Report Name: Microsoft Patch Tuesday, July 2021
Generated: 2021-07-14 16:36:58

Product Name	Prevalence	U	C	H	M	L	Comment
Windows SMB	1				1		Windows SMB
Active Directory	0.9			1			Active Directory is a directory service developed by Microsoft for Windows domain networks
Windows Container Isolation FS Filter Driver	0.9				1		Windows Container Isolation FS Filter Driver
Windows DNS Server	0.9			9			Windows DNS Server
Windows Kernel	0.9		2	2	4		Windows Kernel
Windows TCP/IP Driver	0.9			3			A kernel mode driver
Bowser.sys	0.8			1			Windows сomponent
DirectWrite	0.8			1			Windows сomponent
GDI+	0.8				1		GDI+
Media Foundation	0.8				1		Windows component
Microsoft Defender	0.8			2			Anti-malware component of Microsoft Windows
Microsoft Exchange	0.8				1		Exchange
Microsoft Exchange Server	0.8			3	3		Microsoft Exchange Server
Storage Spaces Controller	0.8				6		Storage Spaces Controller
Windows ADFS	0.8			1			Windows component
Windows AF_UNIX Socket Provider	0.8			1			Windows component
Windows Address Book	0.8			1			Windows Address Book
Windows AppX Deployment Extensions	0.8				1		Windows component
Windows Authenticode	0.8				1		Windows component
Windows Certificate	0.8				1		Windows component
Windows Cloud Files Mini Filter Driver	0.8				1		Windows component
Windows Console Driver	0.8				1		Windows Console Driver
Windows DNS Snap-in	0.8			4			Windows component
Windows Event Tracing	0.8				1		Windows Event Tracing
Windows File History Service	0.8				1		Windows component
Windows Font Driver Host	0.8			1			Windows component
Windows GDI	0.8				2		Windows component
Windows HTML Platforms	0.8			1			Windows component
Windows Hello	0.8			1			Windows component
Windows InstallService	0.8				1		Windows component
Windows Installer	0.8				2		Windows Installer
Windows Kernel Memory	0.8				1		Windows component
Windows Key Distribution Center	0.8				1		Windows component
Windows LSA	0.8			2			Windows component
Windows MSHTML Platform	0.8			2			Windows component
Windows Media	0.8			1			Windows component
Windows Media Foundation	0.8			3			Windows Media Foundation
Windows Partition Management Driver	0.8				1		Windows component
Windows Projected File System	0.8				1		Windows component
Windows Remote Access Connection Manager	0.8				7		Windows component
Windows Remote Assistance	0.8				1		Windows component
Windows Secure Kernel Mode	0.8			1			Windows component
Windows Security Account Manager Remote Protocol	0.8			1			Windows component
HEVC Video Extensions	0.7			5			HEVC Video Extensions
Microsoft SharePoint	0.7			3	2		Microsoft SharePoint
Raw Image Extension	0.7			1			Raw Image Extension
Windows Desktop Bridge	0.7				1		Windows Desktop Bridge
Microsoft Excel	0.6			2			MS Office product
Microsoft Office	0.6			1			Microsoft Office
Microsoft Scripting Engine	0.6			1			Microsoft Scripting Engine
Microsoft Word	0.6			1			MS Office product
Windows Hyper-V	0.6			1	2		Hardware virtualization component of the client editions of Windows NT
Dynamics Business Central	0.4				1		Dynamics Business Central
Microsoft Office Online Server	0.3				1		Microsoft Office Online Server
Microsoft Visual Studio	0.3				1		Microsoft Visual Studio
Open Enclave SDK	0.3				1		Open Enclave SDK
Power BI	0.3				1		Power BI
Visual Studio Code	0.3				2		Integrated development environment
Visual Studio Code .NET Runtime	0.3				1		Integrated development environment
Microsoft Bing Search	0.2					1	Microsoft Bing Search
Windows AppContainer	0				1		Unclassified Product

Vulnerability Type	Criticality	U	C	H	M	L	Comment
Remote Code Execution	1.0			38	4		Remote Code Execution
Security Feature Bypass	0.9			8			Security Feature Bypass
Denial of Service	0.7			10	2		Denial of Service
Memory Corruption	0.6			1			Memory Corruption
Elevation of Privilege	0.5		2		30		Elevation of Privilege
Information Disclosure	0.4				14		Information Disclosure
Spoofing	0.4				6	1	Spoofing

Urgent (0)

Critical (2)

1. Elevation of Privilege - Windows Kernel (CVE-2021-31979) - Critical [622]

Description:

qualys: CVE-2021-31979 – Windows Kernel Elevation of Privilege Vulnerability

tenable: CVE-2021-31979 and CVE-2021-33771 are EoP vulnerabilities in the Windows kernel. Both vulnerabilities received a CVSSv3 score of 7.8 and have been exploited in the wild as zero-days, according to Microsoft’s Threat Intelligence Center and Security Response Center. A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero.

