Microsoft Patch Tuesday bug drought: No, it's not climate change or unexpected code quality improvements

Now is the winter of our discontent made glorious summer by the fact that it's August and Patch Tuesday brings word of only 44 vulnerabilities in Microsoft's software.

No doubt there are more flaws to be found but for now Redmond's customers can enjoy a relatively light load of fixes. In fact you'd have to go back to December 2019 to find a more meager bug harvest. There's a bit of selective counting here however, given that Microsoft has been patching Edge's Chromium bugs separately.

Among Tuesday's 44, seven are rated Critical severity and 37 are rated Important, one of which is under active attack. Affected software includes: Microsoft Windows and various Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, Azure Sphere, and Microsoft Dynamics, among other applications.

Two of the vulnerabilities identified this month are already publicly disclosed: Windows LSA Spoofing Vulnerability (CVE-2021-36942) and Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-36936).

"Microsoft released [the LSA spoofing patch] to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface," said Zero-Day Initiative's Dustin Childs in a blog post. "This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function."

It's not clear, Childs observed, whether the Print Spooler flaw is a variant of last month's PrintNightmare or a unique vulnerability.

"Either way, attackers can use this to execute code on affected systems," he said. "Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritize testing and deployment of this Critical-rated bug."

"You should apply this to your Domain Controllers first and follow the additional guidance in ADV210003 and KB5005413. This has been an ongoing issue since 2009, and, likely, this isn’t the last we’ll hear of this persistent issue."

• Here's a list of the flaws Russia, China, Iran and pals exploit most often, say Five Eyes infosec agencies
• Google fixes 'Chromebork' one-character code typo that prevented Chrome OS logins
• Microsoft abandons semi-annual releases for Windows Server
• Microsoft has a workaround for 'HiveNightmare' flaw: Nuke your shadow copies from orbit

Also not to be missed is a Critical flaw rated CVSS 9.9, a Windows TCP/IP Remote Code Execution Vulnerability (CVE-2021-26424), and an 8.8-rated Remote Desktop Client Remote Code Execution Vulnerability (CVE-2021-34535).

Microsoft has updated two previous patches from July: Windows Elevation of Privilege Vulnerability (CVE-2021-36934) and Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34481).

And the rest

Adobe meanwhile published two patch bundles, APSB21-66 Security update available for Adobe Connect and APSB21-64 Security updates available for Magento, which together address 29 CVEs.

"The Critical-rated patch for Magento fixes a wide range of bugs, the worst of which could allow remote code execution," said Childs.

Mozilla published three patches, for Thunderbird 78.13, Firefox ESR 78.13, and Firefox 91, addressing 17 CVEs (the six ESE 78.13 CVEs are also fixed in Firefox 91). None are designated critical, but there are enough High severity issues to keep admins busy.

SAP released 19 new and updated SAP security patches, with three HotNews Notes and six High Priority Notes among them. SAP uses the term "HotNews" in place of "Critical" presumably because the company thinks that's less alarming.

"With nine critical patches in total (considering patches with HotNews and High Priority as critical), SAP customers are facing the most noteworthy SAP Patch Day this year," said Thomas Fritsch, content manager for security biz Onapsis, in a blog post.

Two critical patches rate 9.9 on the severity scale. "SAP Security Note #3071984, tagged with a CVSS score of 9.9, patches a vulnerability in SAP Business One that allows an attacker to upload files, including script files, to the server," said Fritsch. "The only reason it does not have a CVSS 10 rating is because it needs a minimum set of authorizations."

The other 9.9 flaw is addressed by SAP Security Note #3072955. The vulnerability allowed attackers to conduct proxy attacks using malicious queries on a servlet component in the Component Build Service in SAP NetWeaver Development Infrastructure. Fritsch reports that if this is running on the internet, the flaw could be abused to compromise data on the server.

Earlier this month, Google released 36 CVEs affecting Android and associated vendor components. Of the five critical bugs in the lot, two affect Qualcomm WLAN components and three affect closed-source Qualcomm components. ®