Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:42 PM
Connect Directly

Microsoft Patches 6 Zero-Days Under Active Attack

The June 2021 Patch Tuesday fixes 50 vulnerabilities, six of which are under attack and three of which were publicly known at the time of disclosure.

Microsoft today deployed patches for 50 vulnerabilities, including six zero-days under active attack, the company reports.

Related Content:

Microsoft CISO Shares Remote Work Obstacles & Lessons Learned

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: How Can I Test the Security of My Home-Office Employees' Routers?

Fifty is a relatively small number for Microsoft's monthly security releases – most of its 2020 rollouts exceeded 100 – but this Patch Tuesday packs a punch. The CVEs that were addressed affect Microsoft Windows, Office, Edge browser, SharePoint Server, .NET Core and Visual Studio, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

The six flaws being exploited in the wild include one remote code execution bug, an information disclosure vulnerability, and four elevation-of-privilege flaws. One of these is classified as Critical; the other five are categorized Important. Two zero-days were publicly known at the time of disclosure; one vulnerability patched today is publicly known but not under attack.

Critical zero-day CVE-2021-33742, a remote code execution bug in the Windows MSHTML platform, has a CVSS score of 7.5 and was publicly known at the time it was patched. Attackers could successfully exploit this and execute code on a target system if they can convince a victim to view specially crafted Web content. Microsoft notes an attack requires some user interaction, though an attacker does not require access to files or settings in order to succeed.

"Since the vulnerability is in the Trident (MSHTML) engine itself, many different applications are impacted – not just Internet Explorer," writes Dustin Childs of the Zero-Day Initiative in a blog post. "It's not clear how widespread the active attacks are, but considering the vulnerability impacts all supported Windows versions, this should be at the top of your test and deploy list."

Microsoft credits Clément Lecigne of Google's Threat Analysis Group for discovering the flaw.

CVE-2021-33739, another publicly known zero-day, is considered Important with a CVSS score of 8.4. This is an elevation-of-privilege vulnerability in Microsoft's DWM Core Library that requires low attack complexity, no privileges, and no user interaction to successfully exploit.

"The attacker would most likely arrange to run an executable or script on the local computer," Microsoft writes in the disclosure. There are many ways they could do this, it says; for example, a phishing attack in which the victim clicks an executable file attached to an email. Microsoft credits Jinquan (@jq0904) with DBAPPSecurity Lieying Lab with discovering the vulnerability.

Two of the zero-days patched today, CVE-2021-31955 and CVE-2021-31956, were found by Boris Larin (oct0xor) of Kaspersky Lab and used as part of an exploit chain, along with a Chrome zero-day, in active attacks observed on April 14–15 that researchers say were "highly targeted."

CVE-2021-31955 is an information disclosure vulnerability in the Windows kernel with a CVSS score of 5.5. Exploitation of this would review low complexity, low privileges, and no user interaction, Microsoft reports. If successful, an attacker could access the contents of kernel memory from a user mode process.

The other flaw used in this chain, CVE-2021-31956, is an elevation of privilege vulnerability in Windows NTFS with a CVSS score of 7.8. Similarly, this also requires low complexity, low privileges, and no user interaction to exploit.

There are a couple of paths an attacker might take with this one, Microsoft says: They could first log on to the target system; from there, they could run a specially crafted application to exploit the flaw and take control. Alternatively, they could use an email or instant message to convince a local user to open a malicious file.

CVE-2021-31199 and CVE-2021-31201, the final two zero-days exploited this month, are elevation of privilege vulnerabilities in the Microsoft Enhanced Cryptographic Provider. Both have a CVSS score of 5.2 and are classified as Important, with low attack complexity, low privileges, and no user interaction required for an exploit. Both vulnerabilities are related to Adobe CVE-2021-28550, a zero-day affecting Windows and macOS patched last month.

"It's common to see privilege escalation paired with code execution bugs, and it seems these two vulnerabilities were the privilege escalation part of those exploits," Childs writes, though he notes it's "a bit unusual" to see a gap between patches for different parts of an active attack.

CVE-2021-31968, a denial-of-service (DoS) vulnerability in Windows Remote Desktop Services, is publicly known but not seen exploited in the wild. This is one of five DoS bugs patched this month; others, which were not previously known, exist in Microsoft Defender, .NET Core and Visual Studio, Server for NFS, and Windows Hyper-V.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: Google's new See No Evil policy......
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-06-20
The Quiz And Survey Master – Best Quiz, Exam and Survey Plugin WordPress plugin before 7.1.18 did not sanitise or escape its result_id parameter when displaying an existing quiz result page, leading to a reflected Cross-Site Scripting issue. This c...
PUBLISHED: 2021-06-18
RIOT-OS 2021.01 before commit 44741ff99f7a71df45420635b238b9c22093647a contains a buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS contains a buffer overflow in the set_range test in TestBitmap which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS in test-crypto.cpp contains a stack buffer overflow which could allow attackers to obtain sensitive information.
PUBLISHED: 2021-06-18
SerenityOS before commit 3844e8569689dd476064a0759d704bc64fb3ca2c contains a directory traversal vulnerability in tar/unzip that may lead to command execution or privilege escalation.