This month’s Patch Wednesday release includes 116 CVEs, 12 of which are rated critical. This is the second time in 2021 that Microsoft has patched more than 100 CVEs, and this month’s release contains the highest number of patches so far this year. Among them, Microsoft patched six vulnerabilities in Exchange Server.
Below is a comment from Satnam Narang, Staff Research Engineer at Tenable; Tenable’s full analysis is available here.
“Notable in this release was CVE-2021-34473, a remote code execution flaw, and CVE-2021-34523, an elevation of privilege vulnerability, both of which Microsoft says were addressed as part of its security updates from April 2021. However, these CVEs were somehow omitted from that release. CVE-2021-34473 is more likely to be exploited according to Microsoft’s Exploitability Index. Organisations that applied the April 2021 Security Updates have addressed CVE-2021-34473 and CVE-2021-34523.
“In the April 2021 Patch Tuesday release, Microsoft patched four other critical Exchange Server vulnerabilities that were credited to the NSA, which followed an out-of-band patch in March that addressed four zero-days in Exchange Server that had been exploited in the wild, including ProxyLogon. Since the discovery of ProxyLogon, researchers and attackers alike have continued to poke around in Exchange Server for additional flaws. In fact, CVE-2021-31196, another remote code execution vulnerability in Exchange Server patched in the July release, is credited to Orange Tsai of the DEVCORE team. The DEVCORE team is credited with the discovery of ProxyLogon.” — Satnam Narang, Staff Research Engineer, Tenable