Microsoft fixed 49 vulnerabilities in its June Patch Tuesday updates, including fixes for six that are known to be exploited in the wild and two that have been publicly disclosed. All known exploited and publicly disclosed vulnerabilities are in the OS so applying your June operating system update will take care of them. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

• Windows 10 21H1 released on May 18. Microsoft provided enablement packages to update from Windows 10 2004 or Windows 10 20H2. Below is an excerpt from KB5000736 explaining the enablement packages, which are available in your ZENworks patch feed. Notice that a prerequisite is to have the latest 2004 or 20H2 monthly quality update installed (May 2021 or later).
  
  Windows 10, versions 2004, 20H2, and 21H1 share a common core operating system with an identical set of system files. Therefore, the new features in Windows 10, version 21H1 are included in the latest monthly quality update for Windows 10, version 2004 and Windows 10, version 20H1, but are in an inactive and dormant state. These new features will remain dormant until they are turned on through the “enablement package,” a small, quick-to-install “master switch” that activates the Windows 10, version 21H1 features.
  
  
• ZDNet published an interesting article about the PuzzleMaker attacks. The Puzzlemaker attackers chained an earlier Google Chrome vulnerability with two of this month’s Microsoft Windows OS zero-day vulnerabilities to exploit a machine’s sandbox environment to gain access to the machine. It’s a good read and a good reminder of damage that can be done when older vulnerabilities are left unpatched.
• The U.S. Federal authorities recovered more than $2 million in cryptocurrency that Colonial Pipeline paid in ransom to the Russian hacker ring Darkside. You can get the details about how they did it here.

Quick Take

• Microsoft released fixes for 49 vulnerabilities, including six known exploited:
  • CVE-2021-31199 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability: 5.2 CVSS 3.0 base score; affects all Windows OS versions.
  • CVE-2021-31201 Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability: 5.2 CVSS 3.0 base score; affects all Windows OS versions.
  • CVE-2021-31955 Windows Kernel Information Disclosure Vulnerability: 5.5 CVSS 3.0 base score; affects Windows Server 2019 and Windows 10 versions.
  • CVE-2021-31956 Windows NTFS Elevation of Privilege Vulnerability: 7.82 CVSS 3.0 base score; affects all Windows OS versions.
  • CVE-2021-33742 Windows MSHTML Platform Remote Code Execution Vulnerability: 7.5 CVSS 3.0 base score; affects all Windows OS versions.
  • CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability: 8.4 CVSS 3.0 base score; affects Windows 10 and Windows Server version 20H2.
• Microsoft also released fixes for two publicly disclosed vulnerability:
  • CVE-2021-31968 Windows Remote Desktop Services Denial of Service Vulnerability:5 CVSS 3.0 base score; affects all Windows OS versions.
  • (Also known exploited) CVE-2021-33739 Microsoft DWM Core Library Elevation of Privilege Vulnerability: 8.4 CVSS 3.0 base score; affects Windows 10 and Windows Server version 20H2.
• Servicing Stack Updates this month: Windows 10 1809|1909 and Windows Server 2019. As a reminder, Servicing Stack Updates for Windows 10 2004 and newer versions are included in the monthly Cumulative Update so are no longer tracked separately.

Windows Server 2019 Updates

• There is a new Servicing Stack Update (KB5003711). It is not a prerequisite for June updates but we recommend that you install it this month in case it is required for July updates.
• CRITICAL Severity: The cumulative update (KB5003646) resolves 24 new CVEs, including the 6 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31955, CVE-2021-31956, CVE-2021-33742, CVE-2021-33739) and the 2 publicly disclosed (CVE-2021-31968, CVE-2021-33739).

Windows Server 2016 Updates

• CRITICAL Severity: The cumulative update (KB5003638) resolves 20 new CVEs, including 4 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956, CVE-2021-33742) and 1 publicly disclosed (CVE-2021-31968).

Windows 10 Updates

• There are new Servicing Stack Update for versions 1809 (KB5003711), and 1909 (KB5003710). It is not a prerequisite for June updates but we recommend that you install it this month in case it is required for July updates.
• CRITICAL Severity: The cumulative update (KB number varies by version) resolves up to 26 new CVEs, including the 6 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31955, CVE-2021-31956, CVE-2021-33742, CVE-2021-33739) and the 2 publicly disclosed (CVE-2021-31968, CVE-2021-33739).

