Microsoft has released 117 security fixes for software including a remote code execution (RCE) vulnerability in Exchange Server found by participants of the Pwn2Own competition.
The Redmond giant’s latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, includes fixes for 117 flaws tackling RCEs, privilege escalation, spoofing, memory corruption, and information disclosure. Thirteen are considered critical and nine are zero-days — with four under active exploit.
Products impacted by Microsoft’s latest security update, issued on July 13, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows Kernel, and Windows SMB.
Read on:
Some of the most interesting vulnerabilities resolved in this update are:
- CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own.
- CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability, requiring a victim to actively visit a malicious website or to click a malicious link.
- CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.
- CVE-2021-34458: A Windows Kernel RCE which permits a single root input/output virtualization (SR-IOV) device, assigned to a guest, to potentially tamper with PCIe associates.
The latest round of patches comes just a week after an emergency fix was issued by Microsoft to rectify a security flaw nicknamed “PrintNightmare.” Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released.
In total, four of the vulnerabilities — CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 — are listed as exploited in the wild.
Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet’s FortiGuard Lab, among other organizations, for reporting the now-patched security flaws, A number of vulnerabilities were also reported by Microsoft Threat Intelligence Center (MSTIC).
According to the Zero Day Initiative (ZDI), which reported 17 of the bugs, this month’s volume of fixes “is more than the last two months combined and on par with the monthly totals from 2020.”
Last month, Microsoft resolved 50 vulnerabilities in the June batch of security fixes. These included seven zero-day bugs, six of which were reported by the Redmond giant as being actively exploited.
A month prior, the tech giant tackled 55 security flaws during May Patch Tuesday. Four of which were deemed critical, and three were zero-days.
Alongside Microsoft’s Patch Tuesday round, other vendors, too, have published security updates which can be accessed below.
