Update Microsoft products for critical vulnerabilities
The information below was sent to U-M IT groups via email July 14, 2021. It is intended for U-M IT staff who are responsible for university computers with Microsoft products installed.
Summary
Multiple vulnerabilities have been discovered in Microsoft products, the most severe of which could allow for arbitrary code execution in the context of the logged on user. At least four of the vulnerabilities are under active attack according to Microsoft. Microsoft has released patches/updates to address the vulnerabilities.
Problem
Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user.
Threats
There are reports that the Windows Print Spooler Remote Code Execution Vulnerability (CVE-2021-34527), Windows Kernel Elevation of Privilege Vulnerabilities (CVE-2021-33771, CVE-2021-31979) and Scripting Engine Memory Corruption Vulnerability (CVE-2021-34448) are being actively exploited in the wild.
Affected Systems
Most Microsoft products are affected, including Windows, Windows Server, Office, SharePoint, Bing, Active Directory, and more. See the full list at Microsoft: July 2021 Security Updates.
Action Items
- Update affected systems immediately after appropriate testing. Prioritize systems that are accessible from the internet and systems that are sensitive or critical.
- The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
- MiWorkspace and MiServer Managed OS machines will be updated for you.
Note that the updates include another fix for the PrintNightmare print spooler vulnerability. The fixes previously released for that vulnerability were reported to be incomplete. This new update should be applied in addition to the previous fixes.
How We Protect U-M
- ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
- ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
- ITS IA provides vulnerability management guidance to the university.
Information for Users
MiWorkspace machines will be updated as soon as possible. If you have Microsoft software on your personal computer, it is best to set them to update automatically when you can.
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.
References
- Microsoft July 2021 Patch Tuesday: 117 vulnerabilities, Pwn2Own Exchange Server bug fixed (ZDNet, 7/13/21)
- Microsoft Patch Tuesday, July 2021 Edition (Krebs on Security, 7/13/21)
- Microsoft July 2021 Patch Tuesday (SANS ISC InfoSec Forums, 7/13/21)
- Windows 10 version 21H1 July Patch Tuesday: Vulnerability fixes galore (Windows Central, 7/13/21)
- July 2021 Security Updates (Microsoft, 7/2021)