Critical zero-day features in first Patch Tuesday of 2021

Microsoft has released fixes for 84 vulnerabilities, 10 of them critical, one publicly disclosed, and one zero-day that is already being exploited in the wild, in its first monthly security drop of 2021, with patches incoming for Windows OS, Edge (HTML-based), Office, Visual Studio, .Net Core, .Net Repository, ASP .Net, Azure, Malware Protection Engine, and SQL Server. 

Although lighter than many of Microsoft’s 2020 releases, January’s Patch Tuesday update is still substantial in historical terms, and given the volume of ongoing cyber security incidents, there is every reason to expect that 2021 will bring similarly high volumes of fixes.

Automox senior product marketing manager Justin Knapp said: “January’s patch release represents an increase over last month’s batch and features this year’s first zero-day exploit for operations teams to tackle – a critical remote code execution [RCE] vulnerability within Microsoft Defender.

“With the SolarWinds breach still fresh from December and the scope of impact growing by the day, there is a reaffirmed urgency for organisations to implement best practices for even the most basic security habits.

“Whether it’s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.”

The critical Windows Defender RCE, assigned CVE-2021-1647, exists in Windows 7 through 10, and Server 2008 through 2019, but as Recorded Future’s Allan Liska explained, should not be problematic to overcome.

“The Microsoft Malware Protection Engine automatically updates itself, so there should be no action required to update,” he said. “While this is a serious vulnerability, previous RCE vulnerabilities in Windows Defender, CVE-2017-8558 and CVE-2018-0986, did not see widespread adoption by threat actors, presumably because Windows Defender systems are automatically updated.”

Other vulnerabilities of note this month include CVE-2021-1648 (previously disclosed by Google Project Zero), an elevation of privilege vulnerability in the splwow64 process in Windows 8 and 10, and Windows Server 2012 through 2019; and CVE-2021-1665, an RCE vulnerability in Microsoft’s GDI+ component affecting Windows 7 through 10 and Server 2008 through 2019, noteworthy because it impacts the out-of-support Windows 7.

Liska also noted CVE-2021-1709, an elevation of privilege vulnerability in the Win32 kernel in Windows 8 through 10, and Server 2008 through 2019, which is likely to be swiftly exploited and should be prioritised for patching.

“Finally, there are five newly released critical vulnerabilities in Microsoft’s Remote Procedure Call [RPC] Runtime,” said Liska. “CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673 vulnerabilities exist in Windows 8 through 10 and Windows Server 2008 through 2019. While these vulnerabilities are considered critical, and it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC Runtime, CVE-2019-1409 and CVE-2018-8514, were not widely exploited.”

He added: “As a fun fact, RPC vulnerabilities like these played a role in many early worms, including Blaster, Sasser and Welchia.”

Ivanti’s Chris Goettl said: “The critical vulnerabilities this month all seem to be residing in the OS, browser and malware protection engine, but don’t let that distract you from the other updates. While the SQL, .Net Core, ASP .Net and other dev tools updates this month are only resolving important severity vulnerabilities, the DevOps toolchain is an area of concern. Your development teams need to be aware of what tools they are using and what vulnerabilities may be exposed.”