Patch Tuesday just went by, and several tech giants have released security updates patching a massive number of security vulnerabilities. Microsoft, in particular, released 117 patches, 13 of which were for critical bugs, 103 for important ones and one for a moderate issue.
Following suit, Adobe released a bunch of security updates patching 29 CVE bugs in Acrobat and Reader, Dimension, Illustrator, FrameMaker and Bridge, with 10 of them being critical. 15 of these bugs were reported through the ZDI program, several of them being detected by ZDI researchers Mat Powell and Joshua Smith.
Intel has also released a BIOS update allowing system manufacturers to fix a local escalation-of-privilege bug on machines powered by its Xeon processors. VMware has also put out two patches, one fixing an authentication bypass vulnerability in ESXi and another patching a DLL hijacking bug in ThinApp. SAP’s NetWeaver AS Java also got an update fixing an authentication-based vulnerability in the software’s LM Configuration Wizard.
Patches out, but bugs already being exploited
Four of the bugs that Microsoft patched are already being actively exploited.
- CVE-2021-34527: This is a remote code execution vulnerability in Windows Print Spooler, the exploit code for which is already floating around on the internet. The flaw is also known as PrintNightmare.
- CVE-2021-34448: Allows remote code execution through maliciously crafted webpages via Microsoft’s Scripting Engine.
- CVE-2021-31979 and CVE-2021-33771: These are privilege escalation flaws in the Windows Kernel that can be exploited to gain admin access.
Here’s a list of some critical CVE bugs that Microsoft fixed. All of these vulnerabilities are remote code execution (RCE) type flaws.
| CVE Code | Vulnerability | CVSS Score | Exploit available publicly | Has been exploited |
|---|---|---|---|---|
| CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability | 8.8 | Yes | Yes |
| CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability | 6.8 | No | Yes |
| CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability | 9.1 | Yes | No |
| CVE-2021-34474 | Dynamics Business Central Remote Code Execution Vulnerability | 8 | No | No |
| CVE-2021-34464 | Microsoft Defender Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34522 | Microsoft Defender Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34439 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34503 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34494 | Windows DNS Server Remote Code Execution Vulnerability | 8.8 | No | No |
| CVE-2021-34450 | Windows Hyper-V Remote Code Execution Vulnerability | 8.5 | No | No |
| CVE-2021-34458 | Windows Kernel Remote Code Execution Vulnerability | 9.9 | No | No |
| CVE-2021-33740 | Windows Media Remote Code Execution Vulnerability | 7.8 | No | No |
| CVE-2021-34497 | Windows MSHTML Platform Remote Code Execution Vulnerability | 6.8 | No | No |
Zero Day Initiative has done a terrible roundup of all of Microsoft’s fixes in their post here.
Luckily, none of the bugs resolved by Adobe this month is listed as publicly known or under active exploitation. The updates for Acrobat and Reader fixed 19 different bugs, a bunch of which could cause remote code execution via a malicious PDF file. Dimension also had a similar code execution flaw.
Three Illustrator bugs were also fixed, patching remote code execution flaws. Five fixes were put out for Bridge, and a single CVE vulnerability was fixed for FrameMaker.
Intel is looking to fix CVE-2021-0144, a vulnerability in the customer build-time configuration for the Intel BIOS Shared SW Architecture Design. As mentioned above, this vulnerability may allow a privileged user to enable an escalation of privilege via local access. The following Intel processors are currently vulnerable to the bug.
- 2nd Generation Intel® Xeon® Scalable Processors
- Intel® Xeon® Scalable Processors
- Intel® Core™ X-series Processors
- Intel® Xeon® Processor W Family
- Intel® Xeon® Processor D Family
- Intel® Xeon® Processor E5 v4 Family
- Intel® Xeon® Processor E5 v3 Family
You can check out Intel’s advisory here.