July 2021 Patch Tuesday has seen Microsoft release patches to fix 116 vulnerabilities across its range of products: 12 critical flaws, 3 actively exploited vulnerabilities, 8 zero-days, 103 important bugs, and one rated moderate. Microsoft also released an out-of-band patch earlier this month to fix the PrintNightmare flaw CVE-2021-34527, an PoC exploit for which is in the public domain.
The actively exploited flaws are CVE-2021-34448, a critical scripting engine memory corruption vulnerability, and two ‘important’ Windows kernel elevation-of-privilege vulnerabilities, CVE-2021-31979 and CVE-2021-33771. The PrintNightmare flaw is also under active exploitation.
The following 4 flaws have been rated important and are publicly known, although they have not yet been exploited: CVE-2021-33781 (AD security feature bypass), CVE-2021-34523 (MS Exchange Server elevation of privilege), CVE-2021-33779 (Windows ADFS security feature bypass), CVE-2021-34492 (Windows certificate spoofing). The other publicly disclosed vulnerability, rated critical, is CVE-2021-34473 (MS Exchange Server RCE)
The remaining critical vulnerabilities are:
- CVE-2021-34439 – Microsoft Windows Media Foundation RCE vulnerability
- CVE-2021-34450 – Windows Hyper-V RCE vulnerability
- CVE-2021-34458- Windows Kernel RCE vulnerability
- CVE-2021-34464 – Microsoft Defender RCE vulnerability
- CVE-2021-34474 – Dynamics Business Central Control RCE vulnerability
- CVE-2021-34494 – Windows DNS Server RCE vulnerability
- CVE-2021-34497 Windows MSHTML Platform
- CVE-2021-34503 – Microsoft Windows Media Foundation RCE vulnerability
- CVE-2021-34522 – Microsoft Defender RCE vulnerability
- CVE-2021-33740 – Microsoft Windows Codecs Library: Windows Media RCE vulnerability
Microsoft has also confirmed that a remote code execution vulnerability affecting Microsoft Exchange Server – CVE-2021-34473 – was actually fixed on April Patch Tuesday but was not disclosed at the time. The bug is being exploited in the wild, but if the April updates have been applied, the issue will have been resolved.
Adobe Releases Patches for 28 Vulnerabilities; 22 Critical
Adobe has released 28 patches to correct flaws in 6 of its products, including 22 critical flaws. Adobe Acrobat and Reader are the worst affected products with 14 critical and 5 important vulnerabilities fixed.
Adobe Bridge has patches released to fix 4 critical flaws and one moderate vulnerability, two critical flaws and 1 important vulnerability have been fixed in Adobe Illustrator, and Adobe Dimension and Adobe Framemaker have each had a patch released to correct 1 critical flaw.
None of the flaws are believed to have been exploited in the wild, but prompt patching is strongly advisable. Most of the critical flaws are remote code execution vulnerabilities.