Microsoft patched 116 CVEs in the July 2021 Patch Tuesday release, including 12 CVEs rated as critical, 103 rated as important and one rated as moderate. It’s only the second time in 2021 that Microsoft has included more than 100 vulnerabilities in Patch Tuesday, while it passed that milestone eight times in 2020.
This month’s Patch Tuesday release includes fixes for:
- Common Internet File System
- Dynamics Business Central Control
- Microsoft Bing
- Microsoft Dynamics
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Scripting Engine
- Microsoft Windows Codecs Library
- Microsoft Windows DNS
- Microsoft Windows Media Foundation
- Power BI
- Role: DNS Server
- Role: Hyper-V
- Visual Studio Code
- Visual Studio Code – .NET Runtime
- Visual Studio Code – Maven for Java Extension
- Windows Active Directory
- Windows Address Book
- Windows AF_UNIX Socket Provider
- Windows AppContainer
- Windows AppX Deployment Extensions
- Windows Authenticode
- Windows Cloud Files Mini Filter Driver
- Windows Console Driver
- Windows Defender
- Windows Desktop Bridge
- Windows Event Tracing
- Windows File History Service
- Windows Hello
- Windows HTML Platform
- Windows Installer
- Windows Kernel
- Windows Key Distribution Center
- Windows Local Security Authority Subsystem Service
- Windows MSHTML Platform
- Windows Partition Management Driver
- Windows PFX Encryption
- Windows Print Spooler Components
- Windows Projected File System
- Windows Remote Access Connection Manager
- Windows Remote Assistance
- Windows Secure Kernel Mode
- Windows Security Account Manager
- Windows Shell
- Windows SMB
- Windows Storage Spaces Controller
- Windows TCP/IP
- Windows Win32K
Remote code execution (RCE) vulnerabilities accounted for 37.1% of the vulnerabilities patched this month, followed by Elevation of Privilege (EoP) at 27.6%.
Some of the most interesting vulnerabilities resolved in this update are:
- CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own.
- CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, requiring a victim to actively visit a malicious website or to click a malicious link.
- CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.
- CVE-2021-34458: A Windows Kernel RCE which permits a single root input/output virtualization (SR-IOV) device, assigned to a guest, to potentially tamper with PCIe associates.
The latest round of patches comes just a week after an emergency fix was issued by Microsoft to rectify a security flaw nicknamed “PrintNightmare.” Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released.
In total, four of the vulnerabilities — CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 — are listed as exploited in the wild.
Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet’s FortiGuard Lab, among other organizations, for reporting the now-patched security flaws. ZDI has reported 17 bugs; this month’s volume of fixes “is more than the last two months combined and on par with the monthly totals from 2020.”