2. Elevation of Privilege - Windows Kernel (CVE-2021-33771) - Critical [622]

Description:

tenable: CVE-2021-31979 and CVE-2021-33771 are EoP vulnerabilities in the Windows kernel. Both vulnerabilities received a CVSSv3 score of 7.8 and have been exploited in the wild as zero-days, according to Microsoft’s Threat Intelligence Center and Security Response Center. A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero.

High (57)

3. Memory Corruption - Microsoft Scripting Engine (CVE-2021-34448) - High [572]

Description:

qualys: CVE-2021-34448 – Scripting Engine Memory Corruption Vulnerability

tenable: CVE-2021-34448 is a memory corruption vulnerability in the Microsoft Scripting Engine which has been exploited in the wild as a zero-day, according to Microsoft. An attacker would need to entice a victim into visiting a malicious website in order to successfully exploit this vulnerability. Because exploitation requires user interaction, this vulnerability only received a CVSSv3 score of 6.8.

rapid7: Exploitation of CVE-2021-34448 has been observed in the wild by researchers. There are no details on the frequency or spread of this exploit. This vulnerability requires the user to visit a link to download a malicious file. As with other vulnerabilities that require user interaction, strong security hygiene is the first line of defense.

zdi: CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability. This bug is also listed as under active exploit, but there’s no indication of how widespread the attack is. The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.

4. Remote Code Execution - Windows Kernel (CVE-2021-34458) - High [508]

Description:

zdi: CVE-2021-34458 - Windows Kernel Remote Code Execution Vulnerability. It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.

5. Remote Code Execution - Windows DNS Server (CVE-2021-33780) - High [494]

Description:

qualys: CVE-2021-33780 – Windows DNS Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing a critical RCE vulnerability in DNS Server (CVE-2021-33780). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.

tenable: CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities found in Windows DNS Server. While CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0, the remainder were scored as 8.8 because user interaction is not required. Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server, though the remaining CVEs do not provide this clarity. Even without the clarification on these CVEs, we recommend applying the necessary cumulative patches to all applicable hosts.

rapid7: Administrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are CVE-2021-34494 and CVE-2021-33780. Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network. Given the network exposure of DNS servers these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists CVE-2021-33780 as “Exploitation More Likely” so it may only be a matter of time before attackers attempt to make use of these flaws.

6. Remote Code Execution - Windows DNS Server (CVE-2021-34494) - High [494]

Description:

qualys: CVE-2021-34494 – Windows DNS Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing a critical RCE vulnerability in Windows DNS Server (CVE-2021-34494). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor. This is only exploitable to DNS servers only; however, it could allow remote code execution without user interaction.

tenable: CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities found in Windows DNS Server. While CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0, the remainder were scored as 8.8 because user interaction is not required. Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server, though the remaining CVEs do not provide this clarity. Even without the clarification on these CVEs, we recommend applying the necessary cumulative patches to all applicable hosts.

rapid7: Administrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are CVE-2021-34494 and CVE-2021-33780. Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network. Given the network exposure of DNS servers these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists CVE-2021-33780 as “Exploitation More Likely” so it may only be a matter of time before attackers attempt to make use of these flaws.

zdi: CVE-2021-34494 - Windows DNS Server Remote Code Execution Vulnerability. This bug is currently not under active attack, but considering the severity, there are those who will work to change that status. This bug could allow remote code execution at a privileged service level on a listening network port without user interaction. Microsoft does mention low privileges are needed, but depending on the server configuration, these could be easily gained. This bug is restricted to DNS Servers only, but if there’s one system you don’t want wormed, it’s probably your DNS server. Definitely test and deploy this one quickly.

7. Remote Code Execution - Windows Kernel (CVE-2021-34508) - High [494]

Description:

8. Remote Code Execution - Windows DNS Server (CVE-2021-34525) - High [494]

Description:

tenable: CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities found in Windows DNS Server. While CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0, the remainder were scored as 8.8 because user interaction is not required. Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server, though the remaining CVEs do not provide this clarity. Even without the clarification on these CVEs, we recommend applying the necessary cumulative patches to all applicable hosts.

9. Remote Code Execution - Windows DNS Server (CVE-2021-33746) - High [481]

Description:

tenable: CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities found in Windows DNS Server. While CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0, the remainder were scored as 8.8 because user interaction is not required. Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server, though the remaining CVEs do not provide this clarity. Even without the clarification on these CVEs, we recommend applying the necessary cumulative patches to all applicable hosts.

10. Remote Code Execution - Windows DNS Server (CVE-2021-33754) - High [481]

Description:

tenable: CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities found in Windows DNS Server. While CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0, the remainder were scored as 8.8 because user interaction is not required. Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server, though the remaining CVEs do not provide this clarity. Even without the clarification on these CVEs, we recommend applying the necessary cumulative patches to all applicable hosts.

