July 2021's security patch bonanza: Windows kernel under active attack, RCEs in Exchange, DNS, hyper-v

Four Microsoft software vulnerabilities are under active attack, including the notorious Windows Print Spooler bug, a Windows kernel bug, and a scripting engine memory corruption vulnerability, Redmond said in its July 2021 security patches update -- releasing fixes for 117 CVEs, 44 of which were remote code execution (RCE) bugs and 13 of which were rated critical. Adobe, meanwhile, patched 29 CVEs, with SAP, Citrix, Siemens and others all releasing fixes.

https://twitter.com/orange_8361/status/1415316011335647234

Among the latter was the fix for an unusual RCE bug in the Windows kernel that impacts Virtual Machines. Allocated  CVE-2021-34458 and rated as an extremely high CVSS 9.9, it’s one to take a close look at. (Found internally by Microsoft it's not yet under attack, but is likely to draw heightened interest from Black Hats reverse engineering patches). The bug affects systems with single root input/output virtualization (SR-IOV) devices.

As Chad McNaughton, Technical Community Manager, Automox noted, it is a network-level, low-complexity vulnerability "requiring low privileges and no user interaction... [it] allows an SR-IOV device which is assigned to a guest to potentially interfere with its PCIe siblings which are attached to other guests or to the root. In short, SR-IOV devices allow your virtual machines to share resources on a single, physical interface on your server. Those that host virtual machines from a Windows instance or manage a server that includes the required hardware with SR-IOV devices could be affected by this vulnerability and should deploy the security update within 72 hours.

Sysadmins and other folks will be pleased to know that the latest fix for CVE-2021-34527 (PrintNightmare) appears to fix a bug in an earlier hotfix that stopped several types of printer working, including those from vendor Zebra, among others.

As ever, the Zero Day Initiative (ZDI) remains an excellent port of call for IT professionals seeking a crisp round up of the CVEs and some guidance on what to prioritise for patching, and at The Stack we recommend its write-ups highly.

Some of the worse bugs below.