A raft of critical-rated vulnerabilities fixed in Microsoft’s midsummer Patch Tuesday, including at least two bugs the company knows are being actively exploited, means that everyone needs to take speedy action to update their Windows computers.
Among the 117 bugs the company will fix in this month’s release are 13 that can lead to remote code execution (RCE) affecting a variety of products. Microsoft’s guidance also revealed that two of those bugs, tagged as CVE-2021-34448 and CVE-2021-34527, have been exploited by threat actors in the course of attacks.
The two bugs with active exploits affect the Windows scripting engine and the Print Spooler service, respectively, with the exploit against the latter known by its nickname, PrintNightmare, a bug for which Microsoft released an early (“out of band”) patch that reportedly doesn’t fully protect computers whose owners applied it. The monthly update applies a slightly newer fix to address some issues with the early PrintNightmare release, and Microsoft has published additional technical guidance to help users determine if their machines are vulnerable and to take additional measures to lock them down.
In addition to the two critical RCEs, Microsoft will also fix the bugs underlying five other vulnerabilities that are publicly known about, but have not yet (as far as Microsoft is aware) been exploited: a pair of security feature bypass problems in Active Directory, two privilege escalations in Exchange Server (one of which Microsoft believes is more likely to be exploited, and has a severity rating of Critical), and the ability to spoof a security certificate in Windows.
All told, it was a banner month for fixes, with a total of 44 patches to address RCEs, the most serious type of vulnerability. Nine of those repairs apply to Windows DNS servers, an unusually high number for this mature technology. Among those, at least four involve the DNS Snap-In to Remote Server Admin Tools, or RSAT. Microsoft’s notes on the bugs CVE-2021-33749, CVE-2021-33750, and CVE-2021-33752 reveal the limitations (and the method) of exploitation: “An administrator would need to view a malicious record in the DNS Snap-in to allow exploitation [of] this vulnerability.”
A few of the fixes involve hardening the encryption used when passwords are transmitted over the network, such as when a user changes their password or logs in to a remote machine. These updates may make it harder for attackers to use open-source tools such as Mimikatz to sniff administrator passwords from internal networks, a behavior that has become de rigueur for ransomware attackers in large attacks. The patches make a stronger encryption algorithm the default in several circumstances where sniffing network traffic could reveal sensitive information.
Three of the fixes address RCEs in the Exchange email server software, three target RCEs in SharePoint cloud server software, and five resolve RCEs in the Windows HEVC (high efficiency video codec) Extensions, used by Windows 10 to display ultra-high-definition video on modern computers. Five other RCE bugs fixed this month affect Windows Media Player (or its Media Foundation subcomponents), three of which are classified as Critical.
Microsoft has published guidance about how to check whether you have the updated HEVC package installed, using the following PowerShell command.
Get-AppxPackage -Name Microsoft.HEVCVideoExtension*
Waking up from the PrintNightmare
Microsoft released what they refer to as an “out of band” patch for the PrintNightmare exploit at the very beginning of July, after CISA published a bulletin about the bug. While some speculated that PrintNightmare took advantage of an incomplete repair of CVE-2021-1675 Microsoft had released in June, the new bug was assigned a different code of CVE-2021-34527 to distinguish between the two.
Sophos began looking for active exploitation of PrintNightmare as soon as we were able to review the exploit code. Our first detections of what we believe to be people actively exploiting the bug were found in telemetry on July 5th, and we escalated a case on July 6th that looked more like an attacker than just a hobbyist testing out the exploit.
In one instance, the target of the attack confirmed that they were not engaged in any kind of penetration testing or assessment of their network. We recovered telemetry from several machines that indicates the attacker had been using an openly available proof-of-concept exploit against CVE-2021-1675.
We found Registry modifications that mimic some of the path conventions used in the PoC, and a payload file named 1.dll (MD5: 45942ad78a041108de18a9661ea1067b21e6c041, file not disclosed) in the location where Microsoft stores the printer drivers. We also retrieved logs that revealed the DLL was used to execute a PowerShell command the attacker used to download a second file.
The attackers executed the second file, a PowerShell script that delivered Mimikatz to the infected machine, and other telemetry indicates that the attackers also created a user account (“net1”) with administrator-level permissions and a password of 123456abc! and leveraged that account to pull down a credential-stealing script from Github.
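The indicators described above (a DLL dropped into the printer driver store, a newly created administrator account) and Microsoft’s Point and Print lockdown guidance can be checked with a read-only PowerShell hunt. This is an added example, not code from Sophos or Microsoft; it assumes the standard Windows driver store path under System32\spool\drivers, the Security log event 4720 for account creation, and the PointAndPrint registry values named in Microsoft’s CVE-2021-34527 guidance.

```powershell
# Added example: read-only hunt for PrintNightmare indicators and Point and Print hardening.
# Run in an elevated PowerShell session on the Windows host being checked.
# Assumed: driver store path, event ID 4720, and the PointAndPrint value names below.

$driverStore = Join-Path $env:SystemRoot 'System32\spool\drivers'   # where Windows keeps printer drivers
$lookback    = (Get-Date).AddDays(-14)                               # hunting window, adjust as needed
$findings    = @()

# 1. Recently written DLLs in the driver store that do not carry a valid Authenticode signature
#    (the incident above dropped a payload named 1.dll in this location).
Get-ChildItem -Path $driverStore -Recurse -Filter '*.dll' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $lookback } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        if ($sig.Status -ne 'Valid') {
            $findings += "Unsigned or invalid DLL in driver store: $($_.FullName) (written $($_.LastWriteTime))"
        }
    }

# 2. Local accounts created in the window (event 4720; Properties[0] is TargetUserName),
#    plus the specific account name seen in the incident.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $lookback } -ErrorAction SilentlyContinue |
    ForEach-Object { $findings += "Local account created $($_.TimeCreated): $($_.Properties[0].Value)" }
if (Get-LocalUser -Name 'net1' -ErrorAction SilentlyContinue) {
    $findings += "Account 'net1' exists; review its group membership and creation time"
}

# 3. Point and Print hardening: Microsoft's guidance says both values should be absent or 0.
$pnp = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
foreach ($name in 'NoWarningNoElevationOnInstall', 'UpdatePromptSettings') {
    $val = (Get-ItemProperty -Path $pnp -Name $name -ErrorAction SilentlyContinue).$name
    if ($val -and $val -ne 0) { $findings += "$name = $val weakens Point and Print protection" }
}

# 4. Whether the Print Spooler is running at all; stopping it is the blunt mitigation
#    on hosts that never need to print.
$spooler = Get-Service -Name Spooler -ErrorAction SilentlyContinue
if ($spooler -and $spooler.Status -eq 'Running') { $findings += 'Print Spooler service is running' }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No indicators found' }
```

The script changes nothing on the host; a finding is a lead for further investigation, not a verdict.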
All of this is to say, don’t wait one minute longer than absolutely necessary to install these updates.
As every month, Microsoft offers the updates as manual downloads on the Windows Catalog website, if your computer isn’t downloading them automatically through Windows Update, or if you just want to get them faster.
We may update this report with additional information as it becomes available after Microsoft’s Patch Tuesday NDA expires.
Other platforms’ bugs
Microsoft also released notes about an update to Bing Search for Android. Users who click a malicious or deliberately malformed link in the Android version of Bing Search could inadvertently end up on a website they didn’t intend to visit.
Software developers who have integrated the Open Enclave SDK into their products or code may wish to update to incorporate the new fixes that prevent a privilege escalation.
Here is a list of protections released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation capabilities in our products.