11. Remote Code Execution - Windows DNS Snap-in (CVE-2021-33749) - High [475]

Description:

12. Remote Code Execution - Windows DNS Snap-in (CVE-2021-33750) - High [475]

Description:

13. Remote Code Execution - Windows DNS Snap-in (CVE-2021-33752) - High [475]

Description:

14. Remote Code Execution - Windows DNS Snap-in (CVE-2021-33756) - High [475]

Description:

15. Remote Code Execution - Microsoft Exchange Server (CVE-2021-34473) - High [475]

Description:

tenable: CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 are RCE vulnerabilities in Microsoft Exchange Server. CVE-2021-34473 is the highest rated, receiving a CVSSv3 score of 9.1 and is more likely to be exploited according to Microsoft’s Exploitability Index. It was also patched as part of the April 2021 Patch Tuesday release, though Microsoft says the CVE was “inadvertently omitted” from the security update guide despite being patched. Exchange Server has become a very popular target since March, when Microsoft patched four zero-day vulnerabilities, including CVE-2021-26855 (ProxyLogon) in an out-of-band release. In fact, CVE-2021-31196 was disclosed to Microsoft by Orange Tsai of the DEVCORE team, who was also responsible for disclosing ProxyLogon and other Exchange Server vulnerabilities earlier this year. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

tenable: CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server first before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was omitted from its release notes inadvertently. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

16. Remote Code Execution - Microsoft Exchange Server (CVE-2021-31206) - High [462]

Description:

tenable: CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 are RCE vulnerabilities in Microsoft Exchange Server. CVE-2021-34473 is the highest rated, receiving a CVSSv3 score of 9.1 and is more likely to be exploited according to Microsoft’s Exploitability Index. It was also patched as part of the April 2021 Patch Tuesday release, though Microsoft says the CVE was “inadvertently omitted” from the security update guide despite being patched. Exchange Server has become a very popular target since March, when Microsoft patched four zero-day vulnerabilities, including CVE-2021-26855 (ProxyLogon) in an out-of-band release. In fact, CVE-2021-31196 was disclosed to Microsoft by Orange Tsai of the DEVCORE team, who was also responsible for disclosing ProxyLogon and other Exchange Server vulnerabilities earlier this year. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

zdi: Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new. One of the new ones is CVE-2021-31206, which was disclosed during the last Pwn2Own contest. There are also new patches for elevation of privilege bugs that could be exploited in a man-in-the-middle attack or be network adjacent. The real surprise in this month’s Exchange patches are the three bugs patched in April but not documented until today. Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.

17. Remote Code Execution - Windows Media (CVE-2021-33740) - High [462]

Description:

18. Remote Code Execution - Windows Font Driver Host (CVE-2021-34438) - High [462]

Description:

19. Remote Code Execution - Windows Media Foundation (CVE-2021-34439) - High [462]

Description:

20. Remote Code Execution - Windows Media Foundation (CVE-2021-34441) - High [462]

Description:

21. Remote Code Execution - Microsoft Defender (CVE-2021-34464) - High [462]

Description:

tenable: CVE-2021-34464 and CVE-2021-34522 are RCE vulnerabilities in the Microsoft Malware Protection Engine. Both of these vulnerabilities received CVSSv3 scores of 7.8 and are rated as “Exploitation Less Likely,” but we chose to highlight them due to in-the-wild exploitation of a similar flaw, CVE-2021-1647, in January. While CVE-2021-1647 was a zero-day, the ubiquity of Microsoft Defender makes this a noteworthy vulnerability. Fortunately, Microsoft Defender automatically updates in most configurations, limiting the impact of this vulnerability. Microsoft does recommend, and provide guidance for, confirming that automatic updates are working.

22. Remote Code Execution - DirectWrite (CVE-2021-34489) - High [462]

Description:

qualys: CVE-2021-34489 – DirectWrite Remote Code Execution Vulnerability

23. Remote Code Execution - Windows Media Foundation (CVE-2021-34503) - High [462]

Description:

24. Remote Code Execution - Windows Address Book (CVE-2021-34504) - High [462]

Description:

25. Remote Code Execution - Microsoft Defender (CVE-2021-34522) - High [462]

Description:

tenable: CVE-2021-34464 and CVE-2021-34522 are RCE vulnerabilities in the Microsoft Malware Protection Engine. Both of these vulnerabilities received CVSSv3 scores of 7.8 and are rated as “Exploitation Less Likely,” but we chose to highlight them due to in-the-wild exploitation of a similar flaw, CVE-2021-1647, in January. While CVE-2021-1647 was a zero-day, the ubiquity of Microsoft Defender makes this a noteworthy vulnerability. Fortunately, Microsoft Defender automatically updates in most configurations, limiting the impact of this vulnerability. Microsoft does recommend, and provide guidance for, confirming that automatic updates are working.

