Microsoft’s June Patch Wednesday addressed 49 CVEs. Of those, six have been observed as being exploited in the wild, and five are rated as critical. Remote code execution vulnerabilities account for 34% of the flaws, with elevation of privilege accounting for 26%. Below is a comment by Satnam Narang, Staff Research Engineer, Tenable; further analysis can be found here.
“This month’s Patch Wednesday release addressed 49 CVEs, five of which are rated critical. This is the third time in 2021 that Microsoft has patched fewer than 60 CVEs, and this month’s release contains the lowest number of patches in a month so far this year.
“Microsoft patched six zero-day vulnerabilities that have been exploited in the wild, including four elevation of privilege vulnerabilities, one information disclosure vulnerability and one remote code execution vulnerability.
“CVE-2021-33742 is a remote code execution vulnerability in the Microsoft Windows MSHTML Platform. While this vulnerability does not require special privileges, the attack complexity for exploiting this vulnerability is high, which means an attacker would need to perform additional legwork to successfully exploit this flaw. It appears that was the case, though details of in-the-wild exploitation are not yet known.
“CVE-2021-31955 is an information disclosure vulnerability in the Windows Kernel, while CVE-2021-31956 is an elevation of privilege vulnerability in Windows NTFS. Details about the in-the-wild exploitation of these vulnerabilities are not yet known. While both vulnerabilities require the attacker to be authenticated to the target system, it is likely that they have been leveraged either post-compromise by the attackers directly or through the use of a malicious file opened by a local user.
“CVE-2021-33739 is an elevation of privilege zero-day vulnerability in the Microsoft Desktop Window Manager (DWM) Core Library. For context, Microsoft patched two elevation of privilege vulnerabilities in February (CVE-2021-1732) and April (CVE-2021-28310) which appear to be linked to a threat actor known as BITTER APT. In the case of CVE-2021-28310, researchers linked the flaw to the dwmcore.dll file. Given that CVE-2021-33739 is credited to the same researchers who found CVE-2021-1732 in February, and was discovered in the same core library as CVE-2021-28310, it is feasible this is another zero-day being leveraged by the same BITTER APT group.
“While these vulnerabilities have already been exploited in the wild as zero-days, it is still vital that organisations apply these patches as soon as possible. Unpatched flaws remain a problem for many organisations months after patches have been released.”

– Satnam Narang, Staff Research Engineer, Tenable