although Microsoft doesn't use them. It uses Common Vulnerability Scoring System (CVSS) numbers from 1 to 10, plus boilerplate descriptions, in its voluminous and unfathomable "Security Update Guide."
Windows, Office .NET Core and Visual Studio are getting patches this month. Software as disparate as Paint 3D and Microsoft Intune also are in the mix, which includes lots of Windows components. Even Windows Defender anti-virus is getting a patch, although it's likely to have already been updated through its automated update mechanism.
An abbreviated summary of products getting patches can be found in Microsoft's June "Release Notes."
Zero Days and Known Flaws
This relatively light June security patch load is somewhat overshadowed by this month's bundle bringing patches for six CVEs that were known to have been exploited before this update Tuesday release. They are considered to be under active attack. Researchers typically refer to these vulnerabilities, which are said to be not known beforehand by software companies, as "zero-day" flaws.
Also, three CVEs in this month's bundle were publicly known before Microsoft's Tuesday disclosure and patch release. That circumstance is conceived as upping risks for organizations.
Organizations that apply the June Windows security patches will have addressed the Microsoft zero-day vulnerabilities, noted Chris Goettl, senior director of product management at IT solutions firm Ivanti, in an e-mailed comment. However, it's possible for organizations to be lulled because some of these CVEs have middle-of-the-pack CVSS ratings, he noted:
This brings an important prioritization challenge to the forefront this month -- severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases. Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware.
Six Zero Day Flaws
The six zero-day vulnerabilities in this month's patch bundle, per Trend Micro's Zero Day Initiative blog, include:
- CVE-2021-33742 (CVSS 7.5), a Critical remote code execution issue in Windows MSHTML, which is Internet Explorer's Trident engine. Microsoft is still maintaining the Trident engine despite Internet Explorer's planned end next year on Windows 10. All Windows systems are affected, even if an organization isn't using IE.
- CVE-2021-33739 (CVSS 8.4), an Important elevation-of-privilege vulnerability in the Microsoft DWM Core Library, which requires attacker access to run a script on a machine.
- CVE-2021-31199 and CVE-2021-31201 (CVSS 5.2), which are Important elevation-of-privilege vulnerabilities in a Windows cryptographic provider. Dustin Childs of the Zero Day Initiative lumped these two vulnerabilities together because they are associated with an Adobe Reader flaw (CVE-2021-28550) that was "under attack last month." He suggested Microsoft's two patches this month were addressing "the privilege escalation part of those [Adobe Reader] exploits," since remote code execution attacks typically get followed by privileged escalation attempts.
- CVE-2021-31955 (CVSS 5.5), an information disclosure vulnerability in the Windows kernel.
- CVE-2021-31956 (CVSS 7.8), an elevation-of-privilege vulnerability in Windows NTFS.
The Zero Day Initiative post by Childs is notable for tallying the June Microsoft security patch bundle as addressing 50 CVEs, rather than 49 CVEs. Security researchers typically come up with different Microsoft patch count tallies.
As usual, it's the security researchers at various security solutions firms that offer the best guidance on Microsoft's update Tuesday security patch releases.
Experts at security solutions provider Automox offered comments and published a June index ranking Microsoft's patches, as well as patches for Adobe and Mozilla products. Automox put priority patching on the six zero-day Microsoft vulnerabilities, plus the Critical ones this month:
While Automox recommends that all critical vulnerabilities are patched within a 72-hour window, the fact that many of this month's critical vulnerabilities have no workarounds raises our recommendation to patching these systems with the highest priority.
Cybersecurity researchers at Tenable published a blog post illustrating the effects of Microsoft's June patches in graphic form. Satnam Narang, staff research engineer at Tenable, urged applying the fixes as soon as possible since "unpatched flaws remain a problem for many organizations months after patches have been released."
The relatively low patch count from Microsoft this month shouldn't "diminish the importance of speedily applying the updates," especially given the six zero-day vulnerabilities, according to Adam Bunn, Rapid7's lead software engineer for VRM. He also pointed to an Important (CVSS 9.4) Kerberos AppContainer security bypass vulnerability getting patched this month, namely CVE-2021-31962.
"Additionally, enterprises should take action on CVE-2021-31962 if they use Kerberos in their environment as it may allow an attacker to bypass Kerberos authentication altogether," Bunn stated via e-mail.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.