Skip to main content
Patch ManagementPatch Tuesday

June Patch Tuesday 2021 Includes 50 Fixes and 6 Weaponized Vulnerabilities

By June 9, 2021June 22nd, 2022No Comments
||

June Patch Tuesday 2021 Includes 50 Fixes and 6 Weaponized Vulnerabilities

June Patch Tuesday 2021 has arrived with 50 vulnerabilities and 6 zero-days exploited. Tackle the latest Microsoft updates, critical patches, and vulnerabilities of the month.

[vc_empty_space]
[vc_single_image image=”38813″ img_size=”full”]

Microsoft Releases 50 Fixes Including 6 Weaponized Vulnerabilities

There are 5 Critical and 45 Important fixes this month for Microsoft Windows, .NET Core and Visual Studio, Microsoft Office, Microsoft Edge (Chromium-based and EdgeHTML), SharePoint Server, Hyper-V, Visual Studio Code – Kubernetes Tools, Windows HTML Platform, and Windows Remote Desktop.

Year 2 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month, with one currently Weaponized.

  1. Windows 7 – 2 Critical and 12 Important vulnerabilities fixed
  2. Windows 2008 R2 – 1 Critical and 11 Important vulnerabilities fixed

Both Windows 7 and 2008 are vulnerable to CVE-2021-33742, Windows MSHTML Platform Remote Code Execution Vulnerability which is currently Weaponized. It carries a CVSS score of 7.5 and can be exploited over any network without privileges.

Robert Brown, Head of Customer Success for Syxsense said, “We are very concerned about CVE-2021-31948, CVE-2021-31950, CVE-2021-31964 which are all related to Microsoft SharePoint Server. These spoofing vulnerabilities carry a CVSS score of 7.6 but if exploited can be used to jump into another technology running on the system. These should be urgently resolved.”

Top June 2021 Patches and Vulnerabilities

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend entering the CVE numbers below into your patch management solution and deploying as soon as possible. 

1. CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability

The vulnerability exists due to improper privilege management within the Microsoft DWM Core Library. A remote attacker can trick the victim to run a specially crafted executable or script and execute arbitrary code on the system.

Syxscore

  • Vendor Severity: Important
  • CVSS: 8.4
  • Weaponized: Yes
  • Public Aware: Yes
  • Countermeasure: No

Syxscore Risk Alert

  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges: None
  • User Interaction: None
  • Scope (Jump Point): No

2. CVE-2021-33742 MSHTML Platform Remote Code Execution Vulnerability

The vulnerability exists due to a boundary error when processing HTML content within Windows MSHTML Platform. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.

Syxscore

  • Vendor Severity: Critical
  • CVSS: 7.5
  • Weaponized: Yes
  • Public Aware: Yes
  • Countermeasure: No

Syxscore Risk Alert

  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges: None
  • User Interaction: Required
  • Scope (Jump Point): No

3. CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.  By sending a specially crafted message to the Hyper-V host virtualization stack, a guest VM could cause a reference count in the host virtualization stack to be leaked.

Syxscore

  • Vendor Severity: Important
  • CVSS: 8.6
  • Weaponized: No
  • Public Aware: No
  • Countermeasure: No

Syxscore Risk Alert

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges: None
  • User Interaction: None
  • Scope (Jump Point): Yes
[vc_single_image image=”38151″ img_size=”full” onclick=”custom_link” link=”https://www.syxsense.com/start-a-free-trial-of-syxsense/”]

Syxsense Recommendations

Based on the vendor severity and CVSS Score, we have made a few recommendations below which you should prioritize this month. Please pay close attention to any of these which are publicly aware or weaponized.

