Tim Lovegrove
Security Analyst
Welcome to the June Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, Cisco and the other major vendors.
Microsoft
Microsoft have blessed admins with one of the lightest Patch Tuesday releases in a long time, with just 49 vulnerabilities addressed this month, plus CVE-2021-33741 which was patched out-of-band earlier in the week. Despite the relatively low number of CVE’s, six of these have been observed being actively exploited, making it as important as ever that systems are updated promptly.
CVE-2021-33742 is likely the most serious, being a bug in MSHTML that allows a malicious web page to serve and execute malicious code on the user’s device. MSHTML is used in the Internet Explorer emulation mode in the legacy, non-Chromium version of Edge, as well as other components of the Windows ecosystem. While these applications may be deprecated, the underlying components are still present across all versions of Windows, making this a serious and widespread vulnerability.
A bypass for the AppContainer security feature (CVE-2021-31962) is also serious enough to warrant quick deployment of the updates. AppContainer is an isolation technology intended to sandbox processes and applications such as browsers in order to prevent them running malicious code in other parts of the operating system. The ability to escape or bypass this sandbox presents an attacker with the opportunity to gain a foothold on the machine and further their attack.
Similarly, CVE-2021-33739 is an Elevation of Privilege attack on the DWM (Desktop Window Manager) component that has an active exploit with confirmed functional code. Microsoft’s description of a potential attack outlines code being supplied by a script or executable which the user is tricked into running via a phishing campaign, making user awareness a key part of the protection as well as the update itself.
On a lighter note, we’re starting to hear rumours of Windows 11 surfacing. Details are currently scant, but a new feature roll-up (21H2) is due later in the year, and there is speculation that this update could be substantial enough to warrant moving the OS along to the “Windows 11” moniker. Windows 10 is now 6 years into its lifecycle, the point where most Microsoft OSes go into “extended support” and the longest Microsoft have gone with a desktop OS. Microsoft say they’re still committed to Windows 10 as their main OS but more information is likely to arrive on the 24th June at a public event being run by Microsoft.
Adobe
Adobe released a substantial round of updates this month as well, with updates to Acrobat/Reader, Photoshop, After Effects, Creative Cloud and others. Adobe rate most of these at Priority 3, however the updates to Reader/Acrobat and Experience Manager are rated at Priority 2, meaning they contain fixes for Critical bugs but that there is currently no public exploit code for those vulnerabilities.
Cisco
Cisco have released a number of updates through June to address issues across WebEx, Firepower Threat Defence software, SD-WAN and ASR 5000. With no workarounds available for any of the bugs, the only route to address these is to install the updates. The most widespread of these are likely to be the WebEx bugs, which allow a maliciously crafted WebEx Recording File (WRF) to execute arbitrary code with the user’s privileges, suggesting a phishing attack could be used to deliver the malicious file.