June, 2021: Patch Tuesday: 6 CVEs Exploited in the Wild

Welcome to the June Patch Tuesday bulletin. This month there are 49 unique CVEs listed, 6 technologies, 3 critical technologies, 2 publicly disclosed vulnerabilities, and 6 vulnerabilities that were exploited in the wild. CVE-2021-33739, CVE-2021-31201, CVE-2021-31199 and CVE-2021-31956 are all exploited privilege escalation vulnerabilities, with the highest CVSS score among them being 8.4/10, and CVE-2021-33739 was also publicly disclosed. CVE-2021-33742 is an exploited remote code execution vulnerability affecting the MSHTML platform with a CVSS score of 7.5/10. Finally, CVE-2021-31955 is an exploited information disclosure vulnerability with a CVSS score of 5.5. It goes without saying that remediating these vulnerabilities is the top priority this month. The Windows updates also address numerous vulnerabilities that are assessed as more likely to be exploited. It is important to make sure that updates for the following CVEs are applied: CVE-2021-31959, CVE-2021-31954, CVE-2021-31952, CVE-2021-31951. These have a higher likelihood of being weaponized over the next month. While the number of vulnerabilities is not large, there are quite a few important updates that need to be applied this month.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of MS patches this month.

| Technology | Products Affected | Severity | Reference | Workaround/ Exploited | Vulnerability Info |
| --- | --- | --- | --- | --- | --- |
| Visual Studio | Visual Studio 2019, 2019 for Mac, Code – Kubernetes Tools | Important | CVE-2021-31938, CVE-2021-31957 | *Workaround: No; **Public: No; Exploited: No | Denial of Service; Elevation of Privilege |
| .NET | .NET 5.0; .NET Core 3.1 | Important | CVE-2021-31957 | *Workaround: No; **Public: No; Exploited: No | Denial of Service |
| Office | Excel 2013, 2016; Office 2013, 2016, 2019, 2019 for Mac, Web Apps Server 2013; Outlook 2013, 2016; SharePoint Enterprise Server 2013, 2016; SharePoint Foundation 2013; SharePoint Server 2019; Microsoft 365 Apps for Enterprise | Critical | CVE-2021-26420, CVE-2021-31939, CVE-2021-31940, CVE-2021-31941, CVE-2021-31948, CVE-2021-31949, CVE-2021-31950, CVE-2021-31963, CVE-2021-31964, CVE-2021-31965, CVE-2021-31966 | *Workaround: No; **Public: No; Exploited: No | Information Disclosure; Remote Code Execution; Spoofing |
| System Center | Microsoft Malware Protection Engine | Critical | CVE-2021-31978, CVE-2021-31985 | *Workaround: No; **Public: No; Exploited: No | Remote Code Execution; Denial of Service |
| Windows | Windows 8.1, RT 8.1, 10; Server 2012, 2016, 2019 | Critical | CVE-2021-1675, CVE-2021-26414, CVE-2021-31199, CVE-2021-31201, CVE-2021-31951, CVE-2021-31952, CVE-2021-31953, CVE-2021-31954, CVE-2021-31955, CVE-2021-31956, CVE-2021-31958, CVE-2021-31959, CVE-2021-31960, CVE-2021-31962, CVE-2021-31967, CVE-2021-31968**, CVE-2021-31969, CVE-2021-31970, CVE-2021-31971, CVE-2021-31972, CVE-2021-31973, CVE-2021-31974, CVE-2021-31975, CVE-2021-31976, CVE-2021-31977, CVE-2021-33739**, CVE-2021-33742 | *Workaround: No; **Public: Yes; Exploited: Yes | Denial of Service; Elevation of Privilege; Information Disclosure; Remote Code Execution; Security Feature Bypass |
| Apps | Intune management extension; 3D Viewer; Paint 3D | Important | CVE-2021-31942, CVE-2021-31943, CVE-2021-31944, CVE-2021-31945, CVE-2021-31946, CVE-2021-31980, CVE-2021-31983 | *Workaround: No; **Public: No; Exploited: No | Information Disclosure; Remote Code Execution |