Reference Description Vendor Severity CVSS Score Weaponised Publicly Aware Countermeasure Syxsense Recommended
CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability Important 8.4 Yes Yes No Yes
CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability Important 7.8 Yes No No Yes
CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability Critical 7.5 Yes Yes No Yes
CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability Important 5.5 Yes No No Yes
CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability Important 5.2 Yes No No Yes
CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability Important 5.2 Yes No No Yes
CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability Important 7.5 No Yes No Yes
CVE-2021-31962 Kerberos App Container Security Feature Bypass Vulnerability Important 9.4 No No No Yes
CVE-2021-31977 Windows Hyper-V Denial of Service Vulnerability Important 8.6 No No No Yes
CVE-2021-33741 Microsoft Edge (Chromium-based) Elevation of Privilege Vulnerability Important 8.2 No No No Yes
CVE-2021-31980 Microsoft Intune Management Extension Remote Code Execution Vulnerability Important 8.1 No No No Yes
CVE-2021-31954 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important 7.8 No No No Yes
CVE-2021-31948 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No No Yes
CVE-2021-31950 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No No Yes
CVE-2021-31964 Microsoft SharePoint Server Spoofing Vulnerability Important 7.6 No No No Yes
CVE-2021-31985 Microsoft Defender Remote Code Execution Vulnerability Critical 7.8 No No No
CVE-2021-31967 VP9 Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No No
CVE-2021-31942 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31943 3D Viewer Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31939 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31940 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31941 Microsoft Office Graphics Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31945 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31946 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31983 Paint 3D Remote Code Execution Vulnerability Important 7.8 No No No
CVE-2021-31969 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-31953 Windows Filter Manager Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-31973 Windows GPSVC Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-31951 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-31952 Windows Kernel-Mode Driver Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-1675 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No No
CVE-2021-31974 Server for NFS Denial of Service Vulnerability Important 7.5 No No No
CVE-2021-31975 Server for NFS Information Disclosure Vulnerability Important 7.5 No No No
CVE-2021-31976 Server for NFS Information Disclosure Vulnerability Important 7.5 No No No
CVE-2021-31958 Windows NTLM Elevation of Privilege Vulnerability Important 7.5 No No No
CVE-2021-31938 Microsoft Vs Code Kubernetes Tools Extension Elevation of Privilege Vulnerability Important 7.3 No No No
CVE-2021-31966 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.2 No No No
CVE-2021-31963 Microsoft SharePoint Server Remote Code Execution Vulnerability Critical 7.1 No No No
CVE-2021-26420 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 7.1 No No No
CVE-2021-31971 Windows HTML Platform Security Feature Bypass Vulnerability Important 6.8 No No No
CVE-2021-31949 Microsoft Outlook Remote Code Execution Vulnerability Important 6.7 No No No
CVE-2021-31959 Scripting Engine Memory Corruption Vulnerability Critical 6.4 No No No
CVE-2021-31957 .NET Core and Visual Studio Denial of Service Vulnerability Important 5.9 No No No
CVE-2021-31965 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.7 No No No
CVE-2021-31972 Event Tracing for Windows Information Disclosure Vulnerability Important 5.5 No No No
CVE-2021-31978 Microsoft Defender Denial of Service Vulnerability Important 5.5 No No No
CVE-2021-31960 Windows Bind Filter Driver Information Disclosure Vulnerability Important 5.5 No No No
CVE-2021-31970 Windows TCP/IP Driver Security Feature Bypass Vulnerability Important 5.5 No No No
CVE-2021-31944 3D Viewer Information Disclosure Vulnerability Important 5 No No No
CVE-2021-26414 Windows DCOM Server Security Feature Bypass Important 4.8 No No No
[vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Experience the Power of Syxsense

Syxsense is a cloud-based solution that helps organizations manage and secure their endpoints with ease. Automatically deploy OS and third-party patches as well as Windows 10 Feature Updates for Microsoft, Mac, and Linux devices.

[vc_btn title=”Start a Free Trial” style=”gradient-custom” gradient_custom_color_1=”#da4453″ gradient_custom_color_2=”#8a2387″ shape=”round” size=”lg” align=”center” link=”url:https%3A%2F%2Fwww.syxsense.com%2Fstart-a-free-trial-of-syxsense%2F|||” css=”.vc_custom_1586908107967{margin-top: 15px !important;}”][vc_separator css=”.vc_custom_1552427883977{padding-top: 20px !important;padding-bottom: 20px !important;}”]

Leave a Reply