Virtual Administrator’s July 2021 Patch Recommendations

Patch Recommendations

This month Microsoft released patches for 117 vulnerabilities with 13 rated “Critical”, 103 “Important” and 1 “Moderate” in severity.

All patches have been approved in our patch policy.

The big news this month was the out-of-band PrintNightmare (CVE-2021-34527) patch, KB5004945, released on July 6th. That patch had known issues with certain printers, primarily receipt or label printers that connect via USB. July’s cumulative update includes the PrintNightmare patch but without the printer problems. However, the amount of protection the patch provides has been questioned.

Also this month:

  • CVE-2021-34448, Scripting Engine Memory Corruption: a remote code execution (RCE) vulnerability in the scripting engine built into every supported version of Windows.
  • CVE-2021-34458, Windows Kernel Remote Code Execution Vulnerability: an RCE flaw affecting systems that host virtual machines with single root input/output virtualization (SR-IOV) devices.
  • CVE-2021-34494: a DNS Server RCE vulnerability.
  • New Cumulative Updates for Exchange Server 2013 (KB5004778), Exchange Server 2016 (KB5004779) and Exchange Server 2019 (KB5004780).
  • New standalone SSUs for Windows 7/Server 2008 R2 and Windows 10/Server 1909.

PrintNightmare, Critical Windows Print Spooler Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

https://us-cert.cisa.gov/ncas/current-activity/2021/06/30/printnightmare-critical-windows-print-spooler-vulnerability

The OOB patch caused problems with some printers. The July cumulative update includes a new PrintNightmare patch without the known issues. However, on devices that still have this registry setting enabled, the patch can be bypassed to achieve remote code execution and local privilege escalation.

ClubMSP has posted scripts to disable/enable the print spooler service.

Heads-Up!  On July 15th Microsoft disclosed a new Windows Print Spooler vulnerability tracked as CVE-2021-34481. There is no patch for this yet. The guidance is to disable the Print Spooler service.  Unlike PrintNightmare this vulnerability can only be exploited locally to elevate privileges.

Windows Print Spooler Elevation of Privilege Vulnerability

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34481
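
A read-only check for the two conditions discussed above, added here as an example (it is not from the original post and is not one of the ClubMSP scripts): whether Point and Print policy values leave the July patch bypassable, and whether the Print Spooler service is still enabled. It assumes the registry setting referred to above is the Point and Print policy named in Microsoft's CVE-2021-34527 guidance and KB5005010; the function name `Get-PrintSpoolerExposure` and its output property names are hypothetical.

```powershell
# Added example: read-only audit of one Windows host. Nothing is changed.
# Registry value names are those in Microsoft's CVE-2021-34527 guidance and KB5005010.
function Get-PrintSpoolerExposure {
    [CmdletBinding()]
    param()

    $key   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

    # Return the DWORD if the value exists, otherwise $null ("not defined").
    $read = {
        param([string]$Name)
        if ($props -and $props.PSObject.Properties[$Name]) { [int]$props.$Name } else { $null }
    }
    $noWarn   = & $read 'NoWarningNoElevationOnInstall'
    $noPrompt = & $read 'UpdatePromptSettings'
    $restrict = & $read 'RestrictDriverInstallationToAdministrators'

    # Microsoft's guidance: both values must be 0 or not defined,
    # otherwise the update does not protect the device.
    $weakened = ($noWarn -gt 0) -or ($noPrompt -gt 0)

    # Spooler state: disabling the service is the guidance given for CVE-2021-34481.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    $spoolerOn = [bool]$svc -and ($svc.State -eq 'Running' -or $svc.StartMode -ne 'Disabled')

    [pscustomobject]@{
        ComputerName                               = $env:COMPUTERNAME
        NoWarningNoElevationOnInstall              = $noWarn
        UpdatePromptSettings                       = $noPrompt
        RestrictDriverInstallationToAdministrators = $restrict   # reported as-is, not judged
        PointAndPrintWeakensPatch                  = $weakened
        SpoolerState                               = $svc.State
        SpoolerStartMode                           = $svc.StartMode
        SpoolerEnabled                             = $spoolerOn
    }
}

Get-PrintSpoolerExposure | Format-List

# To apply the disable-spooler guidance on a host that does not need to print:
#   Stop-Service -Name Spooler -Force
#   Set-Service  -Name Spooler -StartupType Disabled
```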

FYI:

Update on Adobe Flash Player End of Support

https://blogs.windows.com/msedgedev/2020/09/04/update-adobe-flash-end-support/

As of July 2021, KB4577586 “Update for Removal of Adobe Flash Player” will be included in the Latest Cumulative Update for Windows 10, version 1607 and Windows 10, version 1507. The KB will also be included in the Monthly Rollup and the Security Only Update for Windows 8.1, Windows Server 2012, and Windows Embedded 8 Standard.

Disclosed: CVE-2021-33779, CVE-2021-33781, CVE-2021-34473, CVE-2021-34492, CVE-2021-34523, CVE-2021-34527

Exploited: CVE-2021-31979, CVE-2021-33771, CVE-2021-34448, CVE-2021-34527

Security Update Guide

https://portal.msrc.microsoft.com/en-us/security-guidance

Morphus Labs patch dashboard here: https://patchtuesdaydashboard.com

We will no longer be listing “affected software” in this post. Previously Microsoft listed affected “software”. This month the list includes “products, features and roles”, which makes the list too long. You can view this list in the month’s Release Notes on the Security Update Guide page.

Microsoft Security Advisories

ADV990001 | Latest Servicing Stack Updates (Published:11/13/2018 | Last Updated:07/13/2021)

https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001

Reason for Revision: A Servicing Stack Update has been released for some versions of Windows.

ADV200011 | Microsoft Guidance for Addressing Security Feature Bypass in GRUB (Published:06/29/2020 | Last Updated:07/13/2021)

https://msrc.microsoft.com/update-guide/vulnerability/ADV200011

Reason for Revision: Corrected information in the FAQ and Mitigations sections to indicate that the currently available mitigation options also address the following vulnerabilities: CVE-2020-14372, CVE-2020-25632, CVE-2020-25647, CVE-2020-27749, CVE-2020-27779, CVE-2021-3418, CVE-2021-20225, CVE-2021-20233, which were released on March 2, 2021.

NOTE: The Windows 10 20H2 and Windows 10 2004 Servicing Stack Update is included in the Update Package as of the March 2021 release. If you have not yet updated to the current release, the previous Servicing Stack Update for these versions is KB4598481. This version needs to be installed before updating to the March 2021 update.

Known Issues

There are no new known issues this month – so far.  The Cumulative Updates for Exchange Server 2013 (KB5004778), Exchange Server 2016 (KB5004779) and Exchange Server 2019 (KB5004780) have the same four potential issues that have been previously outlined in the other Cumulative Updates released earlier this year. See: https://support.microsoft.com/en-us/topic/description-of-the-security-update-for-microsoft-exchange-server-2019-july-13-2021-kb5004780-fc5b3fa1-1f7a-47b0-8014-699257256bb5

Microsoft continues to list unresolved older problems under the Known Issues for new patches. So if you have not yet experienced one of these issues it is unlikely it will occur now.

The Windows message center is a good resource for known issues with Windows 10 patches. Find the version and click on “Known issues”.

Windows message center

https://docs.microsoft.com/en-us/windows/release-health/windows-message-center

 

Monthly Rollup/Security Only/Windows 10/Server 2016,2019 KBs

Links take the form https://support.microsoft.com/en-us/help/#######, where ####### is the KB number only.

 

Security and Quality Rollup

  • KB5004289 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5004298 – Windows 8.1, Windows Server 2012 R2
  • KB5004294 – Windows Server 2012
  • KB5004305 – Windows Server 2008 (ESU)

Security Only Update

  • KB5004307 – Windows 7, Windows Server 2008 R2 (ESU)
  • KB5004285 – Windows 8.1, Windows Server 2012 R2
  • KB5004302 – Windows Server 2012
  • KB5004299 – Windows Server 2008 (ESU)

 

Cumulative Update for Windows 10

  • KB5004249 – Original release version 1507 (OS Build 10240)
  • None – Version 1511 (OS Build 10586)
  • KB5004238 – Version 1607 “Anniversary Update” (OS Build 14393)
  • None – Version 1703 “Creators Update” (OS Build 15063)
  • None – Version 1709 “Fall Creators Update” (OS Build 16299)
  • None – Version 1803 “Spring Creators Update” (OS Build 17134)
  • KB5004244 – Version 1809 “October 2018 Update” (OS Build 17763)
  • None – Version 1903 “May 2019 Update” (OS Build 18362)
  • KB5004245 – Version 1909 “November 2019 Update” (OS Build 18363)
  • KB5004237 – Version 2004 “May 2020 Update” (OS Build 19041)
  • KB5004237 – Version 20H2 “October 2020 Update” (OS Build 19042)
  • KB5004237 – Version 21H1 “May 2021 Update” (OS Build 19043)

Note: Server 2016 uses the same KB as Windows 10 Version 1607. Server 2019 uses the same KB as Windows 10 Version 1809.

  • KB5004233 – Cumulative security update for Internet Explorer

 

July 2021 updates for Microsoft Office

https://support.microsoft.com/en-us/topic/july-2021-updates-for-microsoft-office-66ce3834-9a67-411c-95d1-c453490dddff

 

Notable CVEs

CVE-2021-34448 | Scripting Engine Memory Corruption Vulnerability (Cumulative Update/Monthly Rollup/IE Cumulative)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448

In a web-based attack scenario, an attacker could host a website (or leverage a compromised website that accepts or hosts user-provided content) that contains a specially crafted file that is designed to exploit the vulnerability. However, an attacker would have no way to force the user to visit the website. Instead, an attacker would have to convince the user to click a link, typically by way of an enticement in an email or Instant Messenger message, and then convince the user to open the specially crafted file.

 

CVE-2021-34458 | Windows Kernel Remote Code Execution Vulnerability (Cumulative Update)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34458

This issue allows a single root input/output virtualization (SR-IOV) device which is assigned to a guest to potentially interfere with its Peripheral Component Interface Express (PCIe) siblings which are attached to other guests or to the root.

You will be vulnerable if you implement the following:

1) Your Windows instance is hosting virtual machines

2) Your Server includes the required hardware with SR-IOV devices

 

CVE-2021-34473 | Microsoft Exchange Server Remote Code Execution Vulnerability (KB5001779)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34473

 

CVE-2021-34494 | Windows DNS Server Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34494

This vulnerability is only exploitable if the server is configured to be a DNS server.

 

CVE-2021-34523 | Microsoft Exchange Server Elevation of Privilege Vulnerability (KB5001779)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34523

 

CVE-2021-34527 | Windows Print Spooler Remote Code Execution Vulnerability (Cumulative Update/Monthly Rollup)

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34527

UPDATE July 6, 2021: Microsoft has completed the investigation and has released security updates to address this vulnerability. Please see the Security Updates table for the applicable update for your system. We recommend that you install these updates immediately. If you are unable to install these updates, see the FAQ and Workaround sections in this CVE for information on how to help protect your system from this vulnerability. See also KB5005010: Restricting installation of new printer drivers after applying the July 6, 2021 updates.

Note that the security updates released on and after July 6, 2021 contain protections for CVE-2021-1675 and the additional remote code execution exploit in the Windows Print Spooler service known as “PrintNightmare”, documented in CVE-2021-34527.