On August Patch Tuesday, Microsoft released patches to fix 51 vulnerabilities across its product range, including 7 critical flaws, 37 vulnerabilities rated important, and three zero-day vulnerabilities, one of which is under active attack.
The three zero-day vulnerabilities include two which have been publicly disclosed but are not known to have been exploited in the wild. These are a critical remote code execution vulnerability in the Windows Print Spooler Driver, tracked as CVE-2021-36936, and a Windows LSA Spoofing vulnerability, tracked as CVE-2021-36942, with the latter associated with the PetitPotam NTLM relay attack vector. The actively exploited zero-day is tracked as CVE-2021-36948 and is a privilege escalation vulnerability in the Windows Update Medic Service.
The remaining critical flaws are:
- CVE-2021-26424 – Windows TCP/IP RCE vulnerability (CVSS 9.9)
- CVE-2021-26432 – Windows Services for NFS ONCRPC XDR Driver RCE vulnerability
- CVE-2021-34480 – Scripting Engine Memory Corruption vulnerability
- CVE-2021-34530 – Windows Graphics Component RCE vulnerability
- CVE-2021-34534 – Windows MSHTML Platform RCE vulnerability
- CVE-2021-34535 – Remote Desktop Client RCE vulnerability
In total, August 2021 Patch Tuesday updates correct 17 elevation of privilege vulnerabilities, 13 remote code execution bugs, 8 information disclosure flaws and 2 denial of service flaws.
As always, patches should be applied as soon as possible to prevent exploitation, with priority given to the critical and zero-day flaws.
Adobe Releases Patches for 29 Vulnerabilities
On Patch Tuesday, Adobe released patches to fix 29 security vulnerabilities in its Magento and Connect products, with Magneto receiving fixes for 26 CVEs and Adobe Connect receiving 3.
Magneto, an e-commerce platform, has received patches to fix 10 pre-authentication vulnerabilities, which include remote code execution, security bypass, privilege escalation, and file system read flaws. 16 of the flaws are rated critical, with the remainder rated important.
Adobe Connect, a remote training, web conferencing, presentation, and desktop sharing solution, received patches to fix a security bypass flaw and two cross-site scripting vulnerabilities, which could lead to remote code execution.