Microsoft this week released 50 updates to fix vulnerabilities in the Windows and Office ecosystems. The good news is that there are no updates to Adobe or Exchange Server this month. The bad news is that there are fixes for six zero-day exploits, including a critical update to the core web rendering component (MSHTML) for Windows. We have added this month’s Windows updates to our “Patch Now” program, while Microsoft Office and development platform updates can be rolled out under their standard release regimes. The updates also include changes to Microsoft Hyper-V, the cryptographic libraries, and Windows DCOM, all of which require some testing before implementation.
You can find this information summarized in our infographic.
Key test scenarios
No high-risk changes have been reported on the Windows platform this month. For this patch cycle, we divided our testing guide into two sections:
Changes to the Microsoft OLE and DCOM components are the most technically challenging and require the most business experience to debug and implement. DCOM services are not easy to build and can be difficult to maintain. As a result, they are not the first choice for most companies to develop internally.
If there is a DCOM server (or service) within your IT group, it has to be there, and some core business element will depend on it. To manage the risks of this June update, I recommend that you have your list of applications with DCOM components ready, that you have two builds (pre- and post-update) ready for a side-by-side comparison, and that you allow enough time to complete, test and update your code base if necessary.
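One way to build that list and to compare the pre- and post-update builds is to snapshot each machine's DCOM registrations and diff the results. This is an added example, not part of the original article or Microsoft's guidance; the output folder, file naming and the `Get-DcomInventory` helper are assumptions.

```powershell
# Added example: snapshot registered DCOM applications so a pre-update and a
# post-update build can be compared side by side.
# Assumptions: output folder and file naming; run once before and once after patching.
param(
    [string]$OutDir = "$env:TEMP\dcom-inventory",
    [string]$Label  = (Get-Date -Format 'yyyyMMdd-HHmmss')
)

function Get-DcomInventory {
    # Friendly names come from Win32_DCOMApplication, keyed by AppID.
    $names = @{}
    Get-CimInstance -ClassName Win32_DCOMApplication |
        ForEach-Object { $names[$_.AppID] = $_.Name }

    # Hosting and identity settings come from Win32_DCOMApplicationSetting.
    Get-CimInstance -ClassName Win32_DCOMApplicationSetting | ForEach-Object {
        [pscustomobject]@{
            AppID               = $_.AppID
            Name                = $names[$_.AppID]
            LocalService        = $_.LocalService      # Windows service hosting the server, if any
            RunAsUser           = $_.RunAsUser         # identity the server runs under
            RemoteServerName    = $_.RemoteServerName  # set when activation is redirected
            AuthenticationLevel = $_.AuthenticationLevel
            UseSurrogate        = $_.UseSurrogate
        }
    }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$file = Join-Path $OutDir "dcom-$Label.csv"
Get-DcomInventory | Sort-Object AppID | Export-Csv -Path $file -NoTypeInformation

# Diff against the most recent earlier snapshot in the same folder, if one exists.
$prev = Get-ChildItem -Path $OutDir -Filter 'dcom-*.csv' |
    Where-Object FullName -ne $file |
    Sort-Object LastWriteTime |
    Select-Object -Last 1

if ($prev) {
    $props = 'AppID','Name','LocalService','RunAsUser',
             'RemoteServerName','AuthenticationLevel','UseSurrogate'
    # '<=' rows exist only in the earlier snapshot, '=>' rows only in the new one.
    Compare-Object (Import-Csv $prev.FullName) (Import-Csv $file) -Property $props |
        Sort-Object AppID |
        Format-Table -AutoSize
}
```

An empty diff means the update left the DCOM registrations untouched, so any behavioural difference between the two builds has to be found in application testing rather than in configuration.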
Every month, Microsoft includes a list of known issues related to the operating system and platforms included in this update cycle. Here are some key issues related to the latest releases from Microsoft:
- Like last month, system and user certificates may be lost when upgrading a device from Windows 10 version 1809 or later to a newer version of Windows 10. Microsoft has not released any advice other than moving to a later version of Windows 10.
- There is a problem with the Japanese input method editor (IME), which is generating incorrect Furigana text. These problems are quite common with Microsoft updates. IMEs are quite complex and have been a problem for Microsoft for years. Expect an update on this Japanese character issue later this year.
- In a related problem, after installing KB4493509, devices with some Asian language packs installed may see the error “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. To resolve this issue, you will need to uninstall and then reinstall your language packs.
There have been multiple reports that ESU systems were unable to complete Windows updates from the past month. If you are running an older system, you will need to purchase an ESU key. Most importantly, you need to activate it (a key step that some have missed). You can learn more about activating your ESU upgrade key online.
You can also find Microsoft’s summary of known issues for this release on a single page.
As of now, for this June cycle, there have been two major revisions to previously released updates:
- CVE-2020-0835: This is an update to the Windows Defender antimalware feature in Windows 10. Windows Defender is updated monthly and usually generates a new CVE entry each time. Therefore, an update to a Defender CVE entry is unusual (rather than just creating a new CVE entry for each month). This update is (thankfully) to the associated documentation. No additional action is required.
- CVE-2021-28455: This hotfix refers to another documentation update related to the Microsoft Jet Red database. This update (unfortunately) adds Microsoft Access 2013 and 2016 to the affected list. If you use the Jet “Red” database (check your middleware), you will have to test and upgrade your systems.
As a side note to the Windows Defender update, given everything that is happening this month (six public exploits!), I recommend that you make sure Defender is up to date. Microsoft has released some additional documentation on how to verify and enforce compliance for Windows Defender. Why not do it now? It’s free and Defender is pretty good.
Mitigations and solutions
So far, it doesn’t appear that Microsoft has released any mitigations or workarounds for this June release.
Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Internet Explorer and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core);
- Adobe (retired ???)
We seem to be back to our usual pace of minimal updates for Microsoft’s browsers, as we only have one update for the Microsoft Chromium project (CVE-2021-33741). Microsoft has rated this browser update as important, as it can only lead to an elevation-of-privilege security issue and requires user interaction. Rather than using the Microsoft Security Portal to get better intelligence on these browser updates, I have found the Microsoft Chromium release notes pages to be a better source of documentation related to patches. Given the nature of how Chrome installs on Windows desktops, we expect very little impact from the update. Add this browser update to your standard release schedule.
Microsoft Windows 10
This month, Microsoft released 27 updates to the Windows ecosystem, with three rated critical and the rest rated important. This is a relatively low number compared to previous months. However (and this is important), I am pretty sure that we have never seen so many vulnerabilities exploited or publicly disclosed. This month there are six confirmed as exploited: CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199 and CVE-2021-31201.
To add to this month’s issues, two vulnerabilities have also been publicly disclosed: CVE-2021-33739 and CVE-2021-31968. This is a lot, especially for a single month. The patch that worries me the most is CVE-2021-33742. It is considered critical as it can lead to arbitrary code execution on the target system and affects a core element of Windows (MSHTML). This web rendering component has been a frequent (and favorite) target of attackers ever since Internet Explorer (IE) was launched. Almost all of the (many, many) security issues and corresponding patches that affected IE were related to the way the MSHTML component interacted with the Windows (Win32) subsystems or, worse, the Microsoft scripting object.
Attacks on this component can lead to deep access to compromised systems and are difficult to debug. Even if we didn’t have all the confirmed or publicly disclosed exploits this month, I would still add this Windows update to the “Patch Now” release schedule.
Like last month, Microsoft released 11 updates rated Important and one rated Critical for this release cycle. Again, we are seeing Microsoft SharePoint updates as the main focus, with the critical patch CVE-2021-31963. Compared to some of the very disturbing news this month for Windows updates, these Office patches are relatively complex to exploit and do not expose highly vulnerable vectors like Outlook preview panes to attack.
There have been a number of informational updates to these patches over the past few days, and it appears that there may be an issue with SharePoint Server blended updates. Microsoft posted the following error: “DataFormWebPart can crash when accessing an external URL and generates ‘8scdc’ event tags in SharePoint Unified Logging System (ULS) logs.” You can get more information about this problem in KB 5004210.
Plan to restart your SharePoint servers and add these Office updates to your standard release schedule.
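To see whether a patched farm is hitting the DataFormWebPart issue, the ULS logs can be searched for the ‘8scdc’ event tag. The following is an added example, not Microsoft's tooling or code from the original article; it assumes the usual tab-separated ULS column order, the `Find-UlsEventTag` helper name is hypothetical, and the sample lines are constructed.

```powershell
# Added example: find ULS log entries carrying a given event tag.
# Assumption: tab-separated ULS columns in the order
#   Timestamp, Process, TID, Area, Category, EventID, Level, Message, Correlation
function Find-UlsEventTag {
    param(
        [string[]]$Line,
        [string]$Tag = '8scdc'   # event tag named in the known issue
    )
    foreach ($l in $Line) {
        $f = $l -split "`t"
        if ($f.Count -lt 9) { continue }          # blank, header-fragment or continuation lines
        if ($f[5].Trim() -ne $Tag) { continue }   # EventID column; ULS pads fields with spaces
        [pscustomobject]@{
            Timestamp   = $f[0].Trim()
            Process     = $f[1].Trim()
            Area        = $f[3].Trim()
            Category    = $f[4].Trim()
            Level       = $f[6].Trim()
            Message     = $f[7].Trim()
            Correlation = $f[8].Trim()
        }
    }
}

# Constructed sample lines (not real log output): one match, one unrelated entry, one blank.
$sample = @(
    "06/10/2021 09:14:02.11 `tw3wp.exe (0x1A2C) `t0x0F34`tSharePoint Foundation `tGeneral `t8scdc `tMedium `tConstructed sample message for DataFormWebPart`t00000000-0000-0000-0000-000000000001",
    "06/10/2021 09:14:02.45 `tw3wp.exe (0x1A2C) `t0x0F34`tSharePoint Foundation `tMonitoring `tzzzz1 `tMedium `tConstructed unrelated entry`t00000000-0000-0000-0000-000000000001",
    ""
)

$hits = @(Find-UlsEventTag -Line $sample)
$hits | Format-Table Timestamp, Process, Category, Message -AutoSize
"{0} entries with the tag" -f $hits.Count

# Against real logs (the directory is a placeholder; use your farm's ULS log location):
# Get-ChildItem '<ULS log directory>\*.log' |
#     ForEach-Object { Find-UlsEventTag -Line (Get-Content $_.FullName) } |
#     Group-Object Correlation | Sort-Object Count -Descending
```

Grouping the hits by correlation ID ties each tagged entry back to the page request that triggered it, which identifies the pages using DataFormWebPart with external URLs.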
There are no Microsoft Exchange updates for this cycle. This is a welcome relief from the past few months where critical updates required urgent patches that have business-wide implications.
Microsoft development platforms
This is an easy month for updates to Microsoft development platforms (.NET and Visual Studio) with only two updates rated as important:
- CVE-2021-31938: A complex and difficult-to-complete attack that requires local access and user interaction when using the Kubernetes tool extensions.
- CVE-2021-31957: This ASP.NET vulnerability is a bit more serious (it affects servers, rather than an extension of the tool). That said, it is still a complex attack that Microsoft has fully resolved.
Add the Visual Studio update to your standard developer release schedule. I would add the ASP.NET update to your priority release schedule due to increased exposure to the internet.