Aug. Patch Tues. – Actively Exploited Windows Zero-Day Gets a Patch!

Microsoft’s Aug. 2021 Patch Tues. addressed a smaller set of issues than usual, including more Print Spooler problems, a zero-day & 7 critical vulnerabilities.

Microsoft has patched 51 security vulnerabilities in its scheduled Aug. Patch Tuesday update, including 7 critical bugs, 2 issues that were publicly disclosed but unpatched as yet, & 1 that’s listed as a zero-day that has been exploited in the wild.


Also, there are 17 elevation-of-privilege (EoP) vulnerabilities, 13 remote code-execution (RCE) issues, 8 information-disclosure flaws & 2 denial-of-service (DoS) bugs.

The update also includes patches for 3 more Print Spooler bugs, familiar from the PrintNightmare saga.

Lighter Month

“Fortunately, it was a lighter month than usual,” stated Eric Feldman, Senior Product Marketing Manager at Automox, in a Patch Tues. analysis from the vendor.

“This represents a 56% reduction in overall vulnerabilities from July, & 33% fewer vulnerabilities on average for each month so far this year. We have also seen a similar reduction in critical vulnerabilities this month, with 30% less compared to the monthly average.”

Windows Critical Security Vulnerabilities

The 7 critical bugs addressed in Aug. are as follows:

  • CVE-2021-26424 – Windows TCP/IP RCE Vulnerability
  • CVE-2021-26432 – Windows Services for NFS ONCRPC XDR Driver RCE Vulnerability
  • CVE-2021-34480 – Scripting Engine Memory Corruption Vulnerability
  • CVE-2021-34530 – Windows Graphics Component RCE Vulnerability
  • CVE-2021-34534 – Windows MSHTML Platform RCE Vulnerability
  • CVE-2021-34535 – Remote Desktop Client RCE Vulnerability
  • CVE-2021-36936 – Windows Print Spooler RCE Vulnerability

TCP/IP Protocol

The bug tracked as CVE-2021-26424 exists in the TCP/IP protocol stack in Windows 7 & newer Microsoft operating systems, including servers.

“Despite its CVSS rating of 9.9, this may prove to be a trivial bug, but it’s still fascinating,” explained Dustin Childs of Trend Micro’s Zero Day Initiative (ZDI) in his Tuesday analysis.

“An attacker on a guest Hyper-V OS could execute code on the host Hyper-V server by sending a specially crafted IPv6 ping. This keeps it out of the wormable category. Still, a successful attack would allow the guest OS to completely take over the Hyper-V host. While not wormable, it’s still cool to see new bugs in new scenarios being found in protocols that have been around for years.”

Windows Services

The next bug, CVE-2021-26432 in the Windows Services for NFS ONCRPC XDR driver, is more likely to be exploited given its low-complexity status, according to Microsoft’s advisory. It doesn’t require privileges or user interaction to exploit, but Microsoft offered no further details.

“This may fall into the ‘wormable’ category, at least between servers with NFS installed, especially since the open network computing remote procedure call (ONCRPC) consists of an External Data Representation (XDR) runtime built on the Winsock Kernel (WSK) interface,” Childs outlined. “That certainly sounds like elevated code on a listening network service. Don’t ignore this patch.”

Loss of Confidentiality

Aleks Haugom, Product Marketing Manager at Automox, added, “Exploitation results in total loss of confidentiality across all devices managed by the same security authority. Furthermore, attackers can utilise it for denial-of-service attacks or to maliciously modify files.

“So far, no further details have been released by Microsoft or the security researcher (Liubenjin from Codesafe Team of Legendsec at Qi’anxin Group) that discovered this vulnerability. Given the broad potential impact, its label ‘Exploitation More Likely’ & apparent secrecy, patching should be completed ASAP.”

Malicious File

Meanwhile, the memory-corruption bug (CVE-2021-34480) arises from how the scripting engine handles objects in memory, & it also allows RCE. Using a web-based attack or a malicious file, such as a malicious landing page or phishing email, attackers can use this vulnerability to take control of an affected system, install programs, view or change data, or create new user accounts with full user rights.

“CVE-2021-34480 should also be a priority,” Kevin Breen, director of cyber-threat research at Immersive Labs, suggested.

Exploitation More Likely

“It is a low score in terms of CVSS, coming in at 6.8, but has been marked by Microsoft as ‘Exploitation More Likely’ because it is the type of attack commonly used to increase the success rate of spear phishing attacks to gain network access. Simple, but effective.”

The Windows Graphics Component bug (CVE-2021-34530) allows attackers to remotely execute malicious code in the context of the current user, according to Microsoft, if they can social-engineer a target into opening a specially crafted file.

Another bug exists in the Windows MSHTML platform, also known as Trident (CVE-2021-34534). Trident is the rendering engine (mshtml.dll) used by Internet Explorer. The bug affects many Windows 10 versions (1607, 1809, 1909, 2004, 20H2, 21H1) as well as Windows Server 2016 and 2019.

However, while it potentially affects a large number of users, exploitation is not trivial.

“To exploit, a threat actor would need to pull off a highly complex attack with user interaction – still entirely possible with the sophisticated attackers of today,” warned Peter Pflaster, Technical Product Marketing Manager at Automox.

Remote Desktop Client

The bug tracked as CVE-2021-34535 impacts the Microsoft Remote Desktop Client, Microsoft’s nearly ubiquitous utility for connecting to remote PCs.

“With today’s highly dispersed workforce, CVE-2021-34535, an RCE vulnerability in Remote Desktop Clients, should be a priority patch,” stated Breen.

“Attackers increasingly use RDP access as the tip of the spear to gain network access, often combining it with privilege escalation to move laterally.

“These can be powerful as, depending on the method, it may let the attacker authenticate in the network in the same way a user would, making detection difficult.”

BlueKeep

According to Childs, it’s not as dangerous a bug as BlueKeep, which also affected RDP.

“Before you start having flashbacks to BlueKeep, this bug affects the RDP client & not the RDP server,” he revealed.

“However, the CVSS 9.9 bug is nothing to ignore. An attacker can take over a system if they can convince an affected RDP client to connect to an RDP server they control.

“On Hyper-V servers, a malicious program running in a guest VM could trigger guest-to-host RCE by exploiting this vulnerability in the Hyper-V Viewer. This is the more likely scenario & the reason you should test & deploy this patch quickly.”

Windows Print Spooler Bugs

The final critical bug is CVE-2021-36936, a Windows Print Spooler RCE bug that’s listed as publicly known.

Print Spooler made headlines last month, when Microsoft patched what it thought was a minor elevation-of-privilege vulnerability in the service (CVE-2021-1675).

But the listing was updated later in the week, after researchers from Tencent & NSFOCUS TIANJI Lab worked out it could be used for RCE – requiring a new patch.

Code-Execution Bug

Microsoft also disclosed a 2nd bug, similar to PrintNightmare (CVE-2021-34527); & a 3rd, an EoP issue (CVE-2021-34481).

“Another month, another remote code-execution bug in the Print Spooler,” suggested ZDI’s Childs.

“This bug is listed as publicly known, but it’s not clear if this bug is a variant of PrintNightmare or a unique vulnerability all on its own. There are quite a few print-spooler bugs to keep track of. Either way, attackers can use this to execute code on affected systems.

“Microsoft does state low privileges are required, so that should put this in the non-wormable category, but you should still prioritise testing & deployment of this critical-rated bug.”

Critical Vulnerability

The critical vulnerability is just 1 of 3 Print Spooler issues in the Aug. Patch Tues. release.

“The spectre of the PrintNightmare continues to haunt this Patch Tues. with 3 more print spooler vulnerabilities, CVE-2021-36947, CVE-2021-36936 & CVE-2021-34481,” outlined Breen.

“All 3 are listed as RCE over the network, requiring a low level of access, similar to PrintNightmare. Microsoft has marked these as ‘Exploitation More Likely’ which, if the previous speed of POC code being published is anything to go by, is certainly true.”

Windows Update Medic Service

The actively exploited bug is tracked as CVE-2021-36948 & is rated as important; it could pave the way for RCE via the Windows Update Medic Service in Windows 10 & Server 2019 & newer operating systems.

“Update Medic is a new service that allows users to repair Windows Update components from a damaged state such that the device can continue to receive updates,” Automox’s Jay Goodman explained. “The exploit is both low complexity and can be exploited without user interaction, making this an easy vulnerability to include in an adversary’s toolbox.”

Ransomware Attacks

Immersive’s Breen added, “CVE-2021-36948 is a privilege-escalation vulnerability – the cornerstone of modern intrusions as they allow attackers the level of access to do things like hide their tracks & create user accounts. In the case of ransomware attacks, they have also been used to ensure maximum damage.”

Though Microsoft reports the bug as being exploited in the wild, activity appears to remain limited or targeted: “We have seen no evidence of it at Kenna Security at this time,” said Jerry Gamblin, Director of Security Research at Kenna Security (now part of Cisco).

Windows LSA Spoofing Bug

The 2nd publicly known bug (after the Print Spooler issue covered earlier) is tracked as CVE-2021-36942, & it’s an important-rated Windows LSA (Local Security Authority) spoofing vulnerability.

“It fixes a flaw that could be used to steal NTLM hashes from a domain controller or other vulnerable host,” Immersive’s Breen stated.

“These types of attacks are well known for lateral movement & privilege escalation, as has been demonstrated recently by a new exploit called PetitPotam. It is a post-intrusion exploit – further down the attack chain – but still a useful tool for attackers.”

Childs offered a bit of context around the bug.

“Microsoft released this patch to further protect against NTLM relay attacks by issuing this update to block the LSARPC interface,” he reasoned.

“This will impact some systems, notably Windows Server 2008 SP2, that use the EFS API OpenEncryptedFileRawA function. You should apply this to your Domain Controllers first & follow the additional guidance in ADV210003 & KB5005413. This has been an ongoing issue since 2009, &, likely, this isn’t the last we’ll hear of this persistent issue.”

Microsoft’s next Patch Tues. is Sept. 14.