Microsoft Patch Tuesday, January 2021 Edition – Krebs on Security

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is being actively exploited and another that was publicly disclosed before today. Ten of the flaws earned Microsoft’s most dire “critical” rating, meaning they can be exploited by malware or criminals to seize remote control of unpatched systems with little or no interaction from Windows users.

The most worrying part of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite – Windows Defender – that is being actively exploited. Microsoft recently stopped providing many details in its vulnerability advisories, so it is not entirely clear how this flaw is being exploited.

But Kevin Breen, director of research at Immersive Labs, says that depending on the vector, the flaw can be trivial to exploit.

“It can be as simple as sending a file,” he said. “The user does not need to interact with anything, as Defender will access it as soon as it is placed on the system.”

Fortunately, this bug has probably already been fixed by Microsoft on end-user systems, as the company continually updates Defender outside the normal monthly patch cycle.
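One concrete way to confirm that an endpoint has actually picked up the out-of-band Defender engine update is to read the engine and signature state directly from Windows. The following is an added PowerShell example, not code from the Krebs on Security post: it uses the built-in `Get-MpComputerStatus` cmdlet, compares the engine version against a minimum you supply (the default here is a placeholder, since the post does not give the fixed engine version number), and flags machines whose engine is old, whose signatures are stale, or whose real-time protection is switched off.

```powershell
# Added example (not from the original post): verify that Microsoft Defender's
# engine and signatures have really been updated outside the monthly patch cycle.
# The default MinimumEngineVersion is a PLACEHOLDER; take the real fixed engine
# version from the vendor advisory for CVE-2021-1647 and pass it in.
param(
    [version]$MinimumEngineVersion = [version]'0.0.0.0',   # placeholder, see above
    [int]$MaxSignatureAgeHours = 48                        # assumed freshness policy
)

# Get-MpComputerStatus exposes engine, platform and signature state of Defender.
$status = Get-MpComputerStatus

$engine = [version]$status.AMEngineVersion
$sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

$result = [pscustomobject]@{
    EngineVersion        = $engine
    EngineMeetsMinimum   = ($engine -ge $MinimumEngineVersion)
    PlatformVersion      = $status.AMProductVersion
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureAgeHours    = [math]::Round($sigAge.TotalHours, 1)
    SignaturesFresh      = ($sigAge.TotalHours -le $MaxSignatureAgeHours)
    RealTimeProtectionOn = $status.RealTimeProtectionEnabled
}

# Print the summary so it can be collected from many hosts.
$result | Format-List

# Non-zero exit code lets a scheduled job or RMM tool treat this host as non-compliant.
if (-not ($result.EngineMeetsMinimum -and $result.SignaturesFresh -and $result.RealTimeProtectionOn)) {
    Write-Warning "Defender on $env:COMPUTERNAME does not meet the update policy."
    exit 1
}
exit 0
```

Run it as `.\Check-DefenderUpdate.ps1 -MinimumEngineVersion <fixed-version-from-advisory>` on each host; if a machine comes back stale, `Update-MpSignature` forces Defender to fetch the current engine and definitions immediately rather than waiting for its next scheduled check-in.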

Breen called attention to another critical vulnerability this month – CVE-2020-1660 – a remote code execution flaw in nearly all versions of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, which means that an attack can be easy to reproduce,” said Breen. “However, they also note that it is ‘less likely’ to be exploited, which seems counterintuitive. Without the full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the most memorable computer worms of the past decade spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said that while it is worrying that so many vulnerabilities in the same component have been released simultaneously, two previous RPC vulnerabilities – CVE-2019-1409 and CVE-2018-8514 – were not widely exploited.

The roughly 70 remaining flaws fixed this month earned Microsoft’s less dire “important” rating, which is not to say they are less of a security concern. Case in point: CVE-2021-1709, an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019.

“Unfortunately, this type of vulnerability is often exploited quickly by attackers,” said Liska. “For example, CVE-2019-1458 was announced on December 10, 2019, and on December 19, an attacker was seen selling an exploit for the vulnerability in clandestine markets. Therefore, while CVE-2021-1709 is classified only as [an information exposure flaw] by Microsoft, it should be prioritized for correction.”

Trend Micro’s Zero Day Initiative (ZDI) pointed out another flaw marked as “important” – CVE-2021-1648, an elevation of privilege bug in Windows 8, Windows 10 and some Windows Server 2012 and 2019 releases that was publicly disclosed by ZDI before today.

“It was also discovered by Google, probably because this patch fixes a bug introduced by a previous patch,” said ZDI’s Dustin Childs. “The previous CVE was being exploited in the wild, so it is reasonable to think that this CVE will also be actively exploited.”

Separately, Adobe released security updates to address at least eight vulnerabilities in a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates, because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle last month removed the program from Microsoft browsers.

Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing active programs and restarting the system. If you want to make sure Windows has been configured so that updates are paused and you have ample opportunity to back up your files and/or system first, see this guide.

Back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete, bootable copy of your hard drive at once. You never know when a roll-up patch will break your system or possibly damage important files. For those looking for more flexible and complete backup options (including incremental backups), Acronis and Macrium are two that I have used before and that are worth a look.

That said, there don’t seem to be any major problems yet with this month’s update batch. But before applying the updates, consider visiting AskWoody.com, which usually has information about any reports of problematic patches.

As always, if you experience glitches or problems installing any of this month’s patches, please leave a comment below; there is a better-than-even chance that other readers have experienced the same and may show up here with some useful tips.

Tags: Allan Liska, AskWoody.com, CVE-2018-8514, CVE