Microsoft Delivers Fixes for 83 Vulnerabilities in January Security Patch Bundle
Microsoft released its January security patch bundle on Tuesday, delivering fixes for 83 common vulnerabilities and exposures (CVEs).
Of that number, 10 CVEs were described as "Critical" by security researchers, while 73 are deemed "Important." One vulnerability (CVE-2021-1647) is known to have been exploited (Microsoft's first "zero day" of the new year), while another (CVE-2021-1648) was described as being publicly known before Tuesday's patch release. A list describing all of the January patches can be found in this Trend Micro Zero Day Initiative post by Justin Childs.
In addition, Automox offers its patch list here, and the Cisco Talos team points to January patch highlights at this page.
Microsoft provides its documentation of the January patches in its Security Update Guide. However, in most cases, readers are just given a Common Vulnerability Scoring System (CVSS) score and a generic boilerplate description, although more gets said when bulletins contain FAQ content. Microsoft switched to this approach back in November, claiming it was more concise and avoids disclosing details to adversaries. Consequently, IT pros wanting more detail about the patches likely will need to rely on outside security researcher descriptions.
Update 1/15: Microsoft's Japan security team posted a description of the January security updates that perhaps offers a useful summary for IT pros. It's written in Japanese but the English translation (Google Translate) seemed to work well. The team pointed out that Microsoft's "Security Update Guide" has filters that can be applied to make it more useful. The perhaps obscure post was noted in the Patchmangement.org Google Group forum (sign-up required), which is also a useful source.
Microsoft characterized this month's bundle of patches as affecting Visual Studio, SQL Server, .NET and Azure, in addition to the usual Windows, browser and Office targets, according to its "Release Notes" document. These "Release Notes" include a list of the security bulletins that contain the more verbose FAQs, as well as those bulletins describing "known issues" associated with the patches. Known issues also can be found in table format in this Microsoft "Deployment Information" document.
End of Flash
Adobe also released patches on Tuesday (six security updates and one hotfix), but the tie with Microsoft patches has weakened since the Adobe Flash Player supported in Windows has hit its end-of-support phase.
"Adobe Flash Player is officially end of life, seemingly closing the book on a major source of security concern for years in review," explained Nicholas Colyer, a senior product marketing manager at Automox, in an Automox post. "As of writing, Adobe has officially recommended the removal of Adobe Flash on all endpoints."
Likely, Flash has already been removed from browsers by Windows Update, Microsoft's updating service, noted Richard Tsang, Rapid7's senior software engineer, in an e-mailed comment.
The vulnerability known to be exploited this month (CVE-2021-1647) is a Critical remote code execution flaw in Microsoft Defender, Microsoft's anti-malware solution. However, if systems get updated via Microsoft's services, then this problem likely has already been fixed through Microsoft's ongoing distribution of malware definitions for Microsoft Defender, a point explained in the bulletin's FAQ.
Microsoft Defender has had this CVE-2021-1647 flaw since late October, but local access would have been needed to carry out an exploit, according to Chris Hass, director of information security and research at Automox.
"An attacker would need to have access to the local machine already or trick the user into triggering the execution of the exploit, likely in the form of a malicious document delivered via a phishing campaign," Hass said regarding CVE-2021-1647. "Affected versions of Defender date back to late October 2020," he added.
The vulnerability that was publicly known (CVE-2021-1648) is an Important elevation-of-privilege flaw in splwow64.exe, which is a Windows process that lets 32-bit applications print on 64-bit printers. Childs of the Zero Day Initiative indicated that Microsoft essentially is fixing a bug caused by an earlier bug fix with this particular patch.
"The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well," Childs explained regarding CVE-2021-1648.
Security researchers appear to be in the dark about an Important Windows Remote Desktop Protocol vulnerability (CVE-2021-1674) in this month's bundle. It got a high CVSS score of 8.8, but the security issue wasn't described by Microsoft.
An Important elevation-of-privilege vulnerability in the Windows Win32k process (CVE-2021-1709) is notable for not requiring user interaction. "An attacker could exploit a local machine to elevate their privileges and potentially use these privileges to carry out additional attacks," Cisco Talos observed.
Another notable Important vulnerability is CVE-2021-1707, affecting SharePoint users. It permits an attacker to "create a SharePoint site and then execute code remotely within the kernel if the logged-in user has the appropriate privileges," Cisco Talos explained.
In general, the Windows operating system patches should be prioritized this month since they account for "11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities," Tsang noted.
He also described the Windows Remote Procedure Call Runtime component getting patched this month as a noteworthy Critical issue.
"This RPC Runtime component accounts for the 9 of the 13 top CVSS scoring vulnerabilities along with half of all the 10 Critical Remote Code Execution vulnerabilities being addressed," Tsang explained.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.