26. Security Feature Bypass - Active Directory (CVE-2021-33781) - High [460]

Description:

27. Remote Code Execution - Microsoft Exchange Server (CVE-2021-31196) - High [448]

Description:

tenable: CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 are RCE vulnerabilities in Microsoft Exchange Server. CVE-2021-34473 is the highest rated, receiving a CVSSv3 score of 9.1 and is more likely to be exploited according to Microsoft’s Exploitability Index. It was also patched as part of the April 2021 Patch Tuesday release, though Microsoft says the CVE was “inadvertently omitted” from the security update guide despite being patched. Exchange Server has become a very popular target since March, when Microsoft patched four zero-day vulnerabilities, including CVE-2021-26855 (ProxyLogon) in an out-of-band release. In fact, CVE-2021-31196 was disclosed to Microsoft by Orange Tsai of the DEVCORE team, who was also responsible for disclosing ProxyLogon and other Exchange Server vulnerabilities earlier this year. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

28. Remote Code Execution - Windows MSHTML Platform (CVE-2021-34447) - High [448]

Description:

29. Remote Code Execution - Windows MSHTML Platform (CVE-2021-34497) - High [448]

Description:

30. Remote Code Execution - HEVC Video Extensions (CVE-2021-31947) - High [443]

Description:

31. Remote Code Execution - HEVC Video Extensions (CVE-2021-33775) - High [443]

Description:

32. Remote Code Execution - HEVC Video Extensions (CVE-2021-33776) - High [443]

Description:

33. Remote Code Execution - HEVC Video Extensions (CVE-2021-33777) - High [443]

Description:

34. Remote Code Execution - HEVC Video Extensions (CVE-2021-33778) - High [443]

Description:

35. Remote Code Execution - Microsoft SharePoint (CVE-2021-34520) - High [443]

Description:

qualys: Microsoft released patches addressing critical RCE vulnerabilities in SharePoint Server (CVE-2021-34467, CVE-2021-34468). These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, CVE-2021-34520 should be prioritized for patching.

36. Remote Code Execution - Raw Image Extension (CVE-2021-34521) - High [443]

Description:

37. Security Feature Bypass - Windows ADFS (CVE-2021-33779) - High [441]

Description:

38. Security Feature Bypass - Windows LSA (CVE-2021-33786) - High [441]

Description:

39. Security Feature Bypass - Windows HTML Platforms (CVE-2021-34446) - High [441]

Description:

40. Remote Code Execution - Microsoft SharePoint (CVE-2021-34467) - High [429]

Description:

qualys: CVE-2021-34467, CVE-2021-34468 – Microsoft SharePoint Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing critical RCE vulnerabilities in SharePoint Server (CVE-2021-34467, CVE-2021-34468). These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, CVE-2021-34520 should be prioritized for patching.

41. Remote Code Execution - Microsoft SharePoint (CVE-2021-34468) - High [429]

Description:

qualys: CVE-2021-34467, CVE-2021-34468 – Microsoft SharePoint Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing critical RCE vulnerabilities in SharePoint Server (CVE-2021-34467, CVE-2021-34468). These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, CVE-2021-34520 should be prioritized for patching.

42. Remote Code Execution - Windows Hyper-V (CVE-2021-34450) - High [424]

Description:

tenable: CVE-2021-34450 is an RCE vulnerability in Windows Hyper-V, which would allow an attacker who is authenticated to a guest virtual machine (VM) to send crafted requests to execute arbitrary code on the host machine. While Microsoft rates this as “Exploitation Less Likely,” it is important to consider that malware variants commonly look to escape VMs and infect the host machine, so patching this flaw should remain a priority despite Microsoft’s risk assessment.

43. Remote Code Execution - Microsoft Word (CVE-2021-34452) - High [424]

Description:

44. Remote Code Execution - Microsoft Excel (CVE-2021-34501) - High [424]

Description:

45. Remote Code Execution - Microsoft Excel (CVE-2021-34518) - High [424]

Description:

46. Denial of Service - Windows TCP/IP Driver (CVE-2021-31183) - High [420]

Description:

47. Denial of Service - Windows TCP/IP Driver (CVE-2021-33772) - High [420]

Description:

48. Denial of Service - Windows DNS Server (CVE-2021-34442) - High [420]

Description:

49. Denial of Service - Windows TCP/IP Driver (CVE-2021-34490) - High [420]

Description:

50. Security Feature Bypass - Windows Hello (CVE-2021-34466) - High [414]

Description:

51. Denial of Service - Windows DNS Server (CVE-2021-33745) - High [406]

Description:

52. Denial of Service - Windows DNS Server (CVE-2021-34444) - High [406]

Description:

53. Denial of Service - Windows DNS Server (CVE-2021-34499) - High [406]

Description:

54. Security Feature Bypass - Microsoft Office (CVE-2021-34469) - High [404]

Description:

55. Security Feature Bypass - Windows Secure Kernel Mode (CVE-2021-33744) - High [401]

Description:

56. Security Feature Bypass - Windows Security Account Manager Remote Protocol (CVE-2021-33757) - High [401]

Description:

57. Denial of Service - Windows AF_UNIX Socket Provider (CVE-2021-33785) - High [401]

Description:

58. Denial of Service - Windows LSA (CVE-2021-33788) - High [401]

Description:

59. Denial of Service - Bowser.sys (CVE-2021-34476) - High [401]

Description:

Medium (56)

60. Remote Code Execution - Dynamics Business Central (CVE-2021-34474) - Medium [386]

Description:

61. Elevation of Privilege - Windows Container Isolation FS Filter Driver (CVE-2021-34461) - Medium [379]

Description:

62. Elevation of Privilege - Windows Kernel (CVE-2021-34514) - Medium [379]

Description:

63. Elevation of Privilege - Windows Kernel (CVE-2021-34516) - Medium [379]

Description:

64. Elevation of Privilege - Microsoft Exchange Server (CVE-2021-34523) - Medium [374]

Description:

tenable: CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server first before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was omitted from its release notes inadvertently. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

65. Remote Code Execution - Power BI (CVE-2021-31984) - Medium [367]

Description:

66. Remote Code Execution - Visual Studio Code (CVE-2021-34528) - Medium [367]

Description:

67. Remote Code Execution - Visual Studio Code (CVE-2021-34529) - Medium [367]

Description:

68. Elevation of Privilege - Windows Kernel (CVE-2021-34449) - Medium [366]

Description:

69. Information Disclosure - Windows SMB (CVE-2021-33783) - Medium [364]

Description:

70. Denial of Service - Windows Hyper-V (CVE-2021-33758) - Medium [363]

Description:

71. Elevation of Privilege - Windows Projected File System (CVE-2021-33743) - Medium [360]

Description:

72. Elevation of Privilege - Windows Remote Access Connection Manager (CVE-2021-33761) - Medium [360]

Description:

73. Elevation of Privilege - Microsoft Exchange Server (CVE-2021-33768) - Medium [360]

Description:

tenable: CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server first before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was omitted from its release notes inadvertently. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

74. Elevation of Privilege - Windows Remote Access Connection Manager (CVE-2021-33773) - Medium [360]

Description:

75. Elevation of Privilege - Windows Cloud Files Mini Filter Driver (CVE-2021-33784) - Medium [360]

Description:

76. Elevation of Privilege - Windows Remote Access Connection Manager (CVE-2021-34445) - Medium [360]

Description:

77. Elevation of Privilege - Windows File History Service (CVE-2021-34455) - Medium [360]

Description:

78. Elevation of Privilege - Windows Remote Access Connection Manager (CVE-2021-34456) - Medium [360]

Description:

79. Elevation of Privilege - Storage Spaces Controller (CVE-2021-34460) - Medium [360]

Description:

80. Elevation of Privilege - Microsoft Exchange Server (CVE-2021-34470) - Medium [360]

Description:

tenable: CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server first before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was omitted from its release notes inadvertently. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

81. Elevation of Privilege - Windows Console Driver (CVE-2021-34488) - Medium [360]

Description:

82. Elevation of Privilege - Windows GDI (CVE-2021-34498) - Medium [360]

Description:

83. Elevation of Privilege - Storage Spaces Controller (CVE-2021-34510) - Medium [360]

Description:

84. Elevation of Privilege - Windows Installer (CVE-2021-34511) - Medium [360]

Description:

85. Elevation of Privilege - Storage Spaces Controller (CVE-2021-34512) - Medium [360]

Description:

86. Elevation of Privilege - Storage Spaces Controller (CVE-2021-34513) - Medium [360]

Description:

87. Elevation of Privilege - Storage Spaces Controller (CVE-2021-33751) - Medium [347]

Description:

88. Elevation of Privilege - Windows Event Tracing (CVE-2021-33774) - Medium [347]

Description:

89. Elevation of Privilege - Windows AppX Deployment Extensions (CVE-2021-34462) - Medium [347]

Description:

90. Elevation of Privilege - Windows Partition Management Driver (CVE-2021-34493) - Medium [347]

Description:

91. Elevation of Privilege - Windows Desktop Bridge (CVE-2021-33759) - Medium [341]

Description:

92. Spoofing - Windows Certificate (CVE-2021-34492) - Medium [340]

Description:

93. Denial of Service - Windows Hyper-V (CVE-2021-33755) - Medium [336]

Description:

94. Elevation of Privilege - Windows InstallService (CVE-2021-31961) - Medium [333]

Description:

95. Information Disclosure - Windows Kernel (CVE-2021-34491) - Medium [332]

Description:

96. Information Disclosure - Microsoft Exchange (CVE-2021-33766) - Medium [327]

Description:

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

97. Information Disclosure - Windows Remote Assistance (CVE-2021-34507) - Medium [327]

Description:

98. Information Disclosure - Media Foundation (CVE-2021-33760) - Medium [313]

Description:

99. Information Disclosure - Windows Remote Access Connection Manager (CVE-2021-33763) - Medium [313]

Description:

100. Information Disclosure - Windows Key Distribution Center (CVE-2021-33764) - Medium [313]

Description:

101. Spoofing - Windows Installer (CVE-2021-33765) - Medium [313]

Description:

102. Spoofing - Windows Authenticode (CVE-2021-33782) - Medium [313]

Description:

103. Information Disclosure - GDI+ (CVE-2021-34440) - Medium [313]

Description:

104. Information Disclosure - Windows Remote Access Connection Manager (CVE-2021-34454) - Medium [313]

Description:

105. Information Disclosure - Windows Remote Access Connection Manager (CVE-2021-34457) - Medium [313]

Description:

106. Information Disclosure - Windows GDI (CVE-2021-34496) - Medium [313]

Description:

107. Information Disclosure - Windows Kernel Memory (CVE-2021-34500) - Medium [313]

Description:

