Patch Tuesday – February 2021
Microsoft has released a relatively small number of fixes this month, in total just 56. But they include patches for a zero-day flaw in the Win32k component and some serious TCP/IP networking stack vulnerabilities.
Windows and Windows Server
February’s cumulative update (CU) for Windows 10 comes with a patch for a zero-day Elevation of Privilege flaw (CVE-2021-1732) in Win32k. Zero-days are bugs that are exploited in the wild before a patch is made available. Win32k is a core component of Windows and compromise can lead to a hacker gaining SYSTEM access.
According to Chinese security company DBAPPSecurity, the flaw has been leveraged by a group called Bitter, which has a history of attacks against users and organizations in Pakistan and China. DBAPPSecurity describes the attack as high-quality and sophisticated. The zero-day has been exploited for the previous 7 months.
Information about six other bugs were made public before Patch Tuesday: CVE-2021-1721, CVE-2021-1733, CVE-2021-26701, CVE-2021-1727, CVE-2021-24098, and CVE-2021-24106. While they were not being actively exploited, it won’t take long for hackers to weaponize them.
Passwords Haven’t Disappeared Yet
123456. Qwerty. Iloveyou. No, these are not exercises for people who are brand new to typing. Shockingly, they are among the most common passwords that end users choose in 2021. Research has found that the average business user must manually type out, or copy/paste, the credentials to 154 websites per month. We repeatedly got one question that surprised us: “Why would I ever trust a third party with control of my network?
Microsoft published a separate blog post about three TCP/IP exploits: CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086. The first two are critical Remote Code Execution (RCE) flaws. Microsoft says they are complex and that it would be difficult to create working exploits. But while it may mean in the short-term hackers are unable to weaponize the flaws, you should update your systems as soon as possible. The third patch is for a Denial of Service (DoS) vulnerability and it is easier to exploit.
Microsoft recommends deploying February’s CU for Windows 10 and Windows Server this month. For organizations that are unable to apply the patch immediately, each CVE details a workaround that doesn’t require restarting servers.
Exchange, SQL, and SharePoint Server
Exchange Server 2016 and 2019 get two updates, both rated important. CVE-2021-24085 is a spoofing vulnerability that could let authenticated attackers leak a cert file, resulting in the generation of a CSRF token. And CVE-2021-1730 is another spoofing vulnerability but this time in the Exchange Server installer.
SharePoint Server versions through 2010 to 2019 get patches for important RCE bugs, information disclosure flaws, and spoofing vulnerabilities.
The Microsoft 365 Apps for Enterprise (Click-To-Run) get three patches for RCE vulnerabilities in Excel.
Finally, be sure to upgrade Adobe Reader to the latest version. A critical buffer overflow vulnerability (CVE-2021-21017) has already been exploited in the wild, targeting Windows users. Adobe says that attacks have been limited. An update for Windows and macOS patches multiple critical and important vulnerabilities in Adobe Acrobat and Adobe Reader.