June 8, 2021

Microsoft today released another round of security updates for Windows operating systems and supported software, including fixes for six zero-day bugs that malicious hackers already are exploiting in active attacks.

June’s Patch Tuesday addresses just 49 security holes — about half the normal number of vulnerabilities lately. But what this month lacks in volume it makes up for in urgency: Microsoft warns that bad guys are leveraging a half-dozen of those weaknesses to break into computers in targeted attacks.

Among the zero-days are:

CVE-2021-33742, a remote code execution bug in a Windows HTML component.
CVE-2021-31955, an information disclosure bug in the Windows Kernel
CVE-2021-31956, an elevation of privilege flaw in Windows NTFS
CVE-2021-33739, an elevation of privilege flaw in the Microsoft Desktop Window Manager
CVE-2021-31201, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
CVE-2021-31199, an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider

Kevin Breen, director of cyber threat research at Immersive Labs, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs: Once the attacker has gained an initial foothold, he can move laterally across the network and uncover further ways to escalate to system or domain-level access.

“This can be hugely damaging in the event of ransomware attacks, where high privileges can enable the attackers to stop or destroy backups and other security tools,” Breen said. “The ‘exploit detected’ tag means attackers are actively using them, so for me, it’s the most important piece of information we need to prioritize the patches.”

Microsoft also patched five critical bugs — flaws that can be remotely exploited to seize control over the targeted Windows computer without any help from users. CVE-2021-31959 affects everything from Windows 7 through Windows 10 and Server versions 2008, 2012, 2016 and 2019.

Sharepoint also got a critical update in CVE-2021-31963; Microsoft says this one is less likely to be exploited, but then critical Sharepoint flaws are a favorite target of ransomware criminals.

Interestingly, two of the Windows zero-day flaws — CVE-2021-31201 and CVE-2021-31199 — are related to a patch Adobe released recently for CVE-2021-28550, a flaw in Adobe Acrobat and Reader that also is being actively exploited.

“Attackers have been seen exploiting these vulnerabilities by sending victims specially crafted PDFs, often attached in a phishing email, that when opened on the victim’s machine, the attacker is able to gain arbitrary code execution,” said Christopher Hass, director of information security and research at Automox. “There are no workarounds for these vulnerabilities, patching as soon as possible is highly recommended.”

In addition to updating Acrobat and Reader, Adobe patched flaws in a slew of other products today, including Adobe Connect, Photoshop, and Creative Cloud. The full list is here, with links to updates.

The usual disclaimer:

Before you update with this month’s patch batch, please make sure you have backed up your system and/or important files. It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.

So do yourself a favor and backup before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

For a quick visual breakdown of each update released today and its severity level, check out the this Patch Tuesday post from the SANS Internet Storm Center.


59 thoughts on “Microsoft Patches Six Zero-Day Security Holes

  1. Harry Johnston

    One correction: Adobe’s patch for CVE-2021-28550 (security bulletin APSB21-29, which you link to) was released last month, not today.

    Today’s Adobe security bulletin is APSB21-37 and lists CVE-2021-28551, 28552, 28554, 28631, and 28632.

  2. Brad Larkin

    Love that you cover the basic blocking-and-tackling of security as well as the most sophisticated gangs. Thank you Brian.

  3. The Sunshine State

    I have 21-H1 on all my Windows 10 machines , running without any issues .

  4. rando

    hahahahahahahahahaha to eternity…..also…fcuk you bill! i hope malinda takes you aaaassssss to the cleaners….can you IMAGINE BILL GATES PICKING UP WOMEN IN A (OFCOURSE!!!STEREO TYPE.MUCHBILLYY) GOLLLLLDDD PORSHA MADE IN GERMANY. ..lol..fs they made tanks amphibious marchland attack machines…fcuk bill….imagine getting into a porcshe with bill gates in it or d trump or epstein ir appollo hedgr fu d graduate from drexel burnam lambert unreal mike milken is a bilkionarre and got trump pardon

    but i do digress
    when did the us intel.”community” w trillion doelar funding get any major issue right.

    cold war socviet cillapse oopps didnt see that coming…911? oooopppppsssie total shick after wtc bombing after uss cole …total shock despite all the cash… fast forward to last week….

    1. smh2021

      Someone missed their dose of Haldol today

  5. Yyz

    When are enterprises, governments and users going to hold Microsoft accountable for all these problems? If they can’t sue because of EULAs at least move to a different product. Sure, it’s not easy, but how many resources are being wasted with remediation and recovery efforts?

