Microsoft’s Patch Tuesday release this week is an important one for the Windows ecosystem: it includes 117 patches that address four publicly reported and four exploited vulnerabilities. The good news: this month’s Microsoft Office and development platform (Visual Studio) patches are relatively straightforward and can be added to standard patch release programs with minimal risk, and there are no browser updates. Unfortunately, we have a really serious printer problem (CVE-2021-34527) whose fix was released out of band (OOB) and has been updated at least twice in the last few days. That means you need to pay immediate attention to Windows updates and add all Windows desktop patches to your “Patch Now” program.
There were several updates throughout the week, and we expect more on the spooler vulnerabilities in the coming days. Unfortunately, this large and wide-ranging series of patches will require significant testing because of the core system and kernel changes that come with it. For more information you can consult the Windows 10 Health Dashboard. You can also find more information about the risk of deploying these Patch Tuesday updates in this infographic.
Key test scenarios
No high-risk changes have been reported on the Windows platform. However, there is a reported functional change and an additional feature added this month:
- Test your printers, in order to potentially stop all necessary spooler services.
- Verify that printing via LOB applications works as expected.
- Test that Word and PowerPoint files can be downloaded and opened.
I think that with the five kernel updates, and a particular focus on the server patch CVE-2021-34458, a complete LOB application test will be required this month.
Every month Microsoft includes a list of known issues related to the operating system and platforms included in the latest update cycle. I have noted some key issues related to the latest releases from Microsoft, including:
- Devices with Windows installations created from custom offline media or custom ISO images may have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. To avoid this issue, be sure to first embed the SSU released on March 29, 2021 or later into your custom offline media or ISO image before embedding the LCU.
- ESU updates (Windows 7 and Server 2008): After installing this update and restarting your device, you may receive the error “Failed to configure Windows updates.” You may receive this notice if you have not activated your ESU MAK add-on key. For more information on activation, see this Microsoft blog post.
Fixed issues with previous patches
- June update: After installing KB5003671 or KB5003681 on Windows 8.1 or Windows Server 2012 R2, applications that access the event logs on remote devices may not be able to connect. This issue can occur if the local or remote device has not yet installed the updates released on June 8, 2021 or later. Affected applications use certain legacy event log APIs. You may receive an error when trying to connect. This was a known issue last June, apparently by design.
At this point in the July update cycle, there have been three major revisions to previously released updates:
- CVE-2021-31940 and CVE-2021-31941: These revisions to previous updates are informational and relate to the availability of Mac desktop software. If you are a Windows user, no further action is required.
- CVE-2020-17049: Microsoft is releasing security updates to implement the enforcement phase for this vulnerability. Active Directory domain controllers are now capable of enforcement mode. At this point, the PerformTicketSignature registry key setting will be ignored and the enforcement mode cannot be overridden. Now you know.
Mitigations and solutions
As of now, it doesn’t appear that Microsoft has released any mitigations or workarounds for this July release.
Each month, we divide the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange.
- Microsoft development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (retired?).
Strictly speaking, there are no browser updates for July Patch Tuesday. However, Microsoft released an update to its Edge browser last June that addressed two vulnerabilities that could lead to elevation of privilege scenarios. As these updates were part of the Chromium project, they were released on June 24 as part of the Edge Stable channel (Version 91.0.864.59). We have not seen any impact on Chromium-dependent browsers or controls as a result of these updates.
If you allow automatic updates for Microsoft Edge, no further action is required at this time. You can read more about these releases on the Microsoft Edge security update page.
Before even starting the discussion about this month’s Windows updates, add all of these Windows updates to your “Patch Now” program. This is a big update from Microsoft, with 90 patches for Windows desktops alone. Nine of these patches are rated critical, all of which relate to the Remote Desktop feature in Windows.
Unfortunately, four vulnerabilities addressed in this update have been publicly disclosed (including CVE-2021-34527), and exploitation of four others in the wild has been reported. Two of these exploited issues relate to Windows kernel elevation of privilege scenarios. This makes it a difficult update to test, given the urgency of the print spooler “crisis” and the need for rapid deployment of these updates. There will be problems with this update.
And we’re not done with the Windows updates for July yet. In fact, Microsoft just released updates to its previously updated patches, with CVE-2021-33481 and CVE-2021-34527 receiving major revisions yesterday. You can read more about the spooler issues on the Microsoft Security Blog. The current recommendation is to disable the spooler service on your servers. This is powerful medicine for what appears to be a very serious problem.
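The spooler recommendation above, as an added example that is not from the original article or from Microsoft: a PowerShell script that reports the Print Spooler service state on the local server and, only when run with the `-Disable` switch (a name chosen for this example), stops and disables it. It assumes it is saved as a script file and run from an elevated session.

```powershell
# Added example: audit and optionally disable the Print Spooler service.
# Assumption: run from an elevated PowerShell session on the server itself.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Hypothetical switch for this example: without it the script only reports.
    [switch]$Disable
)

function Get-SpoolerState {
    # Win32_Service exposes both the running state and the configured start mode.
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Spooler'"
    if (-not $svc) {
        # Some Server Core or hardened images have no spooler installed at all.
        return [pscustomobject]@{
            Computer = $env:COMPUTERNAME; Present = $false
            State = $null; StartMode = $null
        }
    }
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Present   = $true
        State     = $svc.State       # Running / Stopped
        StartMode = $svc.StartMode   # Auto / Manual / Disabled
    }
}

# Always report the state before changing anything.
$before = Get-SpoolerState
$before

if ($Disable -and $before.Present) {
    # ShouldProcess makes -WhatIf and -Confirm work for the change.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Stop and disable Print Spooler')) {
        # -Force also stops services that depend on the spooler.
        Stop-Service -Name Spooler -Force
        # Disabled start type keeps the service from returning after a reboot.
        Set-Service -Name Spooler -StartupType Disabled
        # Report the state again so the change is recorded in the output.
        Get-SpoolerState
    }
}
```

With the service disabled, the server can no longer print or act as a print server until the start type is restored and the service is started again.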
Add this Windows update to your “Patch Now” program and get ready for more urgent updates.
Compared to what is happening in the desktop and server environment this month, the Microsoft Office updates seem relatively benign. Microsoft has released 10 patches that affect all currently supported versions of Office, nine of them rated Important and one rated Moderate by Microsoft. These updates affect the usual suspects, with security vulnerabilities in Word, Excel and SharePoint that could lead to spoofing or elevation of privilege. Add these Microsoft Office updates to your standard patch schedule.
Microsoft Exchange Server
While we don’t see the same concern (and urgency) with Microsoft Exchange that we have seen in recent months, Microsoft has released six updates rated Important and a single update rated Critical (CVE-2021-34473). This critical update addresses a low-complexity network attack that does not require user intervention. It is also Microsoft’s second attempt to resolve this vulnerability (the first attempt was in April), which could lead to arbitrary code execution on the target server. Given this concern, we have added the Microsoft Exchange updates for the month of July to the “Patch Now” program.
Microsoft development platforms
Microsoft has released five updates, all rated Important, to the Microsoft Visual Studio development platform. This month also includes a single GitHub notice (CVE-2021-33767), which is related to the Open Enclave SDK. All of these updates should have minimal impact on their respective platforms and can be added to the standard development upgrade regime.
Microsoft hasn’t released any (additional) updates to the Adobe ecosystem this month. However, given the important and urgent nature of the OOB printer updates, all other patches related to printers and printing should be noted. This month Adobe has released (APSB21-51) 10 critical updates and two additional major updates for all supported versions of Adobe Reader (Acrobat DC, Reader DC, Reader 2020, Acrobat 2017, and Acrobat 2017). Since these patches address reported vulnerabilities that include low-complexity, “no user” remote code execution, we recommend that you add these Adobe Reader updates to your “Patch Now” program.
I’d also like to add that this month’s update, like previous Flash-related updates, will force the removal of Flash from the target system. Performing this update will remove Adobe Flash from the machine.
For more information, see the Update on end of support for Adobe Flash Player.