Thirteen of the patches involved a remote code execution vulnerability, while another eight revolved around information disclosure. The affected tools included .NET Core & Visual Studio, ASP.NET Core & Visual Studio, Azure, Windows Update, Windows Print Spooler Components, Windows Media, Windows Defender, Remote Desktop Client, Microsoft Dynamics, Microsoft Edge (Chromium-based), Microsoft Office, Microsoft Office Word, Microsoft Office SharePoint and more. One of the most prominent patches released in the latest batch covers the Windows Print Spooler Remote Code Execution vulnerability, which has been a major topic of discussion since it was discovered in June. Microsoft also faced backlash from the security community for bungling the release of patches meant to address the issue. The fixed zero-day bugs include:
- CVE-2021-36948 Windows Update Medic Service Elevation of Privilege Vulnerability
- CVE-2021-36942 Windows LSA Spoofing Vulnerability
- CVE-2021-36936 Windows Print Spooler Remote Code Execution Vulnerability
According to Microsoft’s report, the Windows Update Medic Service Elevation of Privilege vulnerability is the only one that has been exploited in the wild. Still, they do not explain how, where, or by whom. Security expert Allan Liska said CVE-2021-36948 stood out to him because of its similarities to CVE-2020-17070, which was published in November 2020. “Obviously, it is bad that it is being exploited in the wild, but we saw almost the exact same vulnerability in November of 2020, but I can’t find any evidence that that was exploited in the wild,” Liska said. “So, I wonder if this is a new focus for threat actors.”

Liska added that CVE-2021-26424 is a vulnerability to keep an eye on because it’s a Windows TCP/IP Remote Code Execution vulnerability impacting Windows 7 through 10 and Windows Server 2008 through 2019. “While this vulnerability is not listed as publicly disclosed or exploited in the wild, Microsoft did label this as ‘Exploitation More Likely’, meaning that exploitation is relatively trivial. Vulnerabilities in the TCP/IP stack can be tricky. There was a lot of concern earlier this year around CVE-2021-24074, a similar vulnerability, but that has not been exploited in the wild,” Liska explained. “On the other hand, last year’s CVE-2020-16898, another similar vulnerability, has been exploited in the wild.”

The LSA spoofing vulnerability is related to an advisory Microsoft sent out late last month about how to protect Windows domain controllers and other Windows servers from the NTLM Relay Attack known as PetitPotam. In July, French researcher Gilles Lionel discovered that the PetitPotam take on the NTLM Relay attack can “coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw function.” It was never found to have been exploited. The Zero Day Initiative noted that Adobe also released two patches addressing 29 CVEs in Adobe Connect and Magento.
ZDI said it submitted eight of the bugs in the recent Microsoft report and explained that this is the smallest number of patches released by Microsoft since December 2019. They attributed the decline to resource constraints, considering Microsoft devoted extensive time in July to responding to events like PrintNightmare and PetitPotam. “Looking at the remaining Critical-rated updates, most are of the browse-and-own variety, meaning an attacker would need to convince a user to browse to a specially crafted website with an affected system,” ZDI said. “One exception would be CVE-2021-26432, which is a patch for the Windows Services for NFS ONCRPC XDR Driver. Microsoft provides no information on how the CVSS 9.8 rated vulnerability could be exploited, but it does note that it needs neither privileges nor user interaction to be exploited.”

The next Patch Tuesday is September 14.