    1. Retired Security Guy Al

      All software has vulnerabilities, they just haven’t been discovered, yet. MS , ten to fifteen years back was not great at security but since then they’ve really improved. They continue to be the biggest target for obvious reasons, but they mostly get the job done. Adobe, on the other hand…

  6. KoSReader600000

    “Interestingly, two of the Windows zero-day flaws — CVE-2021-31201 and CVE-2021-31199 — are related to a patch Adobe released recently for CVE-2021-28550, a flaw in Adobe Acrobat and Reader that also is being actively exploited.”-Brian Krebs

    I am a bit confused. Is the adobe patch the problem? Is the adobe product the problem? Next, if you have a machine that has the zero flaw should you just remove the adobe product? Should you remove the adobe patch? Last, if you have a machine without the adobe product should use you the MS patch for said zero day?

    1. Harry Johnston

      My guess would be that the only relationship between the three vulnerabilities is that they were all first discovered as part of the zero-day attacks mentioned in the Adobe bulletin.

      At any rate, you definitely need to install all the patches that are relevant to your system in order to be secure. If you are running Adobe Reader on Windows, for example, you need to make sure that both Adobe Reader and Windows are up to date.

    2. timeless

      The Windows vulnerabilities are privilege escalation. But, first you need to be running code on the box.

      So, start by sending someone a PDF, which exploits acrobat to let you run code. Then attack Windows using the privilege escalation vulnerabilities.

      Note: you’re going to want to patch both. Patching just Acrobat means you risk someone finding a different bug in something else you have and chaining to attack Windows. Or similarly, only patching Windows means you risk someone attacking Acrobat and then doing something else (either a different Windows vulnerability, or just ransomware).

  7. David Union

    My Patch Tuesday Updates are missing. I had your email advising me that they had been released. I also had these three mails from Microsoft: Microsoft Security Update Summary for June 6 2021, Microsoft Security Advisory Notification and Microsoft Security Update Releases.
    But when I check for updates, I get the message that my laptop is up-to-date. I’ve created a thread in the Microsoft Community forum.
    Has anyone else reported missing Patch Tuesday Updates, Bryan?

    PS I think Rando’s ranting reply yesterday should be deleted.

  8. David Union

    I received these emails: Microsoft Security Update Summary for June 6 2021/ Microsoft Security Advisory Notification / Microsoft Security Update Releases
    The KB890830 update (Malicious Software Removal Tool) installed, confirmed by my Update History, but the others are missing i.e. checking my settings for Windows Updates shows a message that my laptop is up-to-date.
    But it’s not. These are the Patch Tuesday Updates and I had your email confirming this.
    I’ve restarted my laptop several times but my Settings still show that my laptop is up-to-date. Has anyone else reported this problem, Bryan?

  9. Patrick

    “It’s not uncommon for Windows updates to hose one’s system or prevent it from booting properly, and some updates even have been known to erase or corrupt files.”

    Oh, come on, this is just plain untrue. Can it happen? Yes. Is it common? No, and for 99.X% of users, not something they’ll ever experience.

    1. Ah... Juicestratics

      99.x% is 150% made up. If you haven’t had a single black screen boot, hard rollback, user/file issue, anything in 2 years? Tell us your HW configuration on your single digit W10 pc’s, because a lot, a LOT of people have had these issues. Then go buy a lotto ticket because you’re fortunate. Just 1 year ago (and the whole year before that) these things were happening sequentially month after month for non-trivial %’s. Entire product lines. Remember when they killed the Intel chipsets? No? Or integrated radeons in a whole swath of laptops? It’s improved in the last several but there’s a reason people were advised to wait if they could, especially on ‘rollup’ updates. Plain untrue, no it isn’t. It’s not uncommon, it’s NOT 0.1%. No way. But nobody has the % stat you imagine including MS, and they downplay intentionally. If you supported end users for the last 2 years, either professionally or just family and friends, you experienced at least 2 of these or you’re the unicorn.

      1. Harry Johnston

        Not that I disagree with Brian’s advice, but my professional experience seems very different to yours. Our fleet is about 5K Windows computers and we’ve had very few serious issues (persistent bluescreens, lost data, etc.) caused by updates. Hardware problems are an order of magnitude more common.

        The last incident I’m aware of was in 2019, when some of our Windows 7 machines failed to boot after installing KB4512486, and frankly that was our fault for not having KB3133977 installed – we’d only had about three years to do it in, after all! The new cumulative update model pretty much eliminates that potential risk anyway.

        On the other hand, we buy almost entirely from a single vendor (Dell) and we install Windows ourselves on all our computers. I think the latter in particular is important, I seem to recall that several of the high-profile issues I’ve read about over the past decade or so were caused by issues with the preinstalled Windows image provided by the hardware vendor. So my workplace experiences probably aren’t typical of either personal-use or small-business scenarios.

        1. mealy

          “my workplace experiences probably aren’t typical of either personal-use or small-business scenarios.”