Windows 8.1 / Windows Server 2012 R2 Updates

• CRITICAL Severity: The Security Monthly Quality Rollup (KB5003671) resolves 19 new CVEs, including 4 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956, CVE-2021-33742) and 1 publicly disclosed (CVE-2021-31968).
• CRITICAL Severity: The Security Only Quality Update (KB5003681) resolves 16 new CVEs, none of which are publicly disclosed or known exploited.
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5003636) resolves 3 new CVEs, including 1 known exploited (CVE-2021-33742). Apply it with the Security Only Quality Update (KB5003681). It is not needed with the Security Monthly Quality Rollup (KB5003671).

Windows Server 2012 Updates

• CRITICAL Severity: The Security Monthly Quality Rollup (KB5003697) resolves 18 new CVEs, including 4 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956, CVE-2021-33742) and 1 publicly disclosed (CVE-2021-31968).
• CRITICAL Severity: The Security Only Quality Update (KB5003696) resolves 15 new CVEs, , including 3 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956) and 1 publicly disclosed (CVE-2021-31968).
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5003636) resolves 3 new CVEs, including 1 known exploited (CVE-2021-33742). Apply it with the Security Only Quality Update (KB5003696). It is not needed with the Security Monthly Quality Rollup (KB5003697).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

• These updates can only be installed on devices that have an active ESU MAK license.
• In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
• CRITICAL Severity: The Security Monthly Quality Rollup (KB5003667) resolves 14 new CVEs, including 4 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956, CVE-2021-33742) and 1 publicly disclosed (CVE-2021-31968).
• CRITICAL Severity: The Security Only Quality Update (KB5003694) resolves 11 new CVEs, including 3 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956) and 1 publicly disclosed (CVE-2021-31968).
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5003636) resolves 3 new CVEs, including 1 known exploited (CVE-2021-33742). Apply it with the Security Only Quality Update (KB5003694). It is not needed with the Security Monthly Quality Rollup (KB5003667).

Windows Server 2008 Extended Security Updates

• These updates can only be installed on devices that have an active ESU MAK license.
• In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
• CRITICAL Severity: The Security Monthly Quality Rollup (KB5003661) resolves 12 new CVEs, including 4 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956, CVE-2021-33742).
• CRITICAL Severity: The Security Only Quality Update (KB5003695) resolves 10 new CVEs, including 3 known exploited (CVE-2021-31199, CVE-2021-31201, CVE-2021-31956).
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 9 (KB5003636) resolves 3 new CVEs, including 1 known exploited (CVE-2021-33742). Apply it with the Security Only Quality Update (KB5003695). It is not needed with the Security Monthly Quality Rollup (KB5003661).

Microsoft SharePoint Server

• CRITICAL Severity: The monthly Security Update resolves 7 CVEs (CVE-2021-26420, CVE-2021-31948, CVE-2021-31950, CVE-2021-31963, CVE-2021-31964, CVE-2021-31965, CVE-2021-31966, across Microsoft SharePoint Foundation Server 2013, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server 2019. None have public disclosures or known exploits.

Microsoft Office 2013–2016 (Windows) and 2016-2019 (Mac)

• IMPORTANT Severity: The Security Update resolves up to 4 CVEs (CVE-2021-31939, CVE-2021-31940, CVE-2021-31941, CVE-2021-31949) depending on the version. None have public disclosures or known exploits.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

• IMPORTANT Severity: Each channel update resolves up to 4 CVEs (CVE-2021-31939, CVE-2021-31940, CVE-2021-31941, CVE-2021-31949) depending on the version. None have public disclosures or known exploits.

Adobe Acrobat and Reader

• CRITICAL Severity: APSB21-37 resolves 5 CVEs across all current versions: CVE-2021-28551, CVE-2021-28552, CVE-2021-28554, CVE-2021-28631, and CVE-2021-28632.

Third-Party Security Updates

• Google Chrome 91.0.4472.101 (resolves 14 CVEs)
• Mozilla Firefox 89.0 (resolves 9 CVEs)
• Mozilla Firefox 78.11.0 ESR (resolves 2 CVEs)
• Mozilla Thunderbird 78.11.0 (resolves 2 CVEs)