
Microsoft Patch Tuesday arrives with a truckload of security updates


Patch Tuesday just went by, and several tech giants have released security updates patching a massive number of security vulnerabilities. Microsoft, in particular, released 117 patches, 13 of which were for critical bugs, 103 for important ones and one for a moderate issue. 

Following suit, Adobe released a bunch of security updates patching 29 CVE bugs in Acrobat and Reader, Dimension, Illustrator, FrameMaker and Bridge, with 10 of them being critical. 15 of these bugs were reported through the ZDI program, several of them being detected by ZDI researchers Mat Powell and Joshua Smith.

Intel has also released a BIOS update allowing system manufacturers to fix a local escalation-of-privilege bug on machines powered by its Xeon processors. VMware has also put out two patches, one fixing an authentication bypass vulnerability on ESXi and another patching a DLL hijacking bug in ThinApp. SAP’s NetWeaver AS Java also got an update fixing an authentication-based vulnerability in the software’s LM Configuration Wizard.



Patches out, but bugs already being exploited

Four of the bugs that Microsoft patched are already being actively exploited.

  • CVE-2021-34527: This is a remote code execution vulnerability in Windows Print Spooler, the exploit code for which is already floating around on the internet. The flaw is also known as PrintNightmare.
  • CVE-2021-34448: Allows remote code execution through maliciously crafted webpages via Microsoft’s Scripting Engine.
  • CVE-2021-31979 and CVE-2021-33771: These are privilege escalation flaws in the Windows Kernel that can be exploited to gain admin access.

Here’s a list of some critical CVE bugs that Microsoft fixed. All of these vulnerabilities are remote code execution (RCE) type flaws.

| CVE Code | Vulnerability | CVSS Score | Exploit available publicly | Has been exploited |
|---|---|---|---|---|
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | Yes | Yes |
| CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability | 6.8 | No | Yes |
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | 9.1 | Yes | No |
| CVE-2021-34474 | Dynamics Business Central Remote Code Execution Vulnerability | 8 | No | No |
| CVE-2021-34464 | Microsoft Defender Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34522 | Microsoft Defender Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34439 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34503 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34494 | Windows DNS Server Remote Code Execution Vulnerability | 8.8 | No | No |
| CVE-2021-34450 | Windows Hyper-V Remote Code Execution Vulnerability | 8.5 | No | No |
| CVE-2021-34458 | Windows Kernel Remote Code Execution Vulnerability | 9.9 | No | No |
| CVE-2021-33740 | Windows Media Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34497 | Windows MSHTML Platform Remote Code Execution Vulnerability | 6.8 | No | No |

Zero Day Initiative has done a terrible roundup of all of Microsoft’s fixes in their post here.

Luckily, none of the bugs resolved by Adobe this month is listed as publicly known or under active exploitation. The updates for Acrobat and Reader fixed 19 different bugs, a bunch of which could cause remote code execution via a malicious PDF file. Dimension also had a similar code execution flaw. 

Adobe also patched a bunch of CVE bugs across its product line

Three bugs in Illustrator were also fixed, patching remote code execution flaws. Five fixes were put out for Bridge, and a single CVE vulnerability was fixed for FrameMaker.

Intel is looking to fix CVE-2021-0144, a vulnerability in the customer build-time configuration for the Intel BIOS Shared SW Architecture Design. As mentioned above, this vulnerability potentially allows a privileged user to enable an escalation of privilege via local access. The following Intel processors are currently vulnerable to the bug.

  • 2nd Generation Intel® Xeon® Scalable Processors
  • Intel® Xeon® Scalable Processors
  • Intel® Core™ X-series Processors
  • Intel® Xeon® Processor W Family
  • Intel® Xeon® Processor D Family
  • Intel® Xeon® Processor E5 v4 Family
  • Intel® Xeon® Processor E5 v3 Family

You can check out Intel’s advisory here.


Yadullah Abidi
