This week, Microsoft pushed 50 updates to fix vulnerabilities in both the Windows and Office ecosystems. Fortunately, there are no Adobe or Exchange Server updates this month.The bad news is that there are 6 fixes Zero day An exploit that contains important updates to the Windows Core Web Rendering (MSHTML) component. We’ve added this month’s Windows Update to the Patch Now schedule, but Microsoft Office and development platform updates can be deployed in a standard release regime. Updates also include changes to Microsoft Hyper-V, cryptographic libraries, and Windows. DCOM, All of these require some testing before deployment.
You can find this information Summarized in infographic..
Key test scenarios
No high-risk changes to the Windows platform have been reported this month. In this patch cycle, the test guide has been divided into two sections.
Changing to Microsoft OLE and DCOM components is technically the most difficult and requires the most business expertise to debug and deploy. DCOM services are not easy to build and can be difficult to maintain. As a result, they are not the first option for most companies to develop in-house.
If you have a DCOM server (or service) within your IT group, that means it needs to be there — and some core business elements depend on it. To manage the risk of this June update, have a list of applications with DCOM components so that you can compare the two builds (before and after the update) side by side and take enough time to complete them. We recommend that you make comparisons. Test and update your code base as needed.
Every month, Microsoft publishes a list of known operating system and platform-related issues included in this update cycle. Below are some important issues related to the latest build of Microsoft.
- As with last month, updating your device from Windows 10 version 1809 or later to a newer version of Windows 10 can result in the loss of system and user certificates. Microsoft hasn’t released any further advice other than migrating to a newer version of Windows 10.
- There is a problem with the Japanese input method editor (IME) Not generated correctly Furigana text. These issues are very common on Microsoft Update. IMEs are so complex that they have been a problem for Microsoft for years. This Japanese writing issue will be updated later this year.
- Related issues, after installation KB4493509, On devices with some Asian language packs installed, you may see the error “0x800f0982–PSFX_E_MATCHING_COMPONENT_NOT_FOUND”. To resolve this issue, you must uninstall and then reinstall the language pack.
There are many reports that the ESU system was unable to complete Windows Update last month. If you are running an older system, you will need to purchase an ESU key. The most important thing is that you need to activate it (in some cases, an important missing step).You can know more about ESU update key activation online..
You can also find a Microsoft summary One page for known issues in this release..
Currently, this June cycle has two major updates over previously released updates.
- CVE-2020-0835: This is an update to the Windows Defender Antimalware feature in Windows 10. Windows Defender is updated monthly and typically generates a new CVE entry each time. As a result, updating Defender CVE entries is unusual (as well as creating new CVE entries each month). This update is (fortunately) for related documentation. No further action is required.
- CVE-2021-28455: This revision refers to an update in another document about the Microsoft RedJet database. This update (unfortunately) adds Microsoft Access 2013 and 2016 to the affected list. If you use Jet’s “Red” database (check your middleware), you need to test and update your system.
As an additional note about updating Windows Defender, given all that’s happening this month (6 public exploits!), It’s highly recommended that you make sure Defender is up to date.Microsoft publishes some Additional documentation on how to check and enforce compliance For Windows Defender.. Why not do it now? It’s free and the defenders are pretty good.
Mitigation and workarounds
So far, Microsoft doesn’t seem to have published any mitigations or workarounds for this June release.
Each month, the update cycle is categorized into product families (defined by Microsoft) in the following basic groupings:
- Browsers (Internet Explorer and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office;
- Microsoft Exchange;
- Microsoft Development Platform ( ASP.NET Core, .NET Core, Chakra Core);
- Adobe (retired ???)
Since there is only one update for the Microsoft Chromium project, it seems to be back to the normal rhythm of minimal Microsoft browser updates ()CVE-2021-33741). This browser update has been rated as important by Microsoft as it can cause privileged security issues and requires user interaction.Instead of using Microsoft Security Portal To get better intelligence on these browser updates, I found Microsoft Chromium release notes page A better source of patch-related documentation. Given the nature of how Chrome is installed on Windows desktops, updates are expected to have little impact. Add this browser update to the standard release schedule.
Microsoft Windows 10
This month, Microsoft released 27 updates to the Windows ecosystem, three of which were rated as important and the rest rated as important. This is a relatively small number compared to the previous month. But I’m sure (and this is big) that we haven’t seen so many vulnerabilities that have been publicly exploited or exposed. Six exploits have been identified this month, including: CVE-2021-31955, CVE-2021-31956, CVE-2021-33739, CVE-2021-33742, CVE-2021-31199 And CVE-2021-31201..
In addition to this month’s troubles, the following two issues have also been published. CVE-2021-33739 And CVE-2021-31968.. This is a lot — especially for a month.One of the patches I’m most concerned about is CVE-2021-33742.. It is rated critical because it can execute arbitrary code on the target system and can affect core Windows elements (it is rated critical).MSHTML). This web rendering component became a frequent (and favorite) target for attackers as soon as Internet Explorer (IE) was released. Almost all (many) security issues that have affected IE and corresponding patches relate to how MSHTML components interact with the Windows subsystem (Win32) and, worse, with Microsoft script objects. Was there.
Attacks on this component can lead to deep access to compromised systems and are difficult to debug. This month, we’ll be adding this Windows Update to the “Patch Now” release schedule, even if we didn’t have all the published or confirmed exploits.
Much like last month, Microsoft has released 11 updates that were rated as important during this release cycle, and one that was rated as important. Again, Microsoft SharePoint updates are the main focus and important patches have been applied. CVE-2021-31963.. Compared to some of the most worrisome news about Windows Update this month, these Office patches are relatively complex to exploit and don’t expose very vulnerable vectors like the Outlook preview pane.
There have been a lot of information updates for these patches in the last few days, and there may be a problem with the combination of updates to SharePoint Server. Microsoft has published the following error:DataFormWebPart Accessing an external URL can block it and generate an “8scdc” event tag in the SharePoint Unified Logging System (ULS) logs. For more information on this issue, KB 5004210..
Plan a SharePoint server restart and add these Office updates to the standard release schedule.
There are no Microsoft Exchange updates in this cycle. This is a welcome remedy from the last few months when a significant update required an urgent patch that impacted the entire enterprise.
Microsoft development platform
This month is an easy month to update the Microsoft development platforms (.NET and Visual Studio), with only two updates rated as important.
- CVE-2021-31938: Complex and difficult attacks that require local access and user interaction when using Kubernetes tool extensions.
- CVE-2021-31957: this ASP.NET The vulnerability is a bit more serious (it affects the server, not the tool extension). That said, it’s still a complex attack completely resolved by Microsoft.
Add Visual Studio updates to the standard developer release schedule. Add ASP.NET updates to your preferred release schedule as you increase your exposure to the Internet.
Copyright © 2021 IDG Communications Co., Ltd.
With six zero-day attacks, this will be Tuesday’s “patch now” patch
Source link With six zero-day attacks, this will be Tuesday’s “patch now” patch