Patch Tuesday April 2021

Jordan Hammond|April 13, 2021

It is once again Patch Tuesday. This one could be interesting, as the white hat conference Pwn2Own is just wrapping up. Much was found, but luckily, because it is a white hat event, everyone is given a shot to patch before the information is released. A lot of new stuff is out there though, so patch soon. This month, 114 vulnerabilities are being closed, with 19 listed as critical. Well done, Pwn2Own participants. Many of these are remote code executions, so you might want to start your testing ASAP. Four of these vulnerabilities are publicly known, and one is being actively exploited.


*Highlights Magazine is a trademark of "Highlights For Children". Lowlights Magazine is a dripping satire and should be recognized as such.

Some highlights (or lowlights)

  • CVE-2021-28333: I am specifying this critical patch randomly. Many critical patches don’t have unique information. These CVEs range from 28329 to 28343. They are all remote code execution vulnerabilities that affect RPC. Just because they are similar does not mean they are not serious. These alone make patching ASAP your best bet.

  • CVE-2021-28480: Here, you have a vulnerability rated 9.8 that impacts Exchange. If you have on-prem Exchange, make sure you are patching. This is a remote code execution that does not require any user interaction. A wormable Exchange exploit sounds pretty bad. This is the highest-rated CVE this Patch Tuesday, and patching should be a top priority.

  • CVE-2021-28310: This is the lowest-ranked vulnerability I plan to highlight, but it is actively being exploited. It requires either having access to the machine or getting someone to run a program that elevates privileges. With these, your best defense is a well-educated workforce. However, even constant vigilance leaves room for some human error. So, let’s patch and take that off their shoulders.

Non-Windows news

I normally stick to Windows releases on Patch Tuesdays. However, there has been some fallout for Chrome and Chromium-based browsers. One of the major finds was a remote code execution vulnerability in the V8 JavaScript engine. It has been found and patched, but the fix is not yet integrated into the latest browser versions. A risk of open source is the patch gap: the time between when the code that fixes the vulnerability is committed and when it is released. For example, someone went in and reverse engineered what was found at Pwn2Own and released it early. There is a new update coming to Chrome today, and it is a safe bet that this will close the hole, but as of right now this exploit is in the wild and not patched.

In review

This month was always likely to be a bad Patch Tuesday. If you invite a bunch of white hats to break into stuff and offer them tens of thousands of dollars to do it, you are going to find some new and interesting exploits. This one was successful and resulted in some fantastic exploits that now need to be closed. Now that we have covered the "why you should patch", let’s go over the "how". PDQ can help you have your Windows patching on a schedule (that you never have to look at) in less than 15 minutes.

Jordan Hammond

Jordan spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that was something he should talk about on the internet.
