Microsoft Patch Tuesday, February 2021 Edition – Krebs on Security

Microsoft today released updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were disclosed before today, potentially giving attackers a head start in figuring out how to exploit the flaws.

Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, meaning that malware or miscreants could use them to gain remote control of unpatched systems with little or no help from users.

The flaw that is already being exploited in the wild – CVE-2021-1732 – affects Windows 10, Server 2016 and later editions. It received a slightly less dire “important” rating, mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker already needs to have access to the target system.

Two of the other bugs that were disclosed before this week are critical and reside in Microsoft’s .NET Framework, a component required by many third-party applications (most Windows users will have some version of .NET installed).

Windows 10 users should note that while the operating system installs all monthly patch rollups at once, this package generally does not include .NET updates, which are installed on their own. Therefore, after backing up your system and installing this month’s patches, you can check Windows Update again to see if there are any pending .NET updates.

A key concern for businesses is another critical bug in the DNS server in Windows Server versions 2008 through 2019 that can be used to remotely install software of the attacker’s choice. CVE-2021-24078 earned a CVSS score of 9.8, which is about as dangerous as they come.

Recorded Future says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query a domain it has not seen before (for example, by sending a phishing email with a link to a new domain, or even with embedded images that call out to a new domain). Kevin Breen of Immersive Labs notes that CVE-2021-24078 could let an attacker steal a lot of data by altering the destination of an organization’s web traffic – such as pointing internal devices or Outlook email access at a malicious server.

Windows Server users should also be aware that this month Microsoft is enforcing the second round of security improvements as part of a two-phase update to address CVE-2020-1472, a serious vulnerability that first saw active exploitation in September 2020.

The vulnerability, dubbed “Zerologon,” is a bug in the core “Netlogon” component of Windows Server devices. The flaw allows an unauthenticated attacker to gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom within a corporate network.

Microsoft’s initial patch for CVE-2020-1472 fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. Microsoft said it chose this two-step approach “to ensure that vendors of non-compliant implementations can provide updates to customers.” With this month’s patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.
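
For administrators who want to see which devices the enforcement phase affects, here is an added example (not part of the original article) that summarizes Netlogon secure-channel events on a domain controller. The event IDs 5827 through 5831 and the `NETLOGON` provider name come from Microsoft's CVE-2020-1472 guidance, not from the article, and the assumed message layout used to extract the account name is marked in the code.

```powershell
# Added example: run on a domain controller in an elevated PowerShell session.
# Event IDs are from Microsoft's CVE-2020-1472 guidance, not from the article.
$meaning = @{
    5827 = 'DENIED  - vulnerable connection from a machine account'
    5828 = 'DENIED  - vulnerable connection from a trust account'
    5829 = 'ALLOWED - vulnerable connection (pre-enforcement warning)'
    5830 = 'ALLOWED - machine account exempted by Group Policy'
    5831 = 'ALLOWED - trust account exempted by Group Policy'
}

# Look back 30 days; Get-WinEvent raises an error when nothing matches,
# so suppress it and treat "no events" as an empty result.
$since  = (Get-Date).AddDays(-30)
$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'NETLOGON'
    Id           = 5827..5831
    StartTime    = $since
} -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    # Assumption: the message text carries a "SamAccountName: <name>" line.
    # If it does not, the row is still reported with a placeholder.
    $account = if ($e.Message -match 'SamAccountName:\s*(\S+)') { $Matches[1] }
               else { '(not parsed)' }
    [pscustomobject]@{
        EventId = $e.Id
        Outcome = $meaning[$e.Id]
        Account = $account
        Time    = $e.TimeCreated
    }
}

if (-not $report) {
    Write-Output "No Netlogon secure-channel events (5827-5831) since $since."
} else {
    # One row per (event, account): how often it happened and when it last did.
    $report | Group-Object EventId, Account |
        Select-Object Count,
            @{ n = 'EventId';  e = { $_.Group[0].EventId } },
            @{ n = 'Outcome';  e = { $_.Group[0].Outcome } },
            @{ n = 'Account';  e = { $_.Group[0].Account } },
            @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object -Property Time -Maximum).Maximum } } |
        Sort-Object EventId, Account |
        Format-Table -AutoSize
}
```

Rows marked DENIED identify devices that can no longer authenticate and need a vendor update; rows for 5830 and 5831 identify accounts that are still exempted by policy and remain exposed.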

It is worth mentioning some other security updates not related to Windows. Adobe today released updates to fix at least 50 security holes in a variety of products, including Photoshop and Reader. The Acrobat / Reader update addresses a critical zero-day flaw that Adobe says is being actively exploited against Windows users, so if you have Adobe Acrobat or Reader installed, make sure these programs are kept up to date.

There is also a zero-day flaw in Google’s Chrome web browser (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart their browser for the updates to take full effect. If you’re a Chrome user and you see a red “update” prompt to the right of the address bar, it’s time to save your work and restart your browser.

Standard reminder: While it is necessary to keep up to date with Windows patches, it is important to make sure that you are updating only after backing up your important data and files. A reliable backup means you are less likely to tear your hair out when the odd buggy patch causes problems booting the system.

So, do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either by file / folder or by making a complete, bootable copy of your hard drive at once.

Remember that Windows 10, by default, will automatically download and install updates on its own schedule. If you want to ensure that Windows has been configured to pause updating so that you can back up your files and/or system before the operating system decides to restart and install patches, see this guide.

And as always, if you experience glitches or problems installing any of these patches this month, leave a comment about it below; there is a better-than-even chance that other readers have experienced the same thing and may chime in here with some useful tips.

Tags: CVE-2020-1472, CVE-2021-1732, CVE-2021-21148, CVE-2021-24078, Immersive Labs, Kevin Breen, Microsoft Patch Tuesday February 2021, Netlogon, Recorded Future, ZeroLogon

This entry was posted on Tuesday, February 9th, 2021 at 17:37 and is filed under Security Tools, Time to apply the patch.