Microsoft July Patch Tuesday: 117 vulnerabilities, including PrintNightmare

Just in case you thought Microsoft was taking a summer vacation from patch issuance, think again. When you’re hot, you’re hot — and despite record high temperatures in some areas of North America, the folks at the MSRC in Redmond have been hard at work this month, creating patches for 117 vulnerabilities — over twice the number patched in June. Thirteen of the July fixes are rated critical — including the dangerous PrintNightmare vulnerability — and nine are for zero-day vulnerabilities. Worse, exploitation in the wild has been detected for four of those. All this adds up to a busy Patch Tuesday for IT professionals since you’re not going to want to delay getting your systems updated as soon as possible.

The updates span 52 different products, features, and roles.

Let’s take a look at this month’s critical and important updates.


Overview

As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide website for a full list of the July releases. You’ll find that these apply to a longer-than-usual list of Microsoft products and features, including:

Common Internet File System, Dynamics Business Central Control, Microsoft Bing, Microsoft Dynamics, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Scripting Engine, Microsoft Windows Codecs Library, Microsoft Windows DNS, Microsoft Windows Media Foundation, OpenEnclave, Power BI, Role: DNS Server, Role: Hyper-V, Visual Studio Code, Visual Studio Code – .NET Runtime, Visual Studio Code – Maven for Java Extension, Windows Active Directory, Windows Address Book, Windows AF_UNIX Socket Provider, Windows AppContainer, Windows AppX Deployment Extensions, Windows Authenticode, Windows Cloud Files Mini Filter Driver, Windows Console Driver, Windows Defender, Windows Desktop Bridge, Windows Event Tracing, Windows File History Service, Windows Hello, Windows HTML Platform, Windows Installer, Windows Kernel, Windows Key Distribution Center, Windows Local Security Authority Subsystem Service, Windows MSHTML Platform, Windows Partition Management Driver, Windows PFX Encryption, Windows Print Spooler Components, Windows Projected File System, Windows Remote Access Connection Manager, Windows Remote Assistance, Windows Secure Kernel Mode, Windows Security Account Manager, Windows Shell, Windows SMB, Windows Storage Spaces Controller, Windows TCP/IP, and Windows Win32K.

Many of the CVEs that are addressed include mitigations, workarounds, or FAQs that may be relevant to specific cases, so be sure to check those out if you are unable to install the updates due to compatibility or other reasons.

As usual, in this blog post, we’ll focus on the critical issues since they pose the greatest threat.

The most high-profile issue patched this month is the Windows Print Spooler remote code execution issue revealed weeks ago. Several proof-of-concept exploits were released that take advantage of it, and it was recommended to disable the print spooler service or disable inbound remote printing through Group Policy to mitigate the issue until the patch could be released. On July 6, Microsoft released an out-of-band update to address the issue on some (but not all) versions of Windows and released the patch for the remaining supported versions of Windows the next day, July 7.
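As an added example (not code from the original post), the following PowerShell reports whether either of the two interim workarounds described above is in effect on a host. It assumes the Group Policy "Allow Print Spooler to accept client connections" is stored as the RegisterSpoolerRemoteRpcEndPoint value under the Printers policy key, with 2 meaning the policy is disabled.

```powershell
# Added example, not from the original post. Reports the PrintNightmare
# workaround state (spooler service stopped/disabled, or inbound remote
# printing turned off via Group Policy). Run in an elevated session.
# Assumption: the policy "Allow Print Spooler to accept client connections"
# writes RegisterSpoolerRemoteRpcEndPoint under the Printers policy key.

function Get-PrintSpoolerMitigationState {
    [CmdletBinding()]
    param()

    $svc = Get-Service -Name Spooler -ErrorAction SilentlyContinue

    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers'
    $policy = Get-ItemProperty -Path $policyKey `
        -Name RegisterSpoolerRemoteRpcEndPoint -ErrorAction SilentlyContinue
    $remoteRpc = $policy.RegisterSpoolerRemoteRpcEndPoint

    # Workaround 1: service stopped AND set to Disabled so it stays down after reboot.
    $spoolerStopped  = ($null -eq $svc) -or ($svc.Status -ne 'Running')
    $spoolerDisabled = ($null -ne $svc) -and ($svc.StartType -eq 'Disabled')

    # Workaround 2: inbound remote printing blocked by policy (value 2 = disabled).
    $remotePrintOff = ($remoteRpc -eq 2)

    [pscustomobject]@{
        ComputerName             = $env:COMPUTERNAME
        SpoolerStatus            = if ($svc) { $svc.Status.ToString() }    else { 'NotInstalled' }
        SpoolerStartType         = if ($svc) { $svc.StartType.ToString() } else { 'NotInstalled' }
        InboundRemotePrintingOff = $remotePrintOff
        # Either workaround is sufficient until the patch is applied.
        Mitigated                = ($spoolerStopped -and $spoolerDisabled) -or $remotePrintOff
    }
}

Get-PrintSpoolerMitigationState | Format-List
```

A host that reports Mitigated = False and has not yet received the July update is still exposed; print servers that must keep the spooler running should rely on the policy setting rather than stopping the service.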

Critical and exploited vulnerabilities

A number of critical Windows vulnerabilities are on the list this month. Once again, we have a large number of vulnerabilities that are classed as zero-day, meaning they became public before a patch was released.

Vulnerabilities (including PrintNightmare) being exploited in the wild


The following vulnerabilities have already been exploited in the wild:

  • CVE-2021-31979 – This is an important Windows Kernel Elevation of Privilege vulnerability that affects Windows 7, Windows RT 8.1, Windows 8.1, Windows 10 (supported versions), Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, and 21H1 (server core installations included). The attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console) or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No user interaction is required and no special access conditions are required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-33771 – This is another important Windows Kernel Elevation of Privilege vulnerability that affects Windows RT 8.1, Windows 8.1, Windows 10 (supported versions), Windows Server 2012, 2012 R2, 2016, 2019, 20H2, and 21H1 (server core installations included). The attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No user interaction is required and no special access conditions are required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34448 – This is a critical Scripting Engine Memory Corruption vulnerability that affects Windows 7, Windows RT 8.1, Windows 8.1, Windows 10 (supported versions), Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, and 21H1 (server core installations included). A successful attack depends on conditions beyond the attacker’s control, and user interaction is required. However, the attacker does not require any access to settings or files to carry out an attack. The exploit can result in total loss of confidentiality and integrity.
  • CVE-2021-34527 (aka PrintNightmare) – This is the critical Windows Print Spooler RCE vulnerability that affects Windows 7, Windows RT 8.1, Windows 8.1, Windows 10 (supported versions), Windows Server 2004, 2008, 2008 R2, 2012, 2012 R2, 2016, and 20H2 (server core installations included). No user interaction is required and no special access conditions are required. The exploit can result in total loss of confidentiality, integrity, and availability.

Other vulnerabilities exposed prior to patch release


The remaining five zero-day vulnerabilities (which did not yet have any known exploits detected in the wild) include:

  • CVE-2021-34473 – Microsoft Exchange Server Remote Code Execution Vulnerability. This is rated critical and affects Exchange Server 2013, 2016, and 2019. The attack vector is the network stack and is considered “remotely exploitable.” No special access conditions or user interaction are required. The exploit can result in total loss of confidentiality and integrity.
  • CVE-2021-34492 – Windows Certificate Spoofing Vulnerability. This is rated important and affects all currently supported versions of Windows server and client operating systems. No special access conditions are required but user interaction is required. The exploit can result in total loss of confidentiality and integrity.
  • CVE-2021-34523 – Microsoft Exchange Server Elevation of Privilege Vulnerability. This is rated important and affects Exchange Server 2013, 2016, and 2019. The attack vector is local; the attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No special access conditions or user interaction are required. The exploit can result in total loss of confidentiality and integrity.
  • CVE-2021-33779 – Windows ADFS Security Feature Bypass Vulnerability. This is rated important and affects Windows Server 2004, 2016, 2019, and 20H2 (including server core installations). The attack vector is the network stack and is considered “remotely exploitable.” No special access conditions or user interaction are required. The exploit can result in total loss of confidentiality and integrity.
  • CVE-2021-33781 – Active Directory Security Feature Bypass Vulnerability. This is rated important and affects Windows 10 (multiple versions), Windows Server 2004, 2019, and 20H2 (including server core installations). The attack vector is the network stack and is considered “remotely exploitable.” No special access conditions or user interaction are required. The exploit can result in total loss of confidentiality and integrity.

Other critical vulnerabilities patched

The following vulnerabilities are all rated critical but had not been disclosed or exploited prior to patch release:

  • CVE-2021-34474 – Dynamics Business Central Remote Code Execution Vulnerability. This affects Dynamics 365 Business Central 202 and 2021. The attack vector is the network stack and the vulnerability is remotely exploitable. A successful attack depends on conditions beyond the attacker’s control. No user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34464 – Microsoft Defender Remote Code Execution Vulnerability. This affects the Microsoft malware protection engine. The attack vector is local; the attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No special access conditions are needed but user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34522 – Microsoft Defender Remote Code Execution Vulnerability. This affects the Microsoft malware protection engine. The attack vector is local; the attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No special access conditions are needed but user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34439 – Windows Hyper-V Remote Code Execution Vulnerability. This affects Windows 10 and Server 2004, 2019, and 20H2. The attack vector is the network stack and the vulnerability is remotely exploitable. A successful attack depends on conditions beyond the attacker’s control. No user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34458 – Windows Kernel Remote Code Execution Vulnerability. This affects Windows Server 2004, 2016, 2019, and 20H2 (including server core installations). The attack vector is the network stack and the vulnerability is remotely exploitable. No special access conditions or user interaction are required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-33740 – Windows Media Remote Code Execution Vulnerability. This affects Windows 10 and Server 2004 and 2019. The attack vector is local; the attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No special access conditions are needed but user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34497 – Windows MSHTML Platform Remote Code Execution Vulnerability. This affects Windows 7, Windows RT 8.1, Windows 8.1, Windows 10 (supported versions), Windows Server 2008, 2008 R2, 2012, 2012 R2, 2016, 2019, 20H2, and 21H1 (server core installations included). The attack vector is the network stack and the vulnerability is remotely exploitable. A successful attack depends on conditions beyond the attacker’s control. User interaction is required. The exploit can result in total loss of confidentiality and integrity.
  • CVE-2021-34439 – Microsoft Windows Media Foundation Remote Code Execution Vulnerability. This affects Windows 10 and Server 2016 (including server core installation). The attack vector is local; the attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No special access conditions are needed but user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34503 – Microsoft Windows Media Foundation Remote Code Execution Vulnerability. This affects Windows 10 and Server 2019. The attack vector is local; the attacker can exploit the vulnerability by accessing the target system locally (for example, keyboard, console), or remotely (for example, SSH); or the attacker can rely on user interaction by another person to perform actions required to exploit the vulnerability. No special access conditions are needed but user interaction is required. The exploit can result in total loss of confidentiality, integrity, and availability.
  • CVE-2021-34494 – Windows DNS Server Remote Code Execution Vulnerability. This affects currently supported versions of Windows Server (including server core installation). The attack vector is the network stack and the vulnerability is remotely exploitable. No special access conditions or user interaction are required. The exploit can result in total loss of confidentiality, integrity, and availability.

Important and moderate updates

In addition to the critical and zero-day updates listed above, this month’s patches address another 97 vulnerabilities rated important and one rated moderate, a Microsoft SharePoint Server Information Disclosure vulnerability.

Applying the updates

Most organizations will deploy Microsoft and third-party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.

Most home users will receive the updates via the Windows Update service built into the operating system.

Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog. Following are links to the downloadable updates for the most recent versions of Windows:

  • KB5004289 – monthly rollup for Windows 7 SP1 and Server 2008 R2
  • KB5004298 – monthly rollup for Windows 8.1 and Server 2012 R2
  • KB5004238 – Windows 10 v 1607 and Server 2016
  • KB5004244 – Windows 10 v 1809 and Server 2019
  • KB5004245 – Windows 10 v 2004, 20H2, and 21H1
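As an added example (not from the original post), this PowerShell checks one or more hosts for the July update packages listed above using Get-HotFix. The KB numbers come from the post; the platform labels beside them are only descriptive and are not used to decide which KB a host should have.

```powershell
# Added example, not from the original post. Reports whether any of the
# July 2021 packages listed in the post appears in the installed-hotfix list.
# Remote queries use Get-HotFix -ComputerName (WMI/DCOM) and need admin rights.

$JulyUpdates = @{
    'KB5004289' = 'Windows 7 SP1 / Server 2008 R2 (monthly rollup)'
    'KB5004298' = 'Windows 8.1 / Server 2012 R2 (monthly rollup)'
    'KB5004238' = 'Windows 10 1607 / Server 2016'
    'KB5004244' = 'Windows 10 1809 / Server 2019'
    'KB5004245' = 'Windows 10 2004, 20H2, 21H1'
}

function Test-JulyPatchInstalled {
    [CmdletBinding()]
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        $hotfixes = Get-HotFix -ComputerName $c -ErrorAction SilentlyContinue
        $found = @($hotfixes | Where-Object { $JulyUpdates.ContainsKey($_.HotFixID) })

        [pscustomobject]@{
            ComputerName = $c
            Reachable    = ($null -ne $hotfixes)
            Installed    = ($found.Count -gt 0)
            HotFixID     = ($found.HotFixID -join ', ')
            Package      = (($found | ForEach-Object { $JulyUpdates[$_.HotFixID] }) -join '; ')
            InstalledOn  = ($found.InstalledOn -join ', ')
        }
    }
}

# Local host by default; pass -ComputerName for a list of servers.
Test-JulyPatchInstalled | Format-Table -AutoSize
```

Note that Get-HotFix only reports packages that are still present: on Windows 10 a later cumulative update supersedes the July one, so a host patched beyond July will show Installed = False here and should instead be checked against its current OS build.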

Known issues

You should always research whether there are known issues that could affect your particular machines and configurations before rolling out an update to your production systems. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found here in the release notes for this month’s updates.

Malicious Software Removal Tool (MSRT) update

The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in Remove specific prevalent malware with Windows Malicious Software Removal Tool (KB890830) (microsoft.com).

Third-party releases

In addition to Microsoft’s security updates, this month’s Patch Tuesday brought six updates from Adobe to address 60 vulnerabilities across their products (Acrobat, Reader, Dreamweaver, Photoshop, Illustrator, Animate, and Magento CMS). These include one vulnerability, CVE-2021-21017, which has already been used in “limited” attacks.