108. Information Disclosure - Storage Spaces Controller (CVE-2021-34509) - Medium [313]

Description:

109. Spoofing - Microsoft SharePoint (CVE-2021-34517) - Medium [281]

Description:

110. Information Disclosure - Microsoft SharePoint (CVE-2021-34519) - Medium [281]

Description:

111. Elevation of Privilege - Open Enclave SDK (CVE-2021-33767) - Medium [266]

Description:

112. Elevation of Privilege - Visual Studio Code .NET Runtime (CVE-2021-34477) - Medium [266]

Description:

113. Spoofing - Microsoft Visual Studio (CVE-2021-34479) - Medium [245]

Description:

114. Elevation of Privilege - Windows AppContainer (CVE-2021-34459) - Medium [209]

Description:

115. Spoofing - Microsoft Office Online Server (CVE-2021-34451) - Medium [205]

Description:

Low (1)

116. Spoofing - Microsoft Bing Search (CVE-2021-33753) - Low [186]

Description:

Exploitation in the wild detected (3)

Elevation of Privilege (2)

• Windows Kernel (CVE-2021-31979, CVE-2021-33771)

qualys: CVE-2021-31979 – Windows Kernel Elevation of Privilege Vulnerability

tenable: CVE-2021-31979 and CVE-2021-33771 are EoP vulnerabilities in the Windows kernel. Both vulnerabilities received a CVSSv3 score of 7.8 and have been exploited in the wild as zero-days, according to Microsoft’s Threat Intelligence Center and Security Response Center. A local, authenticated attacker could exploit these vulnerabilities to run processes with elevated permissions. Similar zero-day vulnerabilities were patched in April 2020, which were observed under active exploitation by Google Project Zero.

Memory Corruption (1)

• Microsoft Scripting Engine (CVE-2021-34448)

qualys: CVE-2021-34448 – Scripting Engine Memory Corruption Vulnerability

tenable: CVE-2021-34448 is a memory corruption vulnerability in the Microsoft Scripting Engine which has been exploited in the wild as a zero-day, according to Microsoft. An attacker would need to entice a victim into visiting a malicious website in order to successfully exploit this vulnerability. Because exploitation requires user interaction, this vulnerability only received a CVSSv3 score of 6.8.

rapid7: Exploitation of CVE-2021-34448 has been observed in the wild by researchers. There are no details on the frequency or spread of this exploit. This vulnerability requires the user to visit a link to download a malicious file. As with other vulnerabilities that require user interaction, strong security hygiene is the first line of defense.

zdi: CVE-2021-34448 - Scripting Engine Memory Corruption Vulnerability. This bug is also listed as under active exploit, but there’s no indication of how widespread the attack is. The vulnerability allows an attacker to execute their code on an affected system if a user browses to a specially crafted website. The code execution would occur at the logged-on user level. This is also a case where CVSS doesn’t quite offer a true glimpse of the threat. Microsoft lists the attack complexity as high, which knocks this from a high severity (>8) to a medium severity (6.8). However, if there are already active attacks, does complexity matter? Regardless, treat this as critical since it could allow code execution on every supported version of Windows.

Public exploit exists, but exploitation in the wild is NOT detected (0)

Other Vulnerabilities (113)

Remote Code Execution (42)

• Windows Kernel (CVE-2021-34458, CVE-2021-34508)

zdi: CVE-2021-34458 - Windows Kernel Remote Code Execution Vulnerability. It’s rare to see remote code execution in a kernel bug, but this is that rare exception. This bug impacts systems hosting virtual machines with single root input/output virtualization (SR-IOV) devices. It’s not clear how widespread this configuration is, but considering this bug rates as a CVSS 9.9, it’s not one to ignore. If you have virtual machines in your environment, test and patch quickly.

• Windows DNS Server (CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494, CVE-2021-34525)

qualys: CVE-2021-34494 – Windows DNS Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing a critical RCE vulnerability in Windows DNS Server (CVE-2021-34494). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor. This is only exploitable to DNS servers only; however, it could allow remote code execution without user interaction.

qualys: CVE-2021-33780 – Windows DNS Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing a critical RCE vulnerability in DNS Server (CVE-2021-33780). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.

tenable: CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34494 and CVE-2021-34525 are RCE vulnerabilities found in Windows DNS Server. While CVE-2021-33746 and CVE-2021-33754 were given CVSSv3 scores of 8.0, the remainder were scored as 8.8 because user interaction is not required. Based on the scores provided, exploitation of these flaws would require a low privileged account, presumably with the ability to send crafted DNS requests across the network, to target an affected DNS Server. Microsoft specifically calls out in the advisories for CVE-2021-33780 and CVE-2021-34494 that a host is only affected if it is configured as a DNS server, though the remaining CVEs do not provide this clarity. Even without the clarification on these CVEs, we recommend applying the necessary cumulative patches to all applicable hosts.