          It’d be a helluva small business though, and Grandma’s solitaire downtime would be minimal, trojan free.. Probably a nice sweater in it for you if you meet performance goals, just saying.

      1. Fake people are natural born liars

        Please do not spoof the name of Brian Krebs.
        His real comments will always have an HTML tag next to the name that says, “Post author”

          1. mealy

            I have no problem using lots of different names to post in the comments. It keeps the trolls guessing.

            1. mealy

              Now they feel the need to impersonate me, “mealy” in addition to BK himself.

              Somewhat obviously the it’s “Gregory” trolling extended from the previous article.
              BK will see the difference on his end, Greg. Just a heads up.

              1. nope

                I read the previous article. And this whole thing started because of your trolling and spreading your opinion as if it were fact. Someone corrected you and started attacking and changing your name on every comment, repeating the same nonsense. It was obvious that the same misinformation was coming from a single person with many aliases.
                You got called out for your trolling and were called a narcissist for your inability to back down and just accept you were wrong. Instead you attacked others who disagreed and projected your own trolling/egotistical behavior onto others, while you were the worst offender
                You shouldn’t have tried to “win” so hard, the internet is full of bigger trolls. Stick with one name so people can see that your opinion is just your opinion, not objective fact.

                1. mealy

                  BK will know who you are if he cares to “Gregory”, and your trolling just concedes that you’re upset beyond argument or reason.

                  You are obviously very angry. If I were actually trolling as an objective here, you would be ceding victory on that. Food for thought, if it appealed.

                  Internet arguments shouldn’t be so directly superimposed on your ego, that’s obviously not good for your long term health or esteem.
                  Have a better day tomorrow or refuse to. Get well soon, or not.

                  1. Readership1 (previously just Reader)

                    I said not to worry about not having the last word, but you couldn’t resist.
                    He baited you to respond. Why’d you take the bait?
                    Don’t feed the trolls.

                    1. The Sunshine State

                      They are all a bunch of idiots.

                    2. Readership1 (previously just Reader)

                      Actually I think it’s just two people. Both idiots.
                      Flame wars that don’t end because both have the same personality disorders. Both think they are above the other. But they both are acting the same way… abusing the username anonymity of this site.

                  2. mealy

                    The ego of a narcissist demands to have the final word. Can’t be helped.
                    Projecting one’s own emotion and psychological tendencies is also irresistible.
                    So when a narcissist accuses someone else of being angry, that is the emotion they are feeling at that moment.
                    The Biggest troll of them all, is obviously going to accuse others of trolling. It’s just projection.

                    1. mealy

                      The “narcissism” of pretending to be someone you aren’t _can_ be helped though, just stop impersonating people. You’re not very good at it. BK sees the difference on his end but even before that, no doubt anyone who can read can tell the difference also. Night and day.

                      “Projecting one’s own emotion and psychological tendencies is also irresistible.” – No doubt you’re right?

                      Ironically if anyone were to follow that troll’s logic, you would be burning YOURSELF by doing that repeatedly over and over again. I was actually being serious in hoping you get whatever help or guidance you seem to need to calm down, not get so angry over simple internet disagreements to the point of trolling and impersonating people and being a pest. It’s not helping your position, it’s not even an effective troll when you’re this entirely obvious.

                      “The Biggest troll of them all, is obviously going to accuse others of trolling. It’s just projection.”

                      Oh, naturally! How about this – use YOUR name, “Gregory.”
                      Don’t pretend to be me, BK or anyone else, it’s not working.
                      Nobody is fooled, time to grow up. I’m not going to insult you, this isn’t a one liner of garbage, I mean it :
                      Get better soon. Rejoin productive humanity. Be yourself.
                      Try to make yourself a better person. You don’t hurt amyone with insults or fake psychology, it does nothing.
                      Have the last word now under your own name, go ahead.
                      (And a great day – if you can.)

            2. YANAL

              Well, exhibit A says mealy is a troll, dude.
              Movin’ on, get well soon.

            3. Craig Lutz, official pedant of MLB

              leave mealy alone, he’s had a rough life

            4. mealy

              Stop using my name! I mean it. I’ll find you and sue!

              1. mealy

                You’re a rather lazy impersonator, “Gregory” – on such a nice day too.

                FYI It’s the use of “dude” and your silly troll one-liners that give away your own (lack of?) style, there isn’t even much obfuscatory substance behind it. Copy and paste from the previous article, tsk. Your demonstrated understanding of civil law related to libel is one-dimensional, I don’t threaten to sue people. Go ahead and waste your day like this if you choose though, I guess if BK wants to do something about you he’ll find a means to that but it really is a shame you can’t just be a productive person in life instead and have to self-immolate like this.

                Get well soon Gregory.

              2. Chip Douglas

                You’re a rather lazy impersonator, “mealy” on such a nice day too.

                FYI It’s the use of “get well soon” and your silly narcissism that give away your own (lack of?) style, there isn’t even much obfuscatory substance behind it. Copy and paste from the previous comment, tsk. Your demonstrated understanding of blogging is one-dimensional, I always troll people by changing the name to someone else. Go ahead and waste your day like this if you choose though, I guess if BK wants to do something about you he’ll find a means to that but it really is a shame you are just a narcissist instead and have to get the last word like this.

                Get well soon.

                1. mealy

                  Don’t you have a life to get back to? Well I guess you don’t. You’re too busy trollingme.
                  Now you are copying me like some sort of child. You sound very immature and you’re wasting your time. I hope BK does ban you from the site but maybe someday you’ll learn how to act maturely.

                  Get well soon “Gregory” of that’s your real name.

                  1. Readership1 (previously just Reader)

                    Maybe you shouldn’t engage at all. Don’t worry about not having the last word.

                    1. mealy

                      I do agree, but that’s not “me.” – Only BK or his admin would know, it’s somewhat opaque from userland here.

                      My last was what “Chip Johnson” subsequently copied verbatim. Meh, now I’m explaining a troll’s “art” for them in their gallery of sorts. You’re no doubt right that it’s best not to engage, so this “is” my “last” word on it. Anything after this will not be mealy, me, and only BK will be in a position to verify that, should he become so bored. I doubt it’s ultimately worth his time either way unless he’s running a project on tracking idiots.

                      A common “fun” on the internet these days, being a pest. Perhaps they’re just being themselves, who really knows.
                      Still a beautiful day on my end, the one true revenge.

            5. mealy

              “Gregory” needs a time out for introspection.

            6. mealy

              Brian can you intervene and moderate? This Gregory guy is annoying.

  10. JohnIL

    Oh well, it’s Windows another month another list of potential disaster in patches. Windows looks worse then a old patch quilt these days. We can only hope that Microsoft has something better planned for the next Windows.

  11. rayan khaled

    J’adore le fait que vous couvriez le blocage et la lutte de base de la sécurité ainsi que les gangs les plus sophistiqués. Merci Brian.

  12. Raptor

    This is why I recommend people not use Windows unless that absolutely have to. If your friends and family still use Windows try and get them to switch to Linux or Mac OS. Windows is a security nightmare and dumpster fire.

    1. SalSte

      And as soon as enough people move over to either MacOS or Linux to make it profitable enough to attack them, they’ll be just as much of a security nightmare and dumpster fire.

  13. Jack

    Brian,

    Thanks for keeping us up to date

    But, Windowz is 35 years old. It’s reasonable to assume that M$FT should have plugged those security holes by now.

  14. Mike

    My May Security Update failed to install and it keeps failing. I’ve consulted with an IT expert and they couldn’t get it to go, and next step is to do something with Media Creation Tool, but first have them do a mirror of my machine. Another option is to try the June update and see if that goes OK, and then see if the May update will install. However, I’m concerned that doing the June update without having first done the May update will somehow “break” my system leading to it failing to reboot etc…. Any insights or suggestions…. i.e., should I just have them do the fix with the Media Creation Tool, or try the June update myself? Thanks!

    1. Harry Johnston

      It is safe to install the June update without having installed the May update. And since the updates are cumulative, if the June update does install, you no longer need to worry about the May update.

      That said, as Brian mentioned in the article, make sure you’ve got any data that matters to you backed up first. Especially so since you already know your system is unstable.

  15. Zianezoz

    Dear you always sharing good content keep it up I suggest your website, my friend

  16. John Tillotson

    We should promulgate the idea that as a basic requirement to be considered “minimally computer literate”, a person should be aware of:

    1. How to use at least one alternate platform such as a Linux or MacOS system to perform the basic functions of browsing, accessing email and using a basic office suite.
    2. How to use both Android and iPhone devices to perform basic mobile tasks like telephone calls, email and messaging.
    3. The existence of multiple alternatives like Linux, UNIX, Mac OS, as workable and competent platforms for doing their jobs.

    If this becomes the “common standard” for individuals to be considered “minimally computer literate”, then there will be much more flexibility for companies to move to different platforms: “Vendor lock in” would be less powerful.

    If we have a widespread corporate culture that is “aware” of alternatives to the current industry “leader”, then businesses would know that their staff have the ability to adapt to different platforms. Then they could have more confidence to put pressure on the industry “leader” to fix their sh*t or be replaced, as businesses are tired of the risk and expense of running the current common industry “leader” OS. Money talks and BS walks.

Comments are closed.