Microsoft fixes seven critical bugs on light Patch Tuesday

Microsoft has resolved a total of 44 common vulnerabilities and exposures (CVEs), seven of which were rated as critical and only one of which was being actively exploited in the wild as a zero-day, in a lighter than usual Patch Tuesday release.

This is the second time in 2021 Microsoft has patched fewer than 50 CVEs, the last time being June.

It also marks a significant drop from July’s Patch Tuesday, which fixed 117 vulnerabilities, 13 of which were critical and four of which were being actively exploited at the time.

The patched zero-day being exploited is CVE-2021-36948, an elevation of privilege vulnerability in the Windows Update Medic Service that was reported internally by Microsoft’s security research teams.

According to Automox’s senior product marketing manager, Eric Feldman, this month’s vulnerabilities revolve around components in Windows that perform network communications, internet connections, printing, file repair, or remote connections.

“Several of these components have had a number of vulnerabilities reported so far this year. As the summer begins to wind down, returning to physical offices appears to be less likely for many segments of the workforce,” he said. “The trend is that remote work is here to stay, making the prioritisation of patching these components all the more vital.”

Breaking down the exploited vulnerability, which was marked as important, Automox’s director of product marketing, Jay Goodman, said Update Medic was a new service that allowed users to repair Windows Update components from a damaged state so that the device can continue to receive updates.

“The exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversaries toolbox,” he said, adding that because of its exploitation in the wild, organisations should prioritise a patch.

“Compounding the situation, remote code execution vulnerabilities are particularly problematic since they enable attackers to run malicious code on the exploited systems. When combined with other vulnerabilities allowing escalation of privileges, attackers can quickly and easily take full control of the target system and use it either to exfiltrate data or move laterally within the organisation’s infrastructure.”

None of the critical vulnerabilities have yet been exploited, but all revolve around remote code execution (RCE). These include CVE-2021-26432, -26424 -34480, -34530, -34534, -34535 and -36936.

Recorded Future’s senior security architect, Allan Liska, said that of these, CVE-2021-26424 was the one organisations should pay closest attention to.

“This is a Windows TCP/IP remote code execution vulnerability labelled critical by Microsoft. This vulnerability impacts Windows 7 through 10 and Windows Server 2008 through 2019,” he said.

“While this vulnerability is not listed as publicly disclosed or exploited in the wild, Microsoft did label this as ‘exploitation more likely’ meaning that exploitation is relatively trivial. Vulnerabilities in the TCP/IP stack can be tricky – some are easy to exploit while others are next to impossible, depending on where in the stack they are located.”

In terms of print spooler vulnerabilities, Chris Goettl, senior director of product mangement at Ivanti, noted that two of them (CVE-2021-34481 and -36936) were marked as publicly disclosed.

“CVE-2021-34481 is actually a re-release from July Patch Tuesday. After a more complete investigation, Microsoft made an additional update to address the vulnerability more completely. Normally a public disclosure is enough to put a vulnerability at higher risk of being exploited since details of the vulnerability had been made available prior to the update being released,” he said.

“In this case, right on the tails of multiple known exploited print spooler vulnerabilities, including PrintNightmare (CVE-2021-34527), the risk of these publicly disclosed vulnerabilities being exploited has increased.

“As a threat actor investigates code for vulnerabilities, they will potentially be looking for multiple ways to exploit a weak code area. White Hat researchers were able to uncover and report these additional exploits, so we should expect threat actors to be able to identify these additional vulnerabilities as well.”

Satnam Narang, staff research engineer at Tenable, added that Microsoft addressed a total of three vulnerabilities in Windows print spooler, two of which (CVE-2021-36947 and -36936) were rated as exploitation more likely. The latter vulnerability was identified as critical.

“Because of the ubiquitous nature of the Windows print spooler within networks, organisations should prioritise patching these flaws as soon as possible,” he said.