As part of June Patch Tuesday, 50 vulnerabilities in Microsoft products were fixed, including six 0-day vulnerabilities in Windows.
Vulnerabilities that have been patched were found in Microsoft Office, .NET Core and Visual Studio, Edge browser, Windows Cryptographic Services, SharePoint, Outlook and Excel.
Six zero-day vulnerabilities that were already under attack were also addressed, with one of these problems clearly using a commercial exploit. The hackers were reported to have exploited the following bugs:
- CVE-2021-33742: Windows MSHTML Platform Remote Code Execution Vulnerability;
- CVE-2021-31955: Windows Kernel Information Disclosure Vulnerability;
- CVE-2021-31956: Windows NTFS Privilege Elevation Vulnerability;
- CVE-2021-31962: Kerberos AppContainer Bypass Vulnerability;
- CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Privilege Escalation Vulnerability;
- CVE-2021-31201: Privilege escalation vulnerability in Microsoft Enhanced Cryptographic Provider.
Details of the vulnerabilities have not yet been disclosed to give users and administrators more time to install patches (before attackers could understand how these bugs can be exploited).
The fact that four of the six issues are privilege elevation vulnerabilities suggests that attackers may have exploited them as part of the infection chain to gain elevated permissions on target systems (to later execute malicious code or steal sensitive information).
However, a little more is known about the CVE-2021-33742 bug (an RCE vulnerability in the MSHTML component, which is part of the Internet Explorer browser). For example, Google analyst Shane Huntley writes on Twitter that this problem is not only used for attacks, but an exploit for it seems to have been developed by a professional commercial vulnerability broker. According to the expert, the exploit was used by government hackers to attack targets in Eastern Europe and in the Middle East.
Microsoft also writes that the patches for CVE-2021-31201 and CVE-2021-31199 are related to the RCE issue CVE-2021-28550, which was fixed by Adobe developers last month.
Traditionally, we note that “update Tuesday” affects not only Microsoft solutions. Other manufacturers have also released patches for their products this week.
Adobe: Announced updates for ten products, fixing 39 different bugs. First place went to After Effects with eight critical vulnerabilities that can be exploited to execute code (all rated 7.8 on the CVSS scale). Five critical issues have been fixed in Acrobat and Reader, all of which allow arbitrary code execution, and two critical flaws have been fixed in Photoshop.
Intel: Issued 29 security bulletins covering 79 different vulnerabilities. More than half of these problems were identified within the company, and another 40% were the result of the bug bounty program.
SAP: The company has submitted 17 security bulletins. Almost all of the bugs fixed were almost harmless, apart from a couple of major problems allowing remote code execution.
Android: Google has fixed over 50 vulnerabilities in its mobile OS, including several critical ones. The most serious of these, CVE-2021-0507, can be used for remote code execution. The bug affects Android 8.1, 9, 10 and 11, as well as another critical flaw, CVE-2021-0516, which can be used for privilege escalation.
Let me remind you that I talked about the fact that Hackers Bypass Firewalls Using Windows Feature.