rapid7: Administrators should focus their efforts on the 11 vulnerabilities in Windows DNS server to reduce the most risk. The two most important of these vulnerabilities are CVE-2021-34494 and CVE-2021-33780. Exploitation of either of these vulnerabilities would result in Remote Code Execution with SYSTEM privileges without any user interaction via the network. Given the network exposure of DNS servers these vulnerabilities could prove to be troublesome if an exploit were to be developed. Microsoft lists CVE-2021-33780 as “Exploitation More Likely” so it may only be a matter of time before attackers attempt to make use of these flaws.

zdi: CVE-2021-34494 - Windows DNS Server Remote Code Execution Vulnerability. This bug is currently not under active attack, but considering the severity, there are those who will work to change that status. This bug could allow remote code execution at a privileged service level on a listening network port without user interaction. Microsoft does mention low privileges are needed, but depending on the server configuration, these could be easily gained. This bug is restricted to DNS Servers only, but if there’s one system you don’t want wormed, it’s probably your DNS server. Definitely test and deploy this one quickly.

• Microsoft Exchange Server (CVE-2021-31196, CVE-2021-31206, CVE-2021-34473)

tenable: CVE-2021-31196, CVE-2021-31206 and CVE-2021-34473 are RCE vulnerabilities in Microsoft Exchange Server. CVE-2021-34473 is the highest rated, receiving a CVSSv3 score of 9.1 and is more likely to be exploited according to Microsoft’s Exploitability Index. It was also patched as part of the April 2021 Patch Tuesday release, though Microsoft says the CVE was “inadvertently omitted” from the security update guide despite being patched. Exchange Server has become a very popular target since March, when Microsoft patched four zero-day vulnerabilities, including CVE-2021-26855 (ProxyLogon) in an out-of-band release. In fact, CVE-2021-31196 was disclosed to Microsoft by Orange Tsai of the DEVCORE team, who was also responsible for disclosing ProxyLogon and other Exchange Server vulnerabilities earlier this year. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

tenable: CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server first before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was omitted from its release notes inadvertently. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

zdi: Looking at the remaining patches, you’ll note seven patches for Exchange Server, but only some of these are actually new. One of the new ones is CVE-2021-31206, which was disclosed during the last Pwn2Own contest. There are also new patches for elevation of privilege bugs that could be exploited in a man-in-the-middle attack or be network adjacent. The real surprise in this month’s Exchange patches are the three bugs patched in April but not documented until today. Silent patches have caused many problems in the past and represent significant risks to enterprises. While the goal should be for administrators to install every patch, this is simply not feasible for most networks. Network defenders need as much information as possible to prioritize their resources. If they are not provided guidance on installing the patch, or information from the vendor on the severity of the patch, their uninformed decision could have negative consequences.

• Windows DNS Snap-in (CVE-2021-33749, CVE-2021-33750, CVE-2021-33752, CVE-2021-33756)
• DirectWrite (CVE-2021-34489)

qualys: CVE-2021-34489 – DirectWrite Remote Code Execution Vulnerability

• Microsoft Defender (CVE-2021-34464, CVE-2021-34522)

tenable: CVE-2021-34464 and CVE-2021-34522 are RCE vulnerabilities in the Microsoft Malware Protection Engine. Both of these vulnerabilities received CVSSv3 scores of 7.8 and are rated as “Exploitation Less Likely,” but we chose to highlight them due to in-the-wild exploitation of a similar flaw, CVE-2021-1647, in January. While CVE-2021-1647 was a zero-day, the ubiquity of Microsoft Defender makes this a noteworthy vulnerability. Fortunately, Microsoft Defender automatically updates in most configurations, limiting the impact of this vulnerability. Microsoft does recommend, and provide guidance for, confirming that automatic updates are working.

• Windows Address Book (CVE-2021-34504)
• Windows Font Driver Host (CVE-2021-34438)
• Windows Media (CVE-2021-33740)
• Windows Media Foundation (CVE-2021-34439, CVE-2021-34441, CVE-2021-34503)
• Windows MSHTML Platform (CVE-2021-34447, CVE-2021-34497)
• HEVC Video Extensions (CVE-2021-31947, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778)
• Microsoft SharePoint (CVE-2021-34467, CVE-2021-34468, CVE-2021-34520)

qualys: CVE-2021-34467, CVE-2021-34468 – Microsoft SharePoint Server Remote Code Execution Vulnerability

qualys: Microsoft released patches addressing critical RCE vulnerabilities in SharePoint Server (CVE-2021-34467, CVE-2021-34468). These CVEs have a high likelihood of exploitability and are assigned a CVSSv3 base score of 7.1 by the vendor. Along with these patches, CVE-2021-34520 should be prioritized for patching.

• Raw Image Extension (CVE-2021-34521)
• Microsoft Excel (CVE-2021-34501, CVE-2021-34518)
• Microsoft Word (CVE-2021-34452)
• Windows Hyper-V (CVE-2021-34450)

tenable: CVE-2021-34450 is an RCE vulnerability in Windows Hyper-V, which would allow an attacker who is authenticated to a guest virtual machine (VM) to send crafted requests to execute arbitrary code on the host machine. While Microsoft rates this as “Exploitation Less Likely,” it is important to consider that malware variants commonly look to escape VMs and infect the host machine, so patching this flaw should remain a priority despite Microsoft’s risk assessment.

