On 8 June 2021, Microsoft, SAP and Adobe released patches for several vulnerabilities in multiple products. Timely patching of these flaws is recommended.
- Microsoft’s June 2021 Patch Tuesday fixed 50 vulnerabilities, five of which are rated Critical and allow remote code execution (RCE).
- Six of the flaws have been actively abused by malicious actors and include four elevation of privilege vulnerabilities, one information disclosure flaw, and one RCE.
- One of the Critical flaws under active attack is tracked as CVE-2021-33742 and affects all supported Windows versions. When a maliciously crafted webpage is opened and parsed by MSHTML (an engine used by email clients, various applications, and browsers), threat actors could execute arbitrary code on the victim machine.
- Also of note is a Critical flaw, tracked as CVE-2021-31962, in a Kerberos AppContainer Security Feature allowing threat actors to potentially bypass authentication to leverage any service that is accessed via an arbitrary service principal name (SPN).
- An RCE in Windows Defender (CVE-2021-31985) has been marked by Microsoft as likely to be exploited: it has low attack complexity and requires no authentication to exploit.
- Adobe’s Patch Tuesday fixed vulnerabilities in ten applications, including Adobe Acrobat, Reader, Photoshop, and Adobe After Effects. There are currently no reports of these vulnerabilities being actively exploited.
- SAP’s June 2021 Security Patch Day released security updates to address vulnerabilities affecting multiple products, including NetWeaver ABAP Server, ABAP Platform, and SAP Commerce flaws that were assigned “Hot News” priority (CVSS score above 9).
- We recommend expedited patching for the Microsoft vulnerabilities described above.
- Adobe products are a popular target for cybercriminals. Timely patching for the Adobe flaws is recommended.
- If you are running the vulnerable SAP software, we recommend upgrading to the latest version by following the SAP advisory. Please note: it requires an SAP Kernel update, which demands downtime.
- SAP clients can limit access to Remote Function Call (RFC) modules over the network and secure external HTTP communications to prevent exploitation.