Six Windows Zero Days Patched As Part of June Patch Tuesday
Microsoft fixed 50 vulnerabilities this week, including six zero days in Windows components currently being exploited in the wild.
In what’s becoming a banner year for zero days, Microsoft gave administrators six new ones to fix in its software yesterday.
As if Windows admins didn't already have enough on their plates this year, the company reiterated that attackers are already exploiting the vulnerabilities in the wild and that defenders should prioritize fixing the issues as soon as possible.
By some counts, there have been at least 41 zero days uncovered so far in 2021, not just in Microsoft products but also in Apple, VMware, and Adobe products, not to mention Android vulnerabilities impacting Qualcomm GPU and Arm components.
Google's Project Zero, the company's team tasked with rooting out zero-day bugs, has been keeping a spreadsheet of zero-day exploits detected in the wild that includes most of those 41 but omits several due to their scope. It also hasn't been updated to reflect yesterday's vulnerabilities, patched as part of Microsoft's Patch Tuesday updates.
The six vulnerabilities patched on Tuesday were largely elevation of privilege flaws: two in Microsoft's Enhanced Cryptographic Provider, one in the company's Desktop Window Manager, and one in Windows NTFS, Microsoft's journaling file system. The other two bugs are an information disclosure bug in the Windows Kernel and a remote code execution bug in a Windows HTML component.
Two of the vulnerabilities, the Windows Kernel Information Disclosure vulnerability (CVE-2021-31955) and the NTFS Elevation of Privilege (CVE-2021-31956), were apparently abused as early as April as part of a recent campaign some researchers are dubbing PuzzleMaker.
According to researchers with Kaspersky, attackers used a zero day in the Google Chrome web browser to obtain remote code execution and then chained it with the two Windows vulnerabilities to elevate privileges and obtain system privileges at some companies in April.
The company, which suggests that victims were likely highly targeted, also said that attackers, once in, dropped a remote shell which allowed them to download and upload files and create processes. On Microsoft's CVE pages for the bugs, Kaspersky security researcher Boris Larin is credited with discovering them.
Another vulnerability, a Windows Remote Desktop Services denial of service (CVE-2021-31968), is not under active attack, but its details have been publicly disclosed, meaning exploitation could be imminent.
Also, while not zero days, experts at the SANS Internet Storm Center are encouraging users to look at two other troubling vulnerabilities: CVE-2021-31962, a vulnerability that could let an attacker bypass Kerberos authentication, and CVE-2021-31985, a remote code execution vulnerability affecting Windows Defender.
While the effectiveness of the Common Vulnerability Scoring System (CVSS) has been debated lately, it's worth noting that the Kerberos bypass was assessed the highest CVSS rating this month, 9.4, higher than any of the scores given to the zero-days. The Windows Defender vulnerability, as SANS points out, requires no authentication and has a low complexity, meaning it could be appealing for some attackers to exploit.
The Zero Day Initiative, which parses through patches issued by Microsoft and Adobe monthly, also stressed that the Kerberos bug should be "given the highest priority."
The zero days were six of the 50 total vulnerabilities patched by Microsoft on Tuesday. Other issues, including vulnerabilities in Microsoft Office, .NET Core & Visual Studio, the Edge browser, Windows Cryptographic Services, SharePoint, Outlook, and Excel, to name a few, were also resolved this week.