• Dynamics Business Central (CVE-2021-34474)
• Power BI (CVE-2021-31984)
• Visual Studio Code (CVE-2021-34528, CVE-2021-34529)

Security Feature Bypass (8)

• Active Directory (CVE-2021-33781)
• Windows ADFS (CVE-2021-33779)
• Windows HTML Platforms (CVE-2021-34446)
• Windows LSA (CVE-2021-33786)
• Windows Hello (CVE-2021-34466)
• Microsoft Office (CVE-2021-34469)
• Windows Secure Kernel Mode (CVE-2021-33744)
• Windows Security Account Manager Remote Protocol (CVE-2021-33757)

Denial of Service (12)

• Windows DNS Server (CVE-2021-33745, CVE-2021-34442, CVE-2021-34444, CVE-2021-34499)
• Windows TCP/IP Driver (CVE-2021-31183, CVE-2021-33772, CVE-2021-34490)
• Bowser.sys (CVE-2021-34476)
• Windows AF_UNIX Socket Provider (CVE-2021-33785)
• Windows LSA (CVE-2021-33788)
• Windows Hyper-V (CVE-2021-33755, CVE-2021-33758)

Elevation of Privilege (30)

• Windows Container Isolation FS Filter Driver (CVE-2021-34461)
• Windows Kernel (CVE-2021-34449, CVE-2021-34514, CVE-2021-34516)
• Microsoft Exchange Server (CVE-2021-33768, CVE-2021-34470, CVE-2021-34523)

tenable: CVE-2021-33768, CVE-2021-34470 and CVE-2021-34523 are EoP vulnerabilities in Microsoft Exchange Server. CVE-2021-34523 is the highest rated Exchange Server EoP, receiving a CVSSv3 score of 9.0, though it is less likely to be exploited according to Microsoft’s Exploitability Index, as an attacker would need to have already established a presence on the vulnerable Exchange Server first before they could elevate privileges. Just like CVE-2021-34473, CVE-2021-34523 was patched as part of the April 2021 Patch Tuesday release and is another vulnerability that Microsoft says was omitted from its release notes inadvertently. CVE-2021-33768 was also disclosed to Microsoft by Orange Tsai. For organizations that run Exchange Server on-prem, it is important to apply available patches sooner rather than later, especially with the increased targeting of vulnerable servers.

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

• Storage Spaces Controller (CVE-2021-33751, CVE-2021-34460, CVE-2021-34510, CVE-2021-34512, CVE-2021-34513)
• Windows Cloud Files Mini Filter Driver (CVE-2021-33784)
• Windows Console Driver (CVE-2021-34488)
• Windows File History Service (CVE-2021-34455)
• Windows GDI (CVE-2021-34498)
• Windows Installer (CVE-2021-34511)
• Windows Projected File System (CVE-2021-33743)
• Windows Remote Access Connection Manager (CVE-2021-33761, CVE-2021-33773, CVE-2021-34445, CVE-2021-34456)
• Windows AppX Deployment Extensions (CVE-2021-34462)
• Windows Event Tracing (CVE-2021-33774)
• Windows Partition Management Driver (CVE-2021-34493)
• Windows Desktop Bridge (CVE-2021-33759)
• Windows InstallService (CVE-2021-31961)
• Open Enclave SDK (CVE-2021-33767)
• Visual Studio Code .NET Runtime (CVE-2021-34477)
• Windows AppContainer (CVE-2021-34459)

Information Disclosure (14)

• Windows SMB (CVE-2021-33783)
• Windows Kernel (CVE-2021-34491)
• Microsoft Exchange (CVE-2021-33766)

rapid7: Only 4 of the 7 Exchange CVEs being disclosed this month are new. The two most severe vulnerabilities were patched in back in April and were mistakenly not disclosed. This means that if you applied the April 2021 updates you will not need to take any action for CVE-2021-34473, CVE-2021-34523, or CVE-2021-33766. Of the 4 newly patched vulnerabilities the most notable is CVE-2021-31206, a remote code execution flaw discovered in the recent Pwn2Own competition.

• Windows Remote Assistance (CVE-2021-34507)
• GDI+ (CVE-2021-34440)
• Media Foundation (CVE-2021-33760)
• Storage Spaces Controller (CVE-2021-34509)
• Windows GDI (CVE-2021-34496)
• Windows Kernel Memory (CVE-2021-34500)
• Windows Key Distribution Center (CVE-2021-33764)
• Windows Remote Access Connection Manager (CVE-2021-33763, CVE-2021-34454, CVE-2021-34457)
• Microsoft SharePoint (CVE-2021-34519)

Spoofing (7)

• Windows Certificate (CVE-2021-34492)
• Windows Authenticode (CVE-2021-33782)
• Windows Installer (CVE-2021-33765)
• Microsoft SharePoint (CVE-2021-34517)
• Microsoft Visual Studio (CVE-2021-34479)
• Microsoft Office Online Server (CVE-2021-34451)
• Microsoft Bing Search (CVE-2021-33753)