Executive Summary

For the month of August 2021, Microsoft has today released patches for 44 CVEs in Microsoft Windows and Windows components, Office, .NET Core and Visual Studio, Windows Defender, Windows Update and Update Assistant, Azure, and Microsoft Dynamics.

This is in addition to seven CVEs patched in Microsoft Edge (Chromium-based) earlier this month. Of the 44 CVEs patched today, seven are rated Critical and 37 are rated Important in severity.
This is the smallest release for Microsoft in 2021 (in fact since December 2019) and could be due to resource constraints since Microsoft spent so much time in July responding to events like PrintNightmare and PetitPotam.

Windows Clients

Windows 7 (extended support only): 12 vulnerabilities: 4 critical and 8 important

Windows Print Spooler Remote Code Execution Vulnerability — CVE-2021-36936

Windows TCP/IP Remote Code Execution Vulnerability — CVE-2021-26424

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2021-34535

Scripting Engine Memory Corruption Vulnerability — CVE-2021-34480

Windows 8.1: 18 vulnerabilities: 5 critical and 13 important

Windows Print Spooler Remote Code Execution Vulnerability — CVE-2021-36936

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability — CVE-2021-26432

Windows TCP/IP Remote Code Execution Vulnerability — CVE-2021-26424

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2021-34535

Scripting Engine Memory Corruption Vulnerability — CVE-2021-34480

Windows 10 version 1903 and 1909: 23 vulnerabilities: 7 critical and 16 important

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2021-34535

Windows MSHTML Platform Remote Code Execution Vulnerability — CVE-2021-34534

Scripting Engine Memory Corruption Vulnerability — CVE-2021-34480

Windows Graphics Component Remote Code Execution Vulnerability — CVE-2021-34530

Windows Print Spooler Remote Code Execution Vulnerability — CVE-2021-36936

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability — CVE-2021-26432

Windows TCP/IP Remote Code Execution Vulnerability — CVE-2021-26424

Windows 10 version 2004, 20H2 and 21H1 : 24 vulnerabilities, 7 critical and 17 important

same as Windows 10 version 1909.

Windows Servers

Windows Server 2008 R2 (extended support only): 13 vulnerabilities: 4 critical and 9 important

Windows Print Spooler Remote Code Execution Vulnerability — CVE-2021-36936

Windows TCP/IP Remote Code Execution Vulnerability — CVE-2021-26424

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2021-34535

Scripting Engine Memory Corruption Vulnerability — CVE-2021-34480

Windows Server 2012 R2: 19 vulnerabilities: 5 critical and 14 important

Windows Print Spooler Remote Code Execution Vulnerability — CVE-2021-36936

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability — CVE-2021-26432

Windows TCP/IP Remote Code Execution Vulnerability — CVE-2021-26424

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2021-34535

Scripting Engine Memory Corruption Vulnerability — CVE-2021-34480

Windows Server 2016: 23 vulnerabilities: 7 critical and 16 important

Windows Graphics Component Remote Code Execution Vulnerability — CVE-2021-34530

Scripting Engine Memory Corruption Vulnerability — CVE-2021-34480

Windows MSHTML Platform Remote Code Execution Vulnerability — CVE-2021-34534

Remote Desktop Client Remote Code Execution Vulnerability — CVE-2021-34535

Windows TCP/IP Remote Code Execution Vulnerability — CVE-2021-26424

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability — CVE-2021-26432

Windows Print Spooler Remote Code Execution Vulnerability — CVE-2021-36936

Windows Server 2019: 25 vulnerabilities: 7 critical and 18 important

same as Windows Server 2016

Windows Security Updates

Windows 7 SP1 and Windows Server 2008 R2 (ESU Only)

Monthly Rollup: KB5005088

Security-Only: KB5005089

Updates and improvements:

Administrative privileges are required to install printer drivers using Point and Print. More information is available here and here.

Fixed an issue with Smart Card Authentication failures on non-RFC compliant printers and scanners. See here for more information.

