Microsoft has released its August Patch Tuesday security updates, addressing a total of 44 vulnerabilities in the family of Windows and Mac operating systems and related products. Of these, 7 are rated Critical and 37 Important. The products covered in August’s security update include Microsoft Office, Windows Cryptographic Services, .NET Core & Visual Studio, and Microsoft Azure Active Directory Connect, among others.
Microsoft has also released patches for three zero-day vulnerabilities. One of them is being actively exploited in the wild.
CVE-2021-36936 – Windows Print Spooler Remote Code Execution Vulnerability. According to Microsoft, it has a high chance of exploitation since the attacker would only need a low level of access. The vulnerability, which was publicly disclosed, is due to improper input validation in the Windows Print Spooler.
CVE-2021-36942 – Windows LSA Spoofing Vulnerability. The flaw is due to incorrect processing of user-supplied data in the Windows LSA. Combined with an NTLM relay attack, it allows an unauthenticated attacker to trick a domain controller into authenticating with another server. This spoofing vulnerability has received a combined CVSSv3 score of 9.3.
CVE-2021-36948 – Windows Update Medic Service Elevation of Privilege Vulnerability. This is the only zero-day vulnerability exploited in the wild this month. The flaw is due to an improper boundary check within the Windows Update Medic Service. It allows local attackers to execute arbitrary code with elevated privileges on the system. The vulnerability has received a CVSSv3 score of 7.8.
The remaining critical vulnerabilities addressed, other than the zero-days, are:
CVE-2021-34530 – Windows Graphics Component Remote Code Execution Vulnerability. The flaw is due to an input validation error in the Windows Graphics Component. The bug allows attackers to social-engineer a victim into opening a specially crafted file and thus achieve remote code execution.
CVE-2021-34480 – Scripting Engine Memory Corruption Vulnerability. The flaw is due to an improper boundary check in the Scripting Engine. The bug allows attackers to social-engineer a victim into opening a specially crafted file or site, thus triggering remote code execution.
CVE-2021-34535 – Remote Desktop Client Remote Code Execution Vulnerability. According to Microsoft, it has a high chance of exploitation. The exploitation scenarios involve a victim making a remote desktop connection to an attacker-controlled server, or a victim on the Hyper-V host making a connection to a malicious VM. The vulnerability has received a CVSSv3 score of 8.8.
CVE-2021-34534 – Windows MSHTML Platform Remote Code Execution Vulnerability. The flaw is due to an input validation error in Trident, the rendering engine (mshtml.dll) used by Internet Explorer. The vulnerability is less likely to be exploited, since the attacker would need to pull off a highly complex attack with user interaction.
CVE-2021-26432 – Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability. The flaw is due to an input validation error in the Windows Services for NFS ONCRPC XDR Driver. It has a high chance of exploitation due to its low complexity. The attacker would need neither privileges nor user interaction to exploit it. The bug is categorized as ‘wormable’.
CVE-2021-26424 – Windows TCP/IP Remote Code Execution Vulnerability. The flaw lies in an improperly implemented, unknown code block of the TCP/IP stack component. The vulnerability has received a CVSSv3 score of 9.9 and has a high chance of exploitation due to its low complexity. A guest Hyper-V OS can send a specially crafted TCP/IP packet to a vulnerable Hyper-V server and completely take over the Hyper-V host.
Microsoft security bulletin summary for August 2021
- Microsoft Office
- Microsoft Browsers
- Microsoft Windows
- Remote Desktop Client
- .NET Core
- Visual Studio
- Microsoft Azure
- Windows Bluetooth Service
- Microsoft Dynamics
Product: Microsoft Windows
CVEs/Advisory: CVE-2021-26424, CVE-2021-26425, CVE-2021-26426, CVE-2021-26431, CVE-2021-26432, CVE-2021-26433, CVE-2021-34480, CVE-2021-34481, CVE-2021-34483, CVE-2021-34484, CVE-2021-34486, CVE-2021-34487, CVE-2021-34530, CVE-2021-34533, CVE-2021-34534, CVE-2021-34535, CVE-2021-34536, CVE-2021-34537, CVE-2021-36926, CVE-2021-36927, CVE-2021-36932, CVE-2021-36933, CVE-2021-36934, CVE-2021-36936, CVE-2021-36937, CVE-2021-36938, CVE-2021-36942, CVE-2021-36945, CVE-2021-36947, CVE-2021-36948
Impact: Elevation of Privilege, Information Disclosure, Remote Code Execution, Spoofing
Severity: Critical, Important, Moderate
KBs: 4023814, 5005030, 5005031, 5005033, 5005036, 5005040, 5005043, 5005076, 5005094, 5005099, 5005106
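To see whether a host carries any of the Windows KBs listed above, the list can be compared against the installed hotfixes. The script below is an added example, not part of Microsoft's bulletin; `Test-AugustPatch` is a hypothetical helper name, and because the page does not map KBs to Windows versions it only reports which of the listed KBs are present.

```powershell
# Added example: report which August 2021 Windows KBs from the bulletin
# summary are installed. Test-AugustPatch is a hypothetical helper name.

# KB numbers copied from the "Product: Microsoft Windows" entry above.
$AugustKBs = '4023814','5005030','5005031','5005033','5005036','5005040',
             '5005043','5005076','5005094','5005099','5005106' |
             ForEach-Object { "KB$_" }

function Test-AugustPatch {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [string[]]$KBList       = $AugustKBs
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix reads Win32_QuickFixEngineering, so it does not list
            # every update type; treat "no match" as "review", not "vulnerable".
            $installed = @(Get-HotFix -ComputerName $computer -ErrorAction Stop |
                Where-Object { $KBList -contains $_.HotFixID })
            [pscustomobject]@{
                ComputerName = $computer
                MatchedKBs   = ($installed.HotFixID | Sort-Object -Unique) -join ', '
                # A later cumulative update supersedes these KBs, so a host
                # patched after August 2021 can also show no match.
                NeedsReview  = ($installed.Count -eq 0)
                Error        = $null
            }
        }
        catch {
            # Unreachable or access-denied hosts are flagged rather than skipped.
            [pscustomobject]@{
                ComputerName = $computer
                MatchedKBs   = ''
                NeedsReview  = $true
                Error        = $_.Exception.Message
            }
        }
    }
}

# Check the local machine; pass -ComputerName for remote hosts.
Test-AugustPatch | Format-Table -AutoSize
```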
Product: Microsoft Dynamics
CVEs/Advisory: CVE-2021-34524, CVE-2021-36946, CVE-2021-36950
Impact: Remote Code Execution, Spoofing
KBs: 5005369, 5005368, 5005374, 5005373, 4618795, 5005239, 5005370
Product: Microsoft Azure
CVEs/Advisory: CVE-2021-26428, CVE-2021-26429, CVE-2021-26430, CVE-2021-33762, CVE-2021-36943, CVE-2021-36949
Impact: Denial of Service, Information Disclosure, Elevation of Privilege