Attacker Value
High
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
Required
Privileges Required
None
Attack Vector
Network
1

CVE-2021-34448

Disclosure Date: July 16, 2021
Exploited in the Wild
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Add Assessment

2
Ratings
Technical Analysis

Looking at Microsoft’s advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 shows very little information other than that this is a scripting engine vulnerability which is exploitable across a wide range of Windows OS versions and is exploitable remotely. Further investigation though shows that Cisco Talos at https://blog.talosintelligence.com/2021/07/microsoft-patch-tuesday-for-july-2021.html mentions that this vulnerability is a memory corruption vulnerability triggered when opening a maliciously crafted email or visiting a malicious website.

Further examination of https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-34448 using the Download column (which is not enabled by default but can be added) shows several references to IE Cumulative Update which suggests this is potentially an IE related vulnerability. Further examination of past advisories named in the same way like https://msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2017-0224 shows that IE scripting engine vulnerabilities are also referenced using the same style of language, so it would seem this is a memory corruption vulnerability within IE’s scripting engine.

Users should ideally apply patches to fix this issue given it has been exploited in the wild already, however if this is not possible then users should disable JavaScript in their browsers as most scripting engine vulnerabilities rely on taking advantage of flaws in the JavaScript engine of a given browser, which requires the browser to have JavaScript enabled in the first place. Note that this will break the operation of most sites so patching is preferred where possible.

CVSS V3 Severity and Metrics
Base Score:
8.8 High
Impact Score:
5.9
Exploitability Score:
2.8
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
Required
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • Microsoft

Products

  • Windows,
  • Windows Server,
  • Windows 10 Version 1909 for 32-bit Systems,
  • Windows 10 Version 1909 for x64-based Systems,
  • Windows 10 Version 1909 for ARM64-based Systems,
  • Windows 10 Version 21H1 for x64-based Systems,
  • Windows 10 Version 21H1 for ARM64-based Systems,
  • Windows 10 Version 21H1 for 32-bit Systems,
  • Windows 10 Version 2004 for 32-bit Systems,
  • Windows 10 Version 2004 for ARM64-based Systems,
  • Windows 10 Version 2004 for x64-based Systems,
  • Windows 10 Version 20H2 for x64-based Systems,
  • Windows 10 Version 20H2 for 32-bit Systems,
  • Windows 10 Version 20H2 for ARM64-based Systems

Exploited in the Wild

Reported by:

Additional Info

Technical Analysis