Microsoft patches seven zero-days in Patch Tuesday update

Six zero-days have been observed in active attacks

Microsoft's June 2021 Patch Tuesday update addresses a total of 50 vulnerabilities across various products and platforms: five rated as 'Critical', and 45 deemed 'Important'.

The security update includes patches for Microsoft Office, Excel, SharePoint, Outlook, Edge browser, Windows Cryptographic Services, .NET Core & Visual Studio, Microsoft DWM Core Library, Microsoft Scripting Engine, Windows Defender, Windows HTML Platform, Windows Kernel and Windows Remote Desktop, among others products.

The update also includes patches for seven zero-day bugs, of which six are being actively exploited in the wild.

Potentially the most serious of these zero-days is CVE-2021-33742, a remote code execution (RCE) vulnerability with a CVSS score of 7.5. An attacker could exploit the bug to to execute arbitrary code remotely via the MSHTML Platform. The code would then run after a maliciously crafted file or webpage is opened and parsed by MSHTML.

Another patched zero-day is CVE-2021-31955, an information disclosure bug in the Windows Kernel; an attacker could use this to steal information like kernel addresses from the system. Kaspersky researchers discovered the flaw, and said in a report that a new threat group known as PuzzleMaker is using this bug today, in combination with another zero-day, CVE-2021-31956, to launch highly targeted attacks.

Other zero-days fixed in the June update are:

• CVE-2021-33739: Microsoft DWM Core Library Elevation of Privilege Vulnerability with CVSS 8.4
• CVE-2021-31199: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability with CVSS 5.2
• CVE-2021-31201: Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability with CVSS 5.2

One more zero-day disclosed in the update, but not yet observed in active attacks, is CVE-2021-31968, a denial-of-service flaw impacting Remote Desktop Services. This vulnerability carries a CVSS score of 7.5 and goes back to Windows 7, according to Microsoft.

Commenting on Microsoft's June 2021 Patch Tuesday update, Kevin Breen, Director of Cyber Threat Research at Immersive Labs said: "At first glance, I thought this Patch Tuesday was going to be a light one - until I started digging into the technical details and uncovered (with some difficulty) a number of 'exploitation detected' vulnerabilities.

"This tag means attackers are actively using them, so for me, it's the most important piece of information we need to prioritise [in] the patches. Sure, there are CVEs listed with a score of 9.4 - but a CVE with a score of 5.2 that is being actively exploited must take centre stage and be patched as a matter of priority above the rest."

Bharat Jogi, senior manager, vulnerability and threat research, Qualys, noted: "There are seven zero-day vulnerabilities among Microsoft's June Patch Tuesday release, with six of them having exploitations observed in the wild."

"As always, we encourage companies to apply the fixes for these vulnerabilities ASAP, prioritising the actively exploited ones. Two of these zero-days, which Kaspersky discovered, were used in conjunction with Google Chrome and were at the root of a chain of exploits in highly targeted attacks against multiple companies this past April."

Microsoft addressed 55 security vulnerabilities in the May 2021 Patch Tuesday update, , of which four were rated as Critical, 50 Important and one as Moderate.