This week’s Patch Tuesday release from Microsoft is a big one for the Windows ecosystem; it includes 117 patches that handle four publicly reported and four exploited vulnerabilities. The good news: this month’s Microsoft Office and development platform (Visual Studio) patches are relatively straightforward and can be added with minimal risk to your standard patch release schedules, and there are no browser updates. Alas, we have a really serious printer issue (CVE-2021-34527) that was released out of bounds (OOB) and has been updated at least twice in the past few days. That means you need to pay immediate attention to the Windows updates and that you add all of the Windows desktop patches to your “Patch Now” schedule.
There were multiple updates through the week, and we expect more to the print spooler vulnerabilities in the coming days. Unfortunately, this large and broad-scoped series of patches will require significant testing due to the core system and kernel changes they entail. For further information you can check the Windows 10 health dashboard. You can also find more information on the risk of deploying these Patch Tuesday in this infographic.
Key testing scenarios
There are no reported high-risk changes to the Windows platform. However, there is one reported functional change and an additional feature added this month:
- Test your printers, with a view to potentially stopping all necessary spooler services.
- Verify that printing via LOB applications works as expected.
- Test that Word and PowerPoint files can be downloaded and opened.
I think with the five kernel updates and a particular focus on the server patch CVE-2021-34458, this month, ] a full LOB application test will be required.
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in the latest update cycle. I have referenced a few key issues that relate to the latest Microsoft builds, including:
- Devices with Windows installations created from custom offline media or custom ISO images might have Microsoft Edge Legacy removed by this update, but not automatically replaced by the new Microsoft Edge. To avoid this issue, be sure to first slipstream the SSU released March 29, 2021 or later into the custom offline media or ISO image before slipstreaming the LCU.
- ESU Updates (Windows 7 and Server 2008): After installing this update and restarting your device, you might receive the error “Failure to configure Windows updates.” You may receive this notice if you have not activated your ESU MAK add-on key. For more information about activation, you can find out more at this Microsoft blog post.
Resolved Issues with previous patches
- June Update : After installing KB5003671 or KB5003681 on Windows 8.1 or Windows Server 2012 R2, apps accessing event logs on remote devices might be unable to connect. This issue might occur if the local or remote has not yet installed updates released June 8, 2021 or later. Affected apps are using certain legacy Event Logging APIs. You might receive an error when attempting to connect. Last June, there was a known issue apparently by design.
At this point in July’s update cycle, there have been three major updates to previous released updates:
- CVE-2021-31940 and CVE-2021-31941: These revisions to past updates are informational updates that relate to MAC desktop software availability. If you are a Windows user, no further action is required.
- CVE-2020-17049: Microsoft is releasing security updates to deploy the enforcement phase for this vulnerability. Active Directory domain controllers are now capable of Enforcement mode. At this time, the PerformTicketSignature registry key settings will be ignored and Enforcement mode cannot be overridden. Now you know.
Mitigations and workarounds
As of now, it does not appear that Microsoft has published any mitigations or work-arounds for this July release.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge).
- Microsoft Windows (both desktop and server).
- Microsoft Office.
- Microsoft Exchange.
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core).
- Adobe (retired?).
Strictly speaking, there are no browser updates for the July Patch Tuesday. However, Microsoft released an update to its Edge browser last June that addressed two vulnerabilities that could lead to elevation-of-privilege scenarios. As these updates were part of the Chromium project, they were released on June 24 as part of the Edge Stable Channel (Version 91.0.864.59). We have not seen any impact to any Chromium browsers or dependent controls as a result of these updates.
If you allow automatic updates for Microsoft Edge, no further action is required at this time. You can read more about these releases on the Microsoft Edge Security update page found here.
Before we even start the discussion about this month’s Windows updates, add all of these Windows updates to your “Patch Now” schedule. This is a big update for Microsoft with 90 patches for Windows desktops alone. Nine of these patches are rated as critical — all of which relate to the Remote Desktop feature in Windows.
Unfortunately, four vulnerabilities addressed in this update have been publicly disclosed (including CVE-2021-34527) and a further four have been reported as exploited in the wild. Two of these exploited issues relate to Windows kernel elevation-of-privilege scenarios. This makes for a tough update to test, given the urgency of the printer spooler “crisis” and the need for rapid deployment of these updates. There are going to be problems with this update.
And, we are not yet done with Windows updates for July. In fact, Microsoft just released updates to its previously updated patches with CVE-2021-33481 and CVE-2021-34527 receiving major revisions yesterday. You can read more about the print spooler problems on the Microsoft security blog found here. The current recommendation is to turn off the spooler service for your servers. This is strong medicine for what appears to be a very serious issue.
Add this Windows update to your “Patch Now” schedule, and prepare for more urgent updates.
Compared to what is happening on the desktop and server environment this month, Microsoft Office updates appear relatively benign. Microsoft has released 10 patches that affect all currently supported versions of Office, with nine rated as important and one rated as moderate by Microsoft. These updates affect the usual suspects with Word, Excel and Sharepoint security vulnerabilities leading to potential spoofing or elevation of privilege issues. Add these Microsoft Office updates to your standard patch schedule.
Microsoft Exchange Server
While we don’t see quite the concern (and urgency) with Microsoft Exchange as we have seen in past months, Microsoft has released six updates rated as important and a single critical rated update (CVE-2021-34473). This critical update addresses a low complexity, network-based attack that does not require user intervention. And, it’s Microsoft’s second attempt at resolving this vulnerability (the first try was in April) that could lead to arbitrary code execution on the target server. Given this concern, we have added the Microsoft Exchange updates for the month of July to the “Patch Now” schedule.
Microsoft Development Platforms
Microsoft has released five updates, all rated as important to the Microsoft Visual Studio development platform. This month also includes a single GitHub advisory (CVE-2021-33767) that relates to the Open Enclave SDK. All of these updates should have a minimal impact on their respective platforms and can be added to the standard development update regime.
Microsoft has not released any (additional) updates to the Adobe ecosystem this month. However, given the important and urgent nature of the OOB printer updates, all other patches relating to printers and printing should be noted. This month Adobe has released (APSB21-51) 10 critical updates and an additional two important updates to all supported versions of Adobe Reader (Acrobat DC, Reader DC, Reader 2020, Acrobat 2017 and Acrobat 2017). Given that these patches address reported vulnerabilities that include low-complexity, remote code execution, “no user,” we recommend that you add these Adobe Reader updates to your “Patch Now” schedule.
I would also like to add that this month’s update, like previous Flash related updates will force the removal of Flash from the target system. Taking this update will remove Adobe Flash from the machine.
For more information, see the Update on Adobe Flash Player End of Support.