Security updates

Windows 8.1 and Windows Server 2012 R2

Monthly Rollup: KB5005076 

Security-only: KB5005106 

Updates and improvements:

Administrative privileges are required to install printer drivers using Point and Print. More information is available here and here.

Fixed an issue with Smart Card Authentication failures on non-RFC compliant printers and scanners. See here for more information.

Security updates

Windows 10 version 1909

Support Page: KB5005031

Updates and improvements:

Administrative privileges are required to install printer drivers using Point and Print. More information is available here and here.

Windows 10 version 2004, 20H2 and 21H1

Support Page: KB5005033

Updates and improvements:

Administrative privileges are required to install printer drivers using Point and Print. More information is available here and here.

Known Issues

Windows 7 SP1 and Windows Server 2008 R2

After installing this update, the Elastic File System (EFS) API OpenEncryptedFileRaw(A/W), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device.

Expected behaviour according to Microsoft. See CVE-2021-36942.

Certain operations will fail on Cluster Shared Volumes.

Perform the task from a process with elevated rights.

Perform the task from a node that does not have CSV ownership.

Updates will be uninstalled if the device does not support ESU.

Expected behaviour.

Windows 8.1 and Server 2012 R2

After installing this update, the Elastic File System (EFS) API OpenEncryptedFileRaw(A/W), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device.

Expected behaviour according to Microsoft. See CVE-2021-36942.

Certain operations will fail on Cluster Shared Volumes.

Perform the task from a process with elevated rights.

Perform the task from a node that does not have CSV ownership.

Windows 10 version 1909

After installing this update, the Elastic File System (EFS) API OpenEncryptedFileRaw(A/W), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device.

Expected behaviour according to Microsoft. See CVE-2021-36942.

Windows 10 versions 2004, 20H2 and 21H1

After installing this update, the Elastic File System (EFS) API OpenEncryptedFileRaw(A/W), often used in backup software, will not work when you back up to or from a Windows Server 2008 SP2 device.

Expected behaviour according to Microsoft. See CVE-2021-36942.

Some devices will receive the error “PSFX_E_MATCHING_BINARY_MISSING” when trying to install updates after the KB5003690 update released in June.

See here for a workaround.

If Windows was installed from custom ISO images or custom offline media, the new Microsoft Edge may not be installed.

See the support article for a workaround.

Character input issues with the Japanese Input Method Editor.

No workaround or solution yet.

CVE

Title

Severity

CVSS

Public

Exploited

Type

CVE-2021-36948

Windows Update Medic Service Elevation of Privilege Vulnerability

Important

7.8

No

Yes

EoP

CVE-2021-36936

Windows Print Spooler Remote Code Execution Vulnerability

Critical

8.8

Yes

No

RCE

CVE-2021-36942

Windows LSA Spoofing Vulnerability

Important

9.8

Yes

No

Spoofing

CVE-2021-34535

Remote Desktop Client Remote Code Execution Vulnerability

Critical

9.9

No

No

RCE

CVE-2021-34480

Scripting Engine Memory Corruption Vulnerability

Critical

6.8

No

No

RCE

CVE-2021-34530

Windows Graphics Component Remote Code Execution Vulnerability

Critical

7.8

No

No

RCE

CVE-2021-34534

Windows MSHTML Platform Remote Code Execution Vulnerability

Critical

6.8

No

No

RCE

CVE-2021-26432

Windows Services for NFS ONCRPC XDR Driver Remote Code Execution Vulnerability

Critical

9.8

No

No

RCE

CVE-2021-26424

Windows TCP/IP Remote Code Execution Vulnerability

Critical

9.9

No

No

RCE

CVE-2021-26423

.NET Core and Visual Studio Denial of Service Vulnerability

Important

7.5

No

No

DoS

CVE-2021-34485

.NET Core and Visual Studio Information Disclosure Vulnerability

Important

5

No

No

Info

CVE-2021-34532

ASP.NET Core and Visual Studio Information Disclosure Vulnerability

Important

5.5

No

No

Info

CVE-2021-33762

Azure CycleCloud Elevation of Privilege Vulnerability

Important

7

No

No

EoP

CVE-2021-36943

Azure CycleCloud Elevation of Privilege Vulnerability

Important

4

No

No

EoP

CVE-2021-26430

Azure Sphere Denial of Service Vulnerability

Important

6

No

No

DoS

CVE-2021-26429

Azure Sphere Elevation of Privilege Vulnerability

Important

7.7

No

No

EoP

CVE-2021-26428

Azure Sphere Information Disclosure Vulnerability

Important

4.4

No

No

Info

CVE-2021-36949

Microsoft Azure Active Directory Connect Authentication Bypass Vulnerability

Important

7.1

No

No

SFB

CVE-2021-36950

Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability

Important

5.4

No

No

XSS

CVE-2021-34524

Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

Important

8.1

No

No

RCE

CVE-2021-36946

Microsoft Dynamics Business Central Cross-site Scripting Vulnerability

Important

5.4

No

No

XSS

CVE-2021-34478

Microsoft Office Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2021-36940

Microsoft SharePoint Server Spoofing Vulnerability

Important

7.6

No

No

Spoofing

CVE-2021-34471

Microsoft Windows Defender Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-36941

Microsoft Word Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2021-34536

Storage Spaces Controller Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-36945

Windows 10 Update Assistant Elevation of Privilege Vulnerability

Important

7.3

No

No

EoP

CVE-2021-34537

Windows Bluetooth Service Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-36938

Windows Cryptographic Primitives Library Information Disclosure Vulnerability

Important

5.5

No

No

Info

CVE-2021-36927

Windows Digital TV Tuner device registration application Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-26425

Windows Event Tracing Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-34486

Windows Event Tracing Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-34487

Windows Event Tracing Elevation of Privilege Vulnerability

Important

7

No

No

EoP

CVE-2021-34533

Windows Graphics Component Font Parsing Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2021-36937

Windows Media MPEG-4 Video Decoder Remote Code Execution Vulnerability

Important

7.8

No

No

RCE

CVE-2021-34483

Windows Print Spooler Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-36947

Windows Print Spooler Remote Code Execution Vulnerability

Important

8.8

No

No

RCE

CVE-2021-26431

Windows Recovery Environment Agent Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-26433

Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability

Important

7.5

No

No

Info

CVE-2021-36926

Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability

Important

7.5

No

No

Info

CVE-2021-36932

Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability

Important

7.5

No

No

Info

CVE-2021-36933

Windows Services for NFS ONCRPC XDR Driver Information Disclosure Vulnerability

Important

7.5

No

No

Info

CVE-2021-26426

Windows User Account Profile Picture Elevation of Privilege Vulnerability

Important

7

No

No

EoP

CVE-2021-34484

Windows User Profile Service Elevation of Privilege Vulnerability

Important

7.8

No

No

EoP

CVE-2021-30590

Chromium: CVE-2021-30590 Heap buffer overflow in Bookmarks

High

N/A

No

No

RCE

CVE-2021-30591

Chromium: CVE-2021-30591 Use after free in File System API

High

N/A

No

No

RCE

CVE-2021-30592

Chromium: CVE-2021-30592 Out of Bounds write in Tab Groups

High

N/A

No

No

RCE

CVE-2021-30593

Chromium: CVE-2021-30593 Out of Bounds read in Tab Strip

High

N/A

No

No

Info

CVE-2021-30594

Chromium: CVE-2021-30594 Use after free in Page Info UI

High

N/A

No

No

RCE

CVE-2021-30596

Chromium: CVE-2021-30596 Incorrect security UI in Navigation

Medium

N/A

No

No

SFB

CVE-2021-30597

Chromium: CVE-2021-30597 Use after free in Browser UI

Medium

N/A

No

No

RCE

With thanks to the Patchmanagement.org team!

WordPress Appliance - Powered by TurnKey Linux