Microsoft today released updates to patch at least 116 security holes in its Windows operating systems and related software. At least four of the vulnerabilities addressed today are under active attack, according to Microsoft.
Thirteen of the security bugs quashed in this month’s release earned Microsoft’s most-dire “critical” rating, meaning they can be exploited by malware or miscreants to seize remote control over a vulnerable system without any help from users.
Another 103 of the security holes patched this month were flagged as “important,” which Microsoft assigns to vulnerabilities “whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources.”
Among the critical bugs is of course the official fix for the PrintNightmare print spooler flaw in most versions of Windows (CVE-2021-34527) that prompted Microsoft to rush out a patch for a week ago in response to exploit code for the flaw that got accidentally published online. That patch seems to have caused a number of problems for Windows users. Here’s hoping the updated fix resolves some of those issues for readers who’ve been holding out.
CVE-2021-34448 is a critical remote code execution vulnerability in the scripting engine built into every supported version of Windows — including server versions. Microsoft says this flaw is being exploited in the wild.
Both CVE-2021-33771 and CVE-2021-31979 are elevation of privilege flaws in the Windows kernel. Both are seeing active exploitation, according to Microsoft.
Chad McNaughton, technical community manager at Automox, called attention to CVE-2021-34458, a remote code execution flaw in the deepest areas of the operating system. McNaughton said this vulnerability is likely to be exploited because it is a “low-complexity vulnerability requiring low privileges and no user interaction.”
Another concerning critical vulnerability in the July batch is CVE-2021-34494, a dangerous bug in the Windows DNS Server that earned a CVSS score (severity) of 9.8 out of a possible 10.
“Both core and full installations are affected back to Windows Server 2008, including versions 2004 and 20H2,” said Aleks Haugom, also with Automox.
“DNS is used to translate IP addresses to more human-friendly names, so you don’t have to remember the jumble of numbers that represents your favorite social media site,” Haugom said. “In a Windows Domain environment, Windows DNS Server is critical to business operations and often installed on the domain controller. This vulnerability could be particularly dangerous if not patched promptly.”
Microsoft also patched six vulnerabilities in Exchange Server, an email product that has been under siege all year from attackers. Satnam Narang, staff research engineer at Tenable, noted that while Microsoft says two of the Exchange bugs tackled this month (CVE-2021-34473 and CVE-2021-34523) were addressed as part of its security updates from April 2021, both CVEs were somehow omitted from that April release. Translation: If you already applied the bevy of Exchange updates Microsoft made available in April, your Exchange systems have protection against these flaws.
Other products that got patches today include Microsoft Office, Bing, SharePoint Server, Internet Explorer, and Visual Studio. The SANS Internet Storm Center as always has a nice visual breakdown of all the patches by severity.
Adobe also issued security updates today for Adobe Acrobat and Reader, as well as Dimension, Illustrator, Framemaker and Adobe Bridge.
Chrome and Firefox also recently have shipped important security updates, so if you haven’t done so recently take a moment to save your tabs/work, completely close out and restart the browser, which should apply any pending updates.
The usual disclaimer:
Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.
So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips. Also, check out AskWoody, which keeps a close eye out for specific patches that may be causing problems for users.