Patch Tuesday – January 2021
It’s a quiet start for Microsoft in 2021 as it issues patches for only 80 vulnerabilities, which is considerably lower than most months. Among them are a fix for a zero-day bug in Microsoft’s Defender software and a fix for a flaw publicly disclosed at the tail end of last year by Trend Micro ZDI.
Windows and Windows Server
This month Microsoft fixed a critical zero-day flaw (CVE-2021-1647) in its Defender product, the built-in malware protection software in Windows. The vulnerability is being actively exploited and while Microsoft hasn’t published details, it’s believed that the flaw can be easily exploited by hackers.
KrebsOnSecurity quotes Kevin Breen, director of research at Immersive Labs, as saying “It could be as simple as sending a file. The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.” The patches for Microsoft Defender are automatically installed by Windows Update unless explicitly blocked by system administrators.
A critical remote code execution (RCE) bug (CVE-2020-1660) in the Remote Procedure Call (RPC) runtime gets patched. RPC is widely used to manage communications between Windows devices, and in the past it has been a popular propagation vector for self-replicating malware known as worms. Worms can spread between computers without any user interaction, which is what makes an RPC runtime bug of this kind so serious. CVE-2020-1660 is one of 5 RPC bugs patched this month.
An elevation of privilege (EoP) bug in the splwow64 service, made public last month by Trend Micro’s Zero-Day Initiative (ZDI) project, has also been patched. Microsoft says that while details about CVE-2021-1648 were publicly available, it wasn’t exploited in the wild.
Exchange, SQL, and SharePoint Server
Microsoft released a patch for an EoP bug in Microsoft SQL Server 2012, 2014, 2016, 2017, and 2019. It is rated important and Microsoft says that an authenticated attacker could send data over a network to an affected SQL Server when configured to run an Extended Event session.
There are 9 patches for SharePoint Server. All are rated important and include EoP, spoofing, and RCE flaws. There are no patches for Exchange Server this month.
Microsoft 365 Apps for Enterprise (Click-to-Run) get patches for five important RCE vulnerabilities. Microsoft Office 2010 through 2019 also gets a series of patches for RCE bugs, all rated important.
Flash Player is now officially dead, but that doesn’t mean there won’t be important patches from Adobe. This month sees Adobe patch flaws in Photoshop, Illustrator, Animate, Campaign Classic, InCopy, Captivate, and Bridge. You can find more information about the patches on Adobe’s website.
And that’s it for another month. Happy patching!