Microsoft security alert.
July 13, 2021
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 111 vulnerabilities that were fixed in 14 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 14 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft SharePoint Enterprise Server Multiple Vulnerabilities July 2021
- Severity
- Critical 4
- Qualys ID
- 110386
- Vendor Reference
- KB5001975, KB5001976, KB5001981, KB5001984, KB5001992, KB5001996
- CVE Reference
- CVE-2021-34467, CVE-2021-34468, CVE-2021-34517, CVE-2021-34519, CVE-2021-34520
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released July security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5001975
KB5001992
KB5001996
KB5001976
KB5001981
KB5001984
QID Detection Logic:
This authenticated QID compares the file versions from the above Microsoft KB articles with the versions on the affected SharePoint system.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5001975
KB5001992
KB5001996
KB5001976
KB5001981
KB5001984
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2021
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2021
- Severity
- Critical 4
- Qualys ID
- 110387
- Vendor Reference
- KB5001949, KB5001973, KB5001977, KB5001979, KB5001983, KB5001986, KB5001993
- CVE Reference
- CVE-2021-34451, CVE-2021-34452, CVE-2021-34469, CVE-2021-34501, CVE-2021-34518
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released July 2021 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5001949
KB5001986
KB5001973
KB5001979
KB5001983
KB5001977
KB5001993
QID Detection Logic:
This authenticated QID compares the file versions from the Microsoft advisory with the versions on the affected Office system.
Note: Office Click-to-Run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
KB5001949
KB5001986
KB5001973
KB5001979
KB5001983
KB5001977
KB5001993
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update July 2021
-
Visual Studio Code Remote Code Execution (RCE) Vulnerability
- Severity
- Critical 4
- Qualys ID
- 375714
- Vendor Reference
- CVE-2021-34479, CVE-2021-34528, CVE-2021-34529
- CVE Reference
- CVE-2021-34479, CVE-2021-34528, CVE-2021-34529
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual Studio Code prior to version 1.58.1.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of Visual Studio Code.
- Consequence
- A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user.
- Solution
-
Please refer to the Microsoft advisories for Visual Studio Code, CVE-2021-34529 and CVE-2021-34528, for more details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-34479
CVE-2021-34528
CVE-2021-34529
-
Open Enclave Software Development Kit (SDK) Elevation of Privilege Vulnerability July 2021
- Severity
- Serious 3
- Qualys ID
- 375715
- Vendor Reference
- CVE-2021-33767
- CVE Reference
- CVE-2021-33767
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
Enclaves have a vulnerability that provides a brief window for a local attacker to hijack the control flow of execution by controlling the input parameters. A malicious host can create an exception immediately after EENTER, which causes control to be transferred to the host before the enclave stack (RSP register) has been set up. The host can then transfer control back to the enclave and cause it to execute with a stack that resides in host memory, thereby enabling ROP exploits.
Affected Software:
Open Enclave SDK versions prior to 0.17.1
QID Detection Logic:
Checks for open-enclave package version less than 0.17.1
- Consequence
-
Successful exploitation allows elevation of privilege.
- Solution
-
Customers are advised to refer to v0.17.1 or later for more details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
v0.17.1
-
Microsoft Exchange Server Multiple Vulnerabilities July 2021
- Severity
- Urgent 5
- Qualys ID
- 50112
- Vendor Reference
- N/A
- CVE Reference
- CVE-2021-31196, CVE-2021-31206, CVE-2021-33766, CVE-2021-33768, CVE-2021-34523
- CVSS Scores
- Base 7.9 / Temporal 6.5
- Description
-
Microsoft Exchange Server is prone to multiple vulnerabilities:
Microsoft Exchange Server Elevation of Privilege Vulnerability
Microsoft Exchange Server Information Disclosure Vulnerability
Microsoft Exchange Server Remote Code Execution Vulnerability
KB Articles associated with this update are: KB5004780, KB5004779, KB5004778
Affected Versions:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 9
Microsoft Exchange Server 2019 Cumulative Update 10
Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft Exchange Server 2016 Cumulative Update 21
QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
- Consequence
-
Successful exploitation allows attackers to execute remote code.
- Solution
-
Customers are advised to refer to KB5004780, KB5004779, KB5004778 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5004778
KB5004779
KB5004780
-
Microsoft Exchange Server Elevation of Privilege Vulnerability July 2021
- Severity
- Critical 4
- Qualys ID
- 50113
- Vendor Reference
- KB5003611, KB5003612, KB5004778
- CVE Reference
- CVE-2021-34470
- CVSS Scores
- Base 5.2 / Temporal 4.3
- Description
-
Microsoft Exchange Server is prone to multiple vulnerabilities:
Microsoft Exchange Server Elevation of Privilege Vulnerability
KB Articles associated with this update are: KB5003611, KB5003612, KB5004778
Affected Versions:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2019 Cumulative Update 10
Microsoft Exchange Server 2016 Cumulative Update 21
QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
- Consequence
-
Successful exploitation allows elevation of privilege.
- Solution
-
Customers are advised to refer to KB5003611, KB5003612, KB5004778 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5003611
KB5003612
KB5004778
-
Microsoft Windows Codecs Library High Efficiency Video Coding (HEVC) Video Extensions Remote Code Execution (RCE) Vulnerabilities
- Severity
- Critical 4
- Qualys ID
- 91788
- Vendor Reference
- CVE-2021-31947, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778
- CVE Reference
- CVE-2021-31947, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777, CVE-2021-33778
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.
Affected Product:
"HEVC" or "HEVC from Device Manufacturer" media codec before version 1.0.41483.0
QID Detection Logic:
The QID gets the version of HEVCVideoExtension by querying the WMI class Win32_InstalledStoreProgram.
- Consequence
-
An attacker who successfully exploited this vulnerability can compromise confidentiality, integrity and availability of the system.
- Solution
-
Users are advised to check CVE-2021-31947, CVE-2021-33775, CVE-2021-33776, CVE-2021-33777 and CVE-2021-33778 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-31947
CVE-2021-33775
CVE-2021-33776
CVE-2021-33777
CVE-2021-33778
-
Microsoft Windows Codecs Library Raw Image Extension Remote Code Execution (RCE) Vulnerability
- Severity
- Critical 4
- Qualys ID
- 91789
- Vendor Reference
- CVE-2021-34521
- CVE Reference
- CVE-2021-34521
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.
Affected Product:
"RawImageExtension" or "RawImageExtension from Device Manufacturer" media codec before and including version 1.0.41311.0
QID Detection Logic:
The QID gets the version of RawImageExtension by querying the WMI class Win32_InstalledStoreProgram.
- Consequence
-
An attacker who successfully exploited this vulnerability could compromise confidentiality, integrity and availability of the system.
- Solution
-
Users are advised to check CVE-2021-34521
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-34521
-
Microsoft Defender Remote Code Execution (RCE) Vulnerability July 2021
- Severity
- Urgent 5
- Qualys ID
- 91790
- Vendor Reference
- CVE-2021-34464, CVE-2021-34522
- CVE Reference
- CVE-2021-34464, CVE-2021-34522
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Microsoft Defender is prone to a remote code execution vulnerability.
Affected Software:
Windows Defender
QID Detection Logic (Authenticated):
Detection checks for mpengine.dll file version less than 1.1.18242.0
- Consequence
-
Successful exploitation allows an attacker to compromise the system.
- Solution
-
Users are advised to check CVE-2021-34464 and CVE-2021-34522 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-34464
CVE-2021-34522
-
Microsoft Windows Kernel Remote Code Execution (RCE) Vulnerability July 2021
- Severity
- Urgent 5
- Qualys ID
- 91791
- Vendor Reference
- CVE-2021-34458
- CVE Reference
- CVE-2021-34458
- CVSS Scores
- Base 9 / Temporal 6.7
- Description
-
Microsoft releases the security update for Kernel Remote Code Execution Vulnerability July 2021
The KB Articles associated with the update:
KB5004237
KB5004244
KB5004238
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5004237-
KB5004244-
KB5004238-
- Consequence
-
Exploitation of the vulnerability could compromise the confidentiality, integrity and availability of the system.
- Solution
-
Please refer to the Security Update Guide entry for CVE-2021-34458.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-34458
-
Microsoft Dynamics Business Central Remote Code Execution (RCE) Vulnerability July 2021
- Severity
- Urgent 5
- Qualys ID
- 91792
- Vendor Reference
- KB5004715, KB5004716, KB5004717
- CVE Reference
- CVE-2021-34474
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft Dynamics is prone to a remote code execution vulnerability.
KB Articles associated with this update are: KB5004715, KB5004716, KB5004717
Affected Software:
Microsoft Dynamics 365 Business Central 2021 Release Wave 1 - Update 18.3
Microsoft Dynamics 365 Business Central 2020 Release Wave 2 - Update 17.8
Microsoft Dynamics 365 Business Central 2020 Release Wave 1 - Update 16.14
QID Detection Logic (Authenticated):
This authenticated QID flags vulnerable systems by detecting vulnerable versions of the file Microsoft.Dynamics.Nav.Server.exe
- Consequence
- An attacker who successfully exploited this vulnerability could use it to pivot from the machine to the rest of the network.
- Solution
-
Customers are advised to refer to KB5004715, KB5004716 and KB5004717 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5004715
KB5004716
KB5004717
-
Microsoft Windows Security Update for Domain Name System (DNS) July 2021
- Severity
- Critical 4
- Qualys ID
- 91793
- Vendor Reference
- KB5004237, KB5004238, KB5004244, KB5004285, KB5004294, KB5004298, KB5004302
- CVE Reference
- CVE-2021-33745, CVE-2021-33746, CVE-2021-33754, CVE-2021-33780, CVE-2021-34442, CVE-2021-34444, CVE-2021-34494, CVE-2021-34499, CVE-2021-34525
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft releases the security update for Windows July 2021
The KB Articles associated with the update:
KB5004294
KB5004302
KB5004298
KB5004285
KB5004238
KB5004244
KB5004237
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5004294-
KB5004302-
KB5004298-
KB5004285-
KB5004238-
KB5004244-
KB5004237-
- Consequence
-
Successful exploitation could compromise confidentiality, integrity and availability of the system.
- Solution
-
Please refer to the Security Update Guide, KB5004294
KB5004302
KB5004298
KB5004285
KB5004238
KB5004244
KB5004237
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5004237
KB5004238
KB5004244
KB5004285
KB5004294
KB5004298
KB5004302
-
Visual Studio Code .NET Extensions Elevation of Privilege Vulnerability
- Severity
- Serious 3
- Qualys ID
- 91794
- Vendor Reference
- CVE-2021-34477
- CVE Reference
- CVE-2021-34477
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
.NET Education Bundle SDK Install Tool Extension for Visual Studio Code prior to version 0.7.0.
.NET Install Tool for Authors Extension for Visual Studio Code prior to version 1.2.0.
QID Detection Logic (Authenticated):
This QID checks for the vulnerable versions of .NET Education Bundle SDK Install Tool and .NET Install Tool for Authors Extension for Visual Studio Code.
- Consequence
- Due to inaccurately scoped permissions being set on downloaded .NET install scripts, users are vulnerable to an elevation of privileges attack.
- Solution
-
Please refer to Microsoft advisory for Visual Studio Code for more details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-34477
-
Microsoft Windows Security Update for July 2021
- Severity
- Critical 4
- Qualys ID
- 91795
- Vendor Reference
- KB5004233, KB5004237, KB5004238, KB5004244, KB5004245, KB5004249, KB5004285, KB5004294, KB5004298, KB5004302
- CVE Reference
- CVE-2021-31183, CVE-2021-31961, CVE-2021-31979, CVE-2021-33743, CVE-2021-33744, CVE-2021-33749, CVE-2021-33750, CVE-2021-33751, CVE-2021-33752, CVE-2021-33755, CVE-2021-33756, CVE-2021-33757, CVE-2021-33758, CVE-2021-33759, CVE-2021-33760, CVE-2021-33761, CVE-2021-33763, CVE-2021-33764, CVE-2021-33765, CVE-2021-33771, CVE-2021-33772, CVE-2021-33773, CVE-2021-33774, CVE-2021-33779, CVE-2021-33781, CVE-2021-33782, CVE-2021-33783, CVE-2021-33784, CVE-2021-33785, CVE-2021-33786, CVE-2021-33788, CVE-2021-34439, CVE-2021-34440, CVE-2021-34441, CVE-2021-34445, CVE-2021-34446, CVE-2021-34447, CVE-2021-34448, CVE-2021-34449, CVE-2021-34450, CVE-2021-34454, CVE-2021-34455, CVE-2021-34456, CVE-2021-34457, CVE-2021-34459, CVE-2021-34460, CVE-2021-34461, CVE-2021-34462, CVE-2021-34466, CVE-2021-34476, CVE-2021-34488, CVE-2021-34489, CVE-2021-34490, CVE-2021-34491, CVE-2021-34492, CVE-2021-34493, CVE-2021-34496, CVE-2021-34497, CVE-2021-34498, CVE-2021-34500, CVE-2021-34503, CVE-2021-34504, CVE-2021-34507, CVE-2021-34508, CVE-2021-34509, CVE-2021-34510, CVE-2021-34511, CVE-2021-34512, CVE-2021-34513, CVE-2021-34514, CVE-2021-34516, CVE-2021-34525
- CVSS Scores
- Base 9.3 / Temporal 7.7
- Description
-
Microsoft releases the security update for Windows July 2021
The KB Articles associated with the update:
KB5004233
KB5004235
KB5004237
KB5004238
KB5004244
KB5004245
KB5004249
KB5004285
KB5004294
KB5004298
KB5004302
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5004299-6.0.6003.21163
KB5004305-6.0.6003.21163
KB5004289-6.1.7601.25661
KB5004307-6.1.7601.25661
KB5004249-10.0.10240.19003
KB5004238-10.0.14393.4530
KB5004302-6.2.9200.23409
KB5004294-6.2.9200.23409
KB5004285-6.2.9200.23409
KB5004298-6.3.9600.20065
KB5004245-10.0.18362.1679
KB5004244-10.0.17763.2061
KB5004237-10.0.19041.1110
- Consequence
- A remote attacker could exploit this vulnerability and execute code on the target system.
- Solution
-
Please refer to the following KBs:
KB5004233
KB5004235
KB5004237
KB5004238
KB5004244
KB5004245
KB5004249
KB5004285
KB5004294
KB5004298
KB5004302
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5004233
KB5004235
KB5004237
KB5004238
KB5004244
KB5004245
KB5004249
KB5004285
KB5004294
KB5004298
KB5004302
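The ntoskrnl.exe version table under QID 91795 can be applied to an exported file-version inventory. The following is an added example, not Qualys's detection code: it assumes a host is matched to a table row by the first three components of the file version and compared on the fourth, and the inventory entries are constructed.

```python
# Added example: not Qualys's code. Fixed versions are copied from the
# QID 91795 table above; the branch-matching rule is an assumption.
FIXED_NTOSKRNL = {
    "KB5004299": "6.0.6003.21163",
    "KB5004305": "6.0.6003.21163",
    "KB5004289": "6.1.7601.25661",
    "KB5004307": "6.1.7601.25661",
    "KB5004249": "10.0.10240.19003",
    "KB5004238": "10.0.14393.4530",
    "KB5004302": "6.2.9200.23409",
    "KB5004294": "6.2.9200.23409",
    "KB5004285": "6.2.9200.23409",
    "KB5004298": "6.3.9600.20065",
    "KB5004245": "10.0.18362.1679",
    "KB5004244": "10.0.17763.2061",
    "KB5004237": "10.0.19041.1110",
}


def parse_version(text):
    """Return a 4-tuple of ints, or None if text is not a.b.c.d."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def branch_floors(table=FIXED_NTOSKRNL):
    """Group the table by branch (major.minor.build) -> (fixed revision, KBs)."""
    floors = {}
    for kb, version in table.items():
        *branch, revision = parse_version(version)
        rev, kbs = floors.get(tuple(branch), (revision, []))
        floors[tuple(branch)] = (max(rev, revision), kbs + [kb])
    return floors


def assess(observed, floors=None):
    """Classify one ntoskrnl.exe file version as patched/vulnerable/unknown."""
    floors = floors or branch_floors()
    parsed = parse_version(observed)
    if parsed is None or parsed[:3] not in floors:
        # Unparseable, or a branch the advisory does not list: do not guess.
        return ("unknown", [])
    fixed_rev, kbs = floors[parsed[:3]]
    status = "patched" if parsed[3] >= fixed_rev else "vulnerable"
    return (status, kbs)


# Constructed inventory (hostnames and versions are made up for illustration).
INVENTORY = {
    "ws-001": "10.0.19041.1052",
    "ws-002": "10.0.19041.1110",
    "srv-2012": "6.2.9200.23300",
    "ws-new": "10.0.20348.1",
}

if __name__ == "__main__":
    for host, version in INVENTORY.items():
        print(host, version, *assess(version))
```

Hosts reported as "unknown" are on a branch the table does not cover and need a separate check rather than being counted as patched.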
These new vulnerability checks are included in Qualys vulnerability signature 2.5.231-4. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 is available.
- Enable Windows Authentication (specify Authentication Records).
- Enable the following Qualys IDs:
- 110386
- 110387
- 375714
- 375715
- 50112
- 50113
- 91788
- 91789
- 91790
- 91791
- 91792
- 91793
- 91794
- 91795
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provide organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.