Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed

Over 100 CVEs, many of which lead to RCE, have been tackled this month.

Microsoft has released 117 security fixes for its software, including a remote code execution (RCE) vulnerability in Exchange Server found by participants of the Pwn2Own competition.

The Redmond giant's latest round of patches, usually released on the second Tuesday of each month in what is known as Patch Tuesday, fixes 117 flaws covering RCE, privilege escalation, spoofing, memory corruption, and information disclosure. Thirteen are considered critical, and nine are zero-days -- with four under active exploit.

Products impacted by Microsoft's latest security update, issued on July 13, include Microsoft Office, SharePoint, Excel, Microsoft Exchange Server, Windows Defender, Windows Kernel, and Windows SMB. 

Some of the most interesting vulnerabilities resolved in this update are: 

  • CVE-2021-31206: A Microsoft Exchange Server RCE found during Pwn2Own. 
  • CVE-2021-34448: An actively exploited scripting engine memory corruption vulnerability that requires a victim to actively visit a malicious website or click a malicious link.
  • CVE-2021-34494: A Windows DNS Server RCE, albeit restricted to DNS servers only.
  • CVE-2021-34458: A Windows Kernel RCE which permits a single root input/output virtualization (SR-IOV) device assigned to a guest to potentially tamper with PCIe associates.

The latest round of patches comes just a week after Microsoft issued an emergency fix to rectify a security flaw nicknamed "PrintNightmare." Tracked under CVE-2021-1675 and CVE-2021-34527, the combination of RCE and a local privilege escalation flaw is already impacting some printers, and exploit code has been released.

In total, four of the vulnerabilities -- CVE-2021-34527 (PrintNightmare), CVE-2021-34448, CVE-2021-31979, and CVE-2021-33771 -- are listed as exploited in the wild. 

Microsoft thanked researchers from Google Security, Checkmarx, the Trend Micro Zero Day Initiative, and Fortinet's FortiGuard Lab, among other organizations, for reporting the now-patched security flaws; a number of vulnerabilities were also reported by the Microsoft Threat Intelligence Center (MSTIC).

According to the Zero Day Initiative (ZDI), which reported 17 of the bugs, this month's volume of fixes "is more than the last two months combined and on par with the monthly totals from 2020."

Last month, Microsoft resolved 50 vulnerabilities in the June batch of security fixes. These included seven zero-day bugs, six of which were reported by the Redmond giant as being actively exploited. 

A month prior, the tech giant tackled 55 security flaws during May Patch Tuesday. Four of these were deemed critical, and three were zero-days.


Alongside Microsoft's Patch Tuesday round, other vendors have published security updates that can be accessed below.