Patch Tuesday is back, and it appears to be a doozy. The total number is low with fifty total exploits being patched, and only five of those are listed as critical. However, six of these are already being used, and three of them are publicly known already. So, what we lack in numbers, we are more than making up for with immediate threats.
CVE-2021-31962 - Let’s start with the highest CVEE score, coming in at a 9.4 out of 10. The good news is that this is not one that was publicly disclosed and is not currently exploited. The bad news is this is a bad actor to bypass Kerberos authentication and authenticate as a service principal name. This can even be exploited over the network, which means it could potentially be wormable, because it requires no user interaction. This vulnerability, alone, is a great reason to start updating your test lab ASAP.
CVE-2021-33742 - This critical exploit is rated lower at a 7.4, but it is already actively being exploited and is publicly known. The attacker uses MSHTMLl to exploit a Remote Code Execution. It does require user interaction to be successful. Side note: IE11 and legacy Edge are both depreciated, but MSHTML is still supported, so if you have removed those applications it does not mean you are not at risk. Any legacy application could be built on this. Even if you had been very thorough in removing old browsers, this is not an exploit to ignore, especially where it has already been taken advantage of.
CVE-2021-33739 - This exploit is both actively being used and is publicly known, which is far from ideal, especially as it is ranked as critical, with an 8.5 out of 10. This exploit allows an attacker to elevate privileges through a vulnerability in DWM Core (Desktop Windows Management), a library that allows Windows to render several effects like transparent windows and taskbar thumbnails. This is something that you can’t disable in Windows 10, so all Windows devices are likely at risk. It does require local access to exploit, meaning they need to be able to reach the machine or get a user to fall for some kind of phishing scheme.
This is the first time since I have been doing Patch Tuesday updates where I have felt like Windows patching has been more reactionary than proactive. This is not to say that the work being done by the security community has been lax, but that I don’t recall this many already known, or publicly disclosed exploits in a single month in some time.
With a potentially wormable exploit, and several other high-risk threats involving widely used applications and services, you might want to get your test patched as soon as you are able. If you are using PDQ Deploy and PDQ Inventory you could have had your lab patched while you read this blog. They will even circle back around and install in production once your testing window is completed.
Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.