Patch Tuesday – February 2021

Microsoft has released a relatively small number of fixes this month, in total just 56. But they include patches for a zero-day flaw in the Win32k component and some serious TCP/IP networking stack vulnerabilities.

Windows and Windows Server

February’s cumulative update (CU) for Windows 10 comes with a patch for a zero-day Elevation of Privilege flaw (CVE-2021-1732) in Win32k. Zero-days are bugs that are exploited in the wild before a patch is made available. Win32k is a core component of Windows and compromise can lead to a hacker gaining SYSTEM access.

According to Chinese security company DBAPPSecurity, the flaw has been leveraged by a group called Bitter, which has a history of attacks against users and organizations in Pakistan and China. DBAPPSecurity describes the attack as high-quality and sophisticated. The zero-day has been exploited for the previous 7 months.

Information about six other bugs was made public before Patch Tuesday: CVE-2021-1721, CVE-2021-1733, CVE-2021-26701, CVE-2021-1727, CVE-2021-24098, and CVE-2021-24106. While they were not being actively exploited, it won’t take long for hackers to weaponize them.


TCP/IP exploits

Microsoft published a separate blog post about three TCP/IP vulnerabilities: CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086. The first two are critical Remote Code Execution (RCE) flaws. Microsoft says they are complex and that it would be difficult to create working exploits. While that may mean hackers are unable to weaponize the flaws in the short term, you should still update your systems as soon as possible. The third patch is for a Denial of Service (DoS) vulnerability that is easier to exploit.

Microsoft recommends deploying February’s CU for Windows 10 and Windows Server this month. For organizations that are unable to apply the patch immediately, each CVE details a workaround that doesn’t require restarting servers.

Exchange, SQL, and SharePoint Server

Exchange Server 2016 and 2019 get two updates, both rated important. CVE-2021-24085 is a spoofing vulnerability that could let authenticated attackers leak a cert file, resulting in the generation of a CSRF token. And CVE-2021-1730 is another spoofing vulnerability but this time in the Exchange Server installer.

SharePoint Server versions 2010 through 2019 get patches for important RCE bugs, information disclosure flaws, and spoofing vulnerabilities.

Microsoft Office

The Microsoft 365 Apps for Enterprise (Click-To-Run) get three patches for RCE vulnerabilities in Excel.

Adobe Software

Finally, be sure to upgrade Adobe Reader to the latest version. A critical buffer overflow vulnerability (CVE-2021-21017) has already been exploited in the wild, targeting Windows users. Adobe says that attacks have been limited. An update for Windows and macOS patches multiple critical and important vulnerabilities in Adobe Acrobat and Adobe Reader.


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.