6 zero-days make this a ‘Patch Now’ Patch Tuesday

Microsoft this week pushed out 50 updates to fix vulnerabilities across both the Windows and Office ecosystems. The good news is that there are no Adobe or Exchange Server updates this month. The bad news is that there are fixes for six zero-day exploits, including a critical update to the core web rendering (MSHTML) component for Windows. We’ve added this month’s Windows updates to our “Patch Now” schedule, while the Microsoft Office and development platform updates can be deployed under their standard release regimes. Updates also include changes to Microsoft Hyper-V, the cryptographic libraries and Windows DCOM, all of which require some testing before deployment.

You can find this information summarized in our infographic.

Key testing scenarios

There are no reported high-risk changes to the Windows platform this month. For this patch cycle, we divided our testing guide into two sections:

• Microsoft released a “high-risk” update to how DCOM servers communicate with their clients via RPC. The biggest change is to the RPC authentication security level — check to make sure each call registers correctly with at least RPC_C_AUTHN_LEVEL_PKT_INTEGRITY level security.
• For any apps that use the CryptImportKey function and dependencies on the Microsoft Base DSS Cryptographic Provider, confirm that there are no issues.
• Because of changes to how Windows 10 handles error logs, verify that Event Tracing is working and that your common log file paths are still valid.

Changes to Microsoft OLE and DCOM components are the most technically challenging and require the most business expertise to debug and deploy. DCOM services are not easy to build and can be difficult to maintain. As a result, they are not the first choice for most enterprises to develop in-house.

If there is a DCOM server (or service) within your IT group, it means it has to be there — and some core business element will depend on it. To manage the risks of this June update, I recommend that you have your list of applications with DCOM components ready, that you have two builds (pre- and post-update) ready for a side-by-side comparison and enough time to fully test and update your code base if need be.

Known issues

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds from Microsoft, including:

• Just like last month, system and user certificates might be lost when updating a device from Windows 10 version 1809 or later to a newer version of Windows 10. Microsoft has not released any further advice, other than moving to a later version of Windows 10.
• There is a problem with the Japanese Input Method Editor (IME) that is generating incorrect Furigana text. These problems are quite common with Microsoft updates. IMEs are pretty complex and have been an issue for Microsoft for years. Expect an update to this Japanese character issue later this year.
• In a related issue, after installing KB4493509, devices with some Asian language packs installed may see the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” To resolve this issue, you will need to uninstall and then reinstall your language packs.

There have been a number of reports of ESU systems being unable to complete last month’s Windows updates. If you are running an older system, you will have to purchase an ESU key. Most importantly, you have to activate it (for some, a key missing step). You can find out more about activating your ESU update key online.

You can also find Microsoft’s summary of known issues for this release in a single page.

Major revisions

As of now for this June cycle, there were two major updates to previous released updates:

• CVE-2020-0835: This is an update to the Windows Defender anti-malware feature in Windows 10. Windows Defender is updated on a monthly basis and usually generates a new CVE entry each time. So, an update to a Defender CVE entry is unusual (rather than just creating a new CVE entry for each month). This update is (fortunately) to the associated documentation. No further action is required.
• CVE-2021-28455: This revision refers to another documentation update regarding the Microsoft Red Jet database. This update (unfortunately) adds Microsoft Access 2013 and 2016 to the affected list. If you use the Jet “Red” database (check your middleware), you are going to have to test and update your systems.

As an extra note to the update to Windows Defender, given all the things going on this month (six public exploits!), I highly recommend that you ensure Defender is up to date. Microsoft has published some additional documentation on how to check and enforce compliance for Windows defender. Why not do so now? It’s free and Defender is pretty good.

Mitigations and workarounds

So far, it does not appear that Microsoft has published any mitigations or workarounds for this June release.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

• Browsers (Internet Explorer and Edge);
• Microsoft Windows (both desktop and server);
• Microsoft Office;
• Microsoft Exchange;
• Microsoft Development platforms ( ASP.NET Core, .NET Core and Chakra Core);
• Adobe (retired???)

Browsers

It seems like we are back to our usual rhythm now of minimal updates to Microsoft’s browsers, as we have only a single update to the Microsoft Chromium project (CVE-2021-33741). This browser update has been rated as important by Microsoft as it can only lead to an elevated privilege security issue and requires user interaction. Rather than using the Microsoft security portal to gain better intelligence on these browser updates, I have found the Microsoft Chromium release notes pages a better source of patch related documentation. Given the nature of how Chrome installs on Windows desktops, we expect very little impact from the update. Add this browser update to your standard release schedule.

Microsoft Windows 10

This month, Microsoft released 27 updates to the Windows ecosystem, with three rated as critical and the rest rated as important. This is a relatively low number compared to previous months. However, (and this is big) I am pretty sure that we have never seen so many vulnerabilities publicly exploited or publicly disclosed. This month there are six confirmed as exploited including: CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199 and CVE-2021-31201.

To add to this month’s troubles, two issues have also been publicly disclosed, including CVE-2021-33739 and CVE-2021-31968. This is a lot — especially for one month. The one patch that I am most concerned about is CVE-2021-33742. It is rated as critical, as it can lead to arbitrary code execution on the target system and affects a core element of Windows (MSHTML). This web rendering component was a frequent (and favorite) target for attackers as soon as Internet Explorer (IE) was released. Almost all of the (many, many) security issues and corresponding patches that affected IE were related to how the MSHTML component interacted with the Windows subsystems (Win32) or, even worse, the Microsoft scripting object.

Attacks to this component can lead to deep access to compromised systems and are hard to debug. Even if we did not have all of the publicly disclosed or confirmed exploits this month, I would still add this Windows update to the “Patch Now” release schedule.

Microsoft Office 

Very much like last month, Microsoft released 11 updates rated as important and one rated as critical for this release cycle. Again, we are seeing updates to Microsoft SharePoint as the primary focus, with the critical patch CVE-2021-31963. Compared with some of the very concerning news this month for Windows updates, these Office patches are relatively complex to exploit and do not expose highly vulnerable vectors like Outlook Preview panes to attack.

There have been a number of informational updates to these patches over the past few days and it appears there may be an issue with the combined updates to SharePoint Server; Microsoft published the following error, “DataFormWebPart may be blocked by accessing an external URL and generates ‘8scdc’ event tags in SharePoint Unified Logging System (ULS) logs.” You can find out more about this issue with KB 5004210.

Plan on rebooting your SharePoint servers and add these Office updates to your standard release schedule.

Microsoft Exchange

There are no updates to Microsoft Exchange for this cycle. This is a welcome relief from the past few months where critical updates required urgent patches that have enterprise-wide implications.

Microsoft development platforms

This is an easy month for updates to Microsoft development platforms (.NET and Visual Studio) with just two updates rated as important:

• CVE-2021-31938: A complex and difficult attack to complete that requires local access and user interaction when using the Kubernetes tool extensions.
• CVE-2021-31957: This ASP.NET vulnerability is a little more serious (it affects servers, instead of a tool extension). That said, it is still a complex attack that has been completely resolved by Microsoft.

Add the Visual Studio update to your standard developer release schedule. I would add the ASP.NET update to your priority release schedule due to greater exposure to the internet.