Download Ransomware Q2 Index Update

July: Microsoft Patches 117 Security Vulnerabilities

Posted on 16th Jul, 2021 | By Pavithra Shankar

Microsoft patched 117 unique security vulnerabilities this July. We analyzed all 117  weaknesses and spotlighted the most important vulnerabilities that ought to be fixed on priority.


Microsoft Patches: Overview

This July, Microsoft patched 117 vulnerabilities discovered earlier in 2021, including six publicly disclosed bugs.

Of these 117, Microsoft has fixed key vulnerabilities, including the following:

  • 43 CVEs classified as RCE bugs

  • 32 CVEs with privilege escalation capabilities

  • 12 CVEs linked to denial of service (DoS)

  • 14 CVEs with information disclosure issues

  • 8 CVEs associated with a security feature bypass

  • 7 CVEs with spoofing flaws

Zero-Day Vulnerabilities

Microsoft had released patches for nine zero-day vulnerabilities this month (CVE-2021-34492, CVE-2021-34523, CVE-2021-34473, CVE-2021-33779, CVE-2021-33781, CVE-2021-34527, CVE-2021-33771, CVE-2021-34448, CVE-2021-31979). Currently, six of these CVEs have publicly known exploits, and four are under active attack and must be prioritized for patching.

RCE/PE Vulnerabilities

The most notable update is Microsoft's patch for the "PrintNightmare" vulnerability” (CVE-2021-34527) in its print spooler function, which may allow an attacker to execute remote malware. CISA had also issued an alert to this vulnerability. Microsoft attempted to patch this flaw with an out-of-band version earlier this month, but the flaw is still considered to be exploitable.

Read more: How to detect CVE-2021-34527?

In addition, Microsoft stated seven vulnerabilities ( CVE-2021-34520, CVE-2021-34467, CVE-2021-34468, CVE-2021-34449, CVE-2021-33780, CVE-2021-33771, and CVE-2021-31979) are more likely to be exploited. Of these seven, four CVEs are RCE bugs and three with privilege escalation capabilities.

Microsoft has patched six serious vulnerabilities in Exchange Server where CVE-2021-34473 and CVE-2021-34523 had previously been addressed in Microsoft's April security update and discovered by National Security Agency (NSA). Considering back-to-back updates for the past months, these two vulnerabilities should be monitored closely and fixed immediately.

Severity Scores

Notably, 13 vulnerabilities have been marked critical that are classified as RCE bugs.

Product Analysis

In this round-up, patches were issued for 16 products. Windows’ Server accounted for 71 vulnerabilities, of which 19 were categorized with privilege escalation and 21 with RCE capabilities. 


Table: Microsoft July Security Update 2021

As cyber threats are increasingly targeting vulnerable systems, we recommend Microsoft users to deploy the available updates as quickly as possible.

CSW’s Patch Watch helps organizations and their overworked security teams patch the most critical vulnerabilities and improve their security posture.  Get on our mailing list for more information about emerging threats.

 

Does your organization have a patch management program? Talk to CSW experts to prioritize weaknesses that need immediate attention!

 

Test your defense to know how secure you are…