Microsoft patched 50 CVEs in its June 2021 Patch Tuesday release, five of which are classified as critical severity. Six have applicable exploits.
Bharat Jogi, Senior Manager, Vulnerability and Threat Research at Qualys
“There are seven zero-day vulnerabilities in Microsoft’s June 2021 Patch Tuesday release, with exploits ‘in the wild’ observed for six of them. As always, we recommend that companies install the fixes for these vulnerabilities as soon as possible, with the actively exploited vulnerabilities taking precedence. Two of these zero-days discovered by Kaspersky were exploited in conjunction with Google Chrome and formed the basis for a chain of exploits in targeted attacks on several companies last April,” says Bharat Jogi, Senior Manager, Vulnerability and Threat Research at Qualys.
Critical Microsoft vulnerabilities patched
- CVE-2021-31985 – Microsoft Defender Remote Code Execution Vulnerability
Microsoft has released patches that address a critical RCE vulnerability in its Defender product (CVE-2021-31985). This CVE has a high likelihood of exploitation and is assigned a CVSSv3 base score of 7.8 by the vendor.
- CVE-2021-31959 – Scripting Engine Memory Corruption Vulnerability
Microsoft has released patches that address a critical memory corruption vulnerability in the Chakra JScript scripting engine. This vulnerability affects Windows RT, Windows 7, Windows 8, Windows 10, Windows Server 2008 R2, Windows Server 2012 (R2), and Windows Server 2016.
- CVE-2021-31963 – Microsoft SharePoint Server Remote Code Execution Vulnerability
Microsoft has released patches that fix a critical RCE in SharePoint Server. This CVE is assigned a CVSSv3 base score of 7.1 by the vendor.
Six 0-day vulnerabilities patched with exploits “in the wild”
The following vulnerabilities need to be patched immediately, since there are active exploits “in the wild” for them:
- CVE-2021-33742 – Windows MSHTML Platform Remote Code Execution Vulnerability
- CVE-2021-33739 – Microsoft DWM Core Library Elevation of Privilege Vulnerability
- CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability
- CVE-2021-31955 – Windows Kernel Information Disclosure Vulnerability
- CVE-2021-31201 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
- CVE-2021-31199 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
Adobe addressed 41 CVEs this Patch Tuesday, 21 of which are considered critical. They affect Acrobat and Reader, Adobe Photoshop, Creative Cloud Desktop Application, RoboHelp Server, Adobe After Effects and Adobe Animate.
Patch Tuesday Dashboard
The latest updated Patch Tuesday Dashboards are available in the Dashboard Toolbox: 2021 Patch Tuesday Dashboard.
Webinar Series: This Month in Patches
To help customers take advantage of the seamless integration between Qualys VMDR and Patch Management and reduce the average time to address critical vulnerabilities, the Qualys Research team is hosting a monthly webinar series, This Month in Patches.
It discusses how to patch some of the most important vulnerabilities from the previous month:
- VMware vCenter Server Multiple Vulnerabilities
- Ubuntu XStream Vulnerabilities
- Microsoft Patch Tuesday-June 2021
About Patch Tuesday
Patch Tuesday QIDs are published under Security Alerts, usually in the late evening of Patch Tuesday, followed shortly after by the PT dashboards.