Microsoft has released patches for five critical vulnerabilities and 44 significant vulnerabilities across numerous product lines.
Several of the vulnerabilities have already been exploited in the wild as zero-days.
Two of the vulnerabilities chain with a Chrome vulnerability to gain access to target machines to deploy malware.
Patches are available and should be applied immediately.
What is the nature of the vulnerabilities?
Two of the vulnerabilities, part of an attack chain attributed to the PuzzleMaker group, were chained with a Google Chrome zero-day vulnerability (CVE-2021-21224) detected by Kaspersky Technologies. By chaining the vulnerabilities together, attackers were observed escaping the HTML page sandbox and executing malicious code on the target machine(s) to ultimately deploy malware.
The majority of the other patched vulnerabilities were remote code execution and elevation of privilege flaws.
Six of the 49 vulnerabilities were observed being exploited in the wild, including the two involved in the PuzzleMaker attack chain:
- Windows MSHTML Platform Remote Code Execution Vulnerability (CVSS 7.5)
- Microsoft Excel Remote Code Execution Vulnerability (CVSS 7.8)
- Microsoft DWM Core Library Elevation of Privilege Vulnerability (CVSS 8.4)
- Paint 3D Remote Code Execution Vulnerability (CVSS 7.8)
- Windows NTFS Elevation of Privilege Vulnerability (CVSS 7.8)
- Windows Kernel Information Disclosure Vulnerability (CVSS 5.5)
PuzzleMaker Group Attack Chain
Kaspersky Technologies detected “a wave of highly targeted attacks” against several organizations on April 14 and 15, 2021; the vulnerabilities used in those attacks were reported to Microsoft and fixed in the June 2021 patch:
CVE-2021-21224 is a V8 type confusion vulnerability in Google Chrome versions prior to 90.0.4430.85 that allows remote attackers to execute arbitrary code inside an HTML page sandbox. This CVE is not included in the Microsoft June patch, but it is likely the first vulnerability exploited in the attack chain used by the PuzzleMaker group.
CVE-2021-31955 is a Windows kernel information disclosure vulnerability in ntoskrnl.exe used to expose kernel addresses. The vulnerability allows the attacker to read kernel memory contents and is the second vulnerability in the PuzzleMaker group's attack chain.
CVE-2021-31956 is a heap buffer overflow vulnerability in the Windows NTFS driver used to elevate privileges. Once privileges are elevated, the attacker can control the affected system and deploy malware.
The other forty-seven vulnerabilities patched include a vulnerability possibly linked to BITTER APT and a Critical CVE detected by Google’s Threat Analysis Group (TAG) that “seems to be a commercial exploit company providing capability for limited nation state Eastern Europe/Middle East targeting.”
What’s at risk?
Many of the vulnerabilities give an attacker the opportunity to take control of the affected system and deploy malware on it.
- All Chrome versions prior to 90.0.4430.85
- Unpatched Microsoft systems
What can I do to protect against this vulnerability?
To protect against compromise, update Google Chrome to version 90.0.4430.85 and apply the June 2021 MS Security Updates to all Microsoft systems. The patches are available from Microsoft.
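A host-level check for the two mitigations above, added here as an example and not part of the original advisory. It assumes Chrome's default install paths and uses 2021-06-08 (the June 2021 Patch Tuesday) as the cut-off date for the Windows updates.

```powershell
# Added example (not from the advisory). Assumptions: default Chrome install
# locations; 2021-06-08 is the June 2021 Patch Tuesday release date.
$MinChrome    = [version]'90.0.4430.85'   # minimum version named in the advisory
$PatchTuesday = Get-Date '2021-06-08'

function Test-ChromePatched {
    # Reads the file version of chrome.exe from the usual install paths and
    # compares it with the fixed version. A host without Chrome has nothing
    # to patch, so it is reported as not installed rather than as vulnerable.
    $paths = @(
        "$env:ProgramFiles\Google\Chrome\Application\chrome.exe",
        "${env:ProgramFiles(x86)}\Google\Chrome\Application\chrome.exe",
        "$env:LOCALAPPDATA\Google\Chrome\Application\chrome.exe"
    )
    $exe = $paths | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $exe) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Patched = $null }
    }
    $ver = [version](Get-Item $exe).VersionInfo.ProductVersion
    [pscustomobject]@{ Installed = $true; Version = $ver; Patched = ($ver -ge $MinChrome) }
}

function Test-JuneUpdateInstalled {
    # Get-HotFix lists updates the OS records as installed. Windows updates are
    # cumulative, so any update installed on or after Patch Tuesday carries the
    # June fixes; no such entry means the host still needs updating.
    $recent = @(Get-HotFix | Where-Object { $_.InstalledOn -ge $PatchTuesday })
    [pscustomobject]@{
        Patched = ($recent.Count -gt 0)
        Updates = ($recent | ForEach-Object { $_.HotFixID }) -join ','
    }
}

$chrome = Test-ChromePatched
$os     = Test-JuneUpdateInstalled
if ($chrome.Installed -and -not $chrome.Patched) {
    Write-Warning "Chrome $($chrome.Version) is below $MinChrome; update required."
}
if (-not $os.Patched) {
    Write-Warning "No Windows update installed since $($PatchTuesday.ToShortDateString()); apply June 2021 updates."
}
[pscustomobject]@{ Chrome = $chrome; Windows = $os } | Format-List
```

Run it from an elevated PowerShell session on each host; the warnings identify which of the two mitigations is still outstanding.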
- Cybersecurity and Infrastructure Security Agency article
- Microsoft’s June 2021 Security Updates article
- Microsoft’s June 2021 Update Guide
- Securelist by Kaspersky’s PuzzleMaker article
- ZDNet’s PuzzleMaker article
- Tenable’s blog post on the June 2021 patch