Microsoft Patches 6 Vulnerabilities Currently Under AttackNone Are Rated Critical, But Analysts Say Patching Each Is Important
Microsoft's June Patch Tuesday contained patches for six zero-day vulnerabilities being exploited in the wild, including two flaws detected by Kaspersky that were being exploited by a new threat group named PuzzleMaker.
That Microsoft rates the zero-day vulnerabilities as just "important" and not "critical" does not mean they should be given a lower priority by IT admin teams, says Chris Goettl, senior director of product management at the endpoint security firm Ivanti.
"This brings an important prioritization challenge to the forefront this month - severity ratings and scoring systems like CVSS may not reflect the real-world risk in many cases," Goettl says. "Adopting a risk-based vulnerability management approach and using additional risk indicators and telemetry on real-world attack trends is vital to stay ahead of threats like modern ransomware."
Microsoft issued security fixes for 50 vulnerabilities in Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code - Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.
For the first time since March, no Microsoft Exchange Server flaws were fixed in the company's monthly security rollup.
The six zero-day vulnerabilities, all rated as "important" or "low," that are being exploited are tracked as: CVE-2021-33742, CVE-2021-33739, CVE-2021-31199, CVE-2021-31201, CVE-2021-31955 and CVE-2021-31956. In addition, CVE-2021-31968 received a patch, but is not being exploited, according to Microsoft.
Jerry Gamblin, director of security research at Kenna Security, while not downplaying the importance of the danger inherent with these vulnerabilities, notes admins should not overreact to the fact that they are zero-days.
"Security teams should not panic about the six zero-days identified by Microsoft in today's Patch Tuesday as we have not yet seen independent confirmation of these specific exploits. Organizations should patch on their regular schedule," he says.
Breaking Down the Zero-Days
"The Windows OS updates this month are the top priority and resolve all of the zero-day vulnerabilities that Microsoft has resolved. Prioritize the OS update to reduce this risk quickly," says Goettl.
CVE-2021-33742 is a remote code vulnerability in Windows MSHTML Platform, rated "important," that could allow an attacker to execute code on a target system if a user views specially crafted web content.
"Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted - not just Internet Explorer," notes Trend Micro's Zero Day Initiative blog. "It's not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list."
Satnam Narang, staff research engineer at Tenable, notes that the attack complexity for exploiting this vulnerability is high, which means an attacker would need to perform additional legwork to exploit this flaw. It appears that was the case, though details of in-the-wild exploitation are not yet known.
CVE-2021-33739 is a flaw in Desktop Window Manager Core that could lead to privilege escalation via the execution of a malicious script or executable by an authenticated user.
Christopher Hass, director of information security and research with the endpoint security company Automox, notes that there are currently no workarounds available, so patching is "critical to protect yourselves from this vulnerability."
CVE-2021-31199 and CVE-2021-31201 are linked to Adobe Reader and were first reported under active attack in May. Both are privilege escalation vulnerabilities that exist within the Microsoft Enhanced Cryptographic Provider.
Microsoft has indicated organizations must install the June patch bundle to protect themselves against these CVEs, says Tyler Reguly, manager of security research and development at Tripwire.
CVE-2021-31968 is the lone zero-day flaw that attackers are not exploiting in the wild. If exploited, however, it could allow a remote, unauthenticated attacker to perform a distributed denial-of-service attack against Windows Remote Desktop Services, says Trend Micro.
Kaspersky's Zero-Day Discoveries
Kaspersky researchers contributed to this month's Patch Tuesday by uncovering the information disclosure vulnerability CVE-2021-31955 and the escalation of privilege flaw CVE-2021-31956 in April. Kaspersky found these vulnerabilities while investigating a series of attacks the company attributed to a group called PuzzleMaker. Kaspersky found the vulnerabilities were part of a chain of Google Chrome and Microsoft Windows zero-day exploits.
"The elevation of privilege exploit was fine-tuned to work against the latest and most prominent builds of Windows 10 (17763 - RS5, 18362 - 19H1, 18363 - 19H2, 19041 - 20H1, 19042 - 20H2) and it exploits two distinct vulnerabilities in the Microsoft Windows OS kernel," Kaspersky says.
Kaspersky reported the flaws to Microsoft on April 20.