The June security updates include 7 zero-day exploits fixed in Microsoft code, 5 high-severity bugs in Intel BIOS firmware and Security Library, and 21 critical vulnerabilities fixed in Adobe products.

Microsoft Updates

The June 2021 security updates from Microsoft resolves 7 zero-day vulnerabilities- six of them known to be exploited in the wild – and 43 more security flaws fixed.

In April 2021, Kaspersky security spotted targeted attacks that chained a Google Chrome vulnerability with two of the zero-day fixed in Windows this month to drop a malware installer in the target system.  This then downloaded more complex code from a remote server controlled by the PuzzleMaker threat actors.

The Windows vulnerabilities used in the PuzzleMaker attack, and patched this month are:

• CVE-2021-31955 – Windows Kernel Information Disclosure Vulnerability
• CVE-2021-31956 – Windows NTFS Elevation of Privilege Vulnerability

Microsoft also fixed four more vulnerabilities that have been seen under attack in the wild:

• CVE-2021-33739 – Microsoft DWM Core Library Elevation of Privilege Vulnerability
• CVE-2021-33742 – Windows MSHTML Platform Remote Code Execution Vulnerability
• CVE-2021-31199 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability
• CVE-2021-31201 – Microsoft Enhanced Cryptographic Provider Elevation of Privilege Vulnerability

The seventh zero-day ‘CVE-2021-31968 – Windows Remote Desktop Services Denial of Service Vulnerability’ was publicly disclosed but has not yet been noticed in attacks.

Intel Updates

Intel has published 29 security advisories covering 73 vulnerabilities patched this month.  These include:

Intel Security Library vulnerabilities that may allow escalation of privilege, denial or service or information disclosure – including CVE-2021-0133 which could ‘allow an authenticated user to enable escalation of privilege via network access.’

Several CPU Firmware patches have been released to resolve escalation of privilege and denial of service vulnerabilities (CVE-2020-8670, CVE-2020-8700, CVE-2020-12359) that affect Xeon, Core-X and Intel Core processors from the 6^th to 11^th Generation.

Adobe Updates

Adobe has patched 41 vulnerabilities this month including 5 Critical vulnerabilities in Adobe Acrobat and Reader and 15 critical vulnerabilities that affect Creative Cloud applications.

The Adobe Acrobat and Reader vulnerabilities affect Windows and MacOS and ‘could lead to arbitrary code execution in the context of the current user’  according to Adobe.

Adobe Acrobat and Reader products should auto-update or users can be prompted to update by navigating to HELP > Check for Updates.

Creative Cloud products can be updated centrally using Adobe’s Admin Console.