Credit to Author: Greg Lambert| Date: Fri, 11 Jun 2021 11:27:00 -0700
Microsoft this week pushed out 50 updates to fix vulnerabilities across both the Windows and Office ecosystems. The good news is that there are no Adobe or Exchange Server updates this month. The bad news is that there are fixes for six zero-day exploits, including a critical update to the core web rendering (MSHTML) component for Windows. We’ve added this month’s Windows updates to our “Patch Now” schedule, while the Microsoft Office and development platform updates can be deployed under their standard release regimes. Updates also include changes to Microsoft Hyper-V, the cryptographic libraries and Windows DCOM, all of which require some testing before deployment.
You can find this information summarized in our infographic.
There are no reported high-risk changes to the Windows platform this month. For this patch cycle, we divided our testing guide into two sections:
Changes to Microsoft OLE and DCOM components are the most technically challenging and require the most business expertise to debug and deploy. DCOM services are not easy to build and can be difficult to maintain. As a result, they are not the first choice for most enterprises to develop in-house.
If there is a DCOM server (or service) within your IT group, it means it has to be there — and some core business element will depend on it. To manage the risks of this June update, I recommend that you have your list of applications with DCOM components ready, that you have two builds (pre- and post-update) ready for a side-by-side comparison and enough time to fully test and update your code base if need be.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds from Microsoft, including:
There have been a number of reports of ESU systems being unable to complete last month’s Windows updates. If you are running an older system, you will have to purchase an ESU key. Most importantly, you have to activate it (for some, a key step that gets missed). You can find out more about activating your ESU update key online.
You can also find Microsoft’s summary of known issues for this release in a single page.
As of now for this June cycle, there were two major updates to previously released updates:
As an extra note to the update to Windows Defender, given all the things going on this month (six public exploits!), I highly recommend that you ensure Defender is up to date. Microsoft has published some additional documentation on how to check and enforce compliance for Windows Defender. Why not do so now? It’s free and Defender is pretty good.
So far, it does not appear that Microsoft has published any mitigations or workarounds for this June release.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
It seems like we are back to our usual rhythm now of minimal updates to Microsoft’s browsers, as we have only a single update to the Microsoft Chromium project (CVE-2021-33741). This browser update has been rated as important by Microsoft as it can only lead to an elevation-of-privilege security issue and requires user interaction. Rather than using the Microsoft security portal to gain better intelligence on these browser updates, I have found the Microsoft Chromium release notes pages a better source of patch-related documentation. Given the nature of how Chrome installs on Windows desktops, we expect very little impact from the update. Add this browser update to your standard release schedule.
This month, Microsoft released 27 updates to the Windows ecosystem, with three rated as critical and the rest rated as important. This is a relatively low number compared to previous months. However, (and this is big) I am pretty sure that we have never seen so many vulnerabilities publicly exploited or publicly disclosed. This month there are six confirmed as exploited including: CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199 and CVE-2021-31201.
To add to this month’s troubles, two issues have also been publicly disclosed, including CVE-2021-33739 and CVE-2021-31968. This is a lot — especially for one month. The one patch that I am most concerned about is CVE-2021-33742. It is rated as critical, as it can lead to arbitrary code execution on the target system and affects a core element of Windows (MSHTML). This web rendering component was a frequent (and favorite) target for attackers as soon as Internet Explorer (IE) was released. Almost all of the (many, many) security issues and corresponding patches that affected IE were related to how the MSHTML component interacted with the Windows subsystems (Win32) or, even worse, the Microsoft scripting object.
Attacks on this component can lead to deep access to compromised systems and are hard to debug. Even if we did not have all of the publicly disclosed or confirmed exploits this month, I would still add this Windows update to the “Patch Now” release schedule.
Very much like last month, Microsoft released 11 updates rated as important and one rated as critical for this release cycle. Again, we are seeing updates to Microsoft SharePoint as the primary focus, with the critical patch CVE-2021-31963. Compared with some of the very concerning news this month for Windows updates, these Office patches are relatively complex to exploit and do not expose highly vulnerable vectors like Outlook Preview panes to attack.
There have been a number of informational updates to these patches over the past few days and it appears there may be an issue with the combined updates to SharePoint Server; Microsoft published the following error, “DataFormWebPart may be blocked by accessing an external URL and generates ‘8scdc’ event tags in SharePoint Unified Logging System (ULS) logs.” You can find out more about this issue with KB 5004210.
Plan on rebooting your SharePoint servers and add these Office updates to your standard release schedule.
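To check whether the DataFormWebPart known issue quoted above is occurring after the update, the ULS trace logs can be searched for the ‘8scdc’ tag in the EventID column rather than anywhere in the line. The sketch below is an added example, not code from this article or from Microsoft; it assumes the usual tab-delimited ULS column layout, and the sample log lines, categories, messages and correlation IDs are constructed.

```python
from collections import Counter

# Column order of a tab-delimited ULS trace log (assumed standard layout).
ULS_COLUMNS = ["Timestamp", "Process", "TID", "Area", "Category",
               "EventID", "Level", "Message", "Correlation"]

def _row(*fields):
    # Real ULS files pad columns with spaces, so pad the sample too.
    return "\t".join(f.ljust(12) for f in fields)

# Constructed sample: categories, messages and correlation IDs are invented.
SAMPLE_ULS = "\n".join([
    _row(*ULS_COLUMNS),
    _row("06/11/2021 10:15:32.45", "w3wp.exe (0x1A2C)", "0x2B10", "SharePoint Foundation",
         "General", "8scdc", "Medium", "constructed: DataFormWebPart request blocked",
         "11111111-0000-0000-0000-000000000001"),
    _row("06/11/2021 10:15:33.02", "w3wp.exe (0x1A2C)", "0x2B10", "SharePoint Foundation",
         "General", "aaaa1", "Medium", "constructed: admin note mentioning 8scdc",
         "11111111-0000-0000-0000-000000000001"),
    _row("06/11/2021 11:02:07.90", "w3wp.exe (0x0F44)", "0x11C8", "SharePoint Foundation",
         "General", "8scdc", "Medium", "constructed: DataFormWebPart\trequest blocked",
         "22222222-0000-0000-0000-000000000002"),
])

def parse_uls(text):
    """Yield one dict per ULS entry, skipping header and malformed lines."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split("\t")]
        if len(parts) < len(ULS_COLUMNS) or parts[0] == "Timestamp":
            continue
        # A message may itself contain tabs: the first seven columns and the
        # last one are fixed, everything in between is the message.
        fields = parts[:7] + [" ".join(parts[7:-1]), parts[-1]]
        yield dict(zip(ULS_COLUMNS, fields))

def summarize_tag(text, tag="8scdc"):
    """Count entries whose EventID column equals the tag, grouped per request."""
    hits = [e for e in parse_uls(text) if e["EventID"].lower() == tag.lower()]
    return {
        "count": len(hits),
        "first_seen": hits[0]["Timestamp"] if hits else None,
        "by_correlation": dict(Counter(e["Correlation"] for e in hits)),
        "processes": sorted({e["Process"] for e in hits}),
    }

if __name__ == "__main__":
    print(summarize_tag(SAMPLE_ULS))
```

Matching on the EventID column keeps an entry that merely mentions the tag in its message (the second sample line) out of the count, and the correlation IDs give the requests to follow up on.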
There are no updates to Microsoft Exchange for this cycle. This is a welcome relief from the past few months where critical updates required urgent patches that have enterprise-wide implications.
This is an easy month for updates to Microsoft development platforms (.NET and Visual Studio) with just two updates rated as important:
Add the Visual Studio update to your standard developer release schedule. I would add the ASP.NET update to your priority release schedule due to greater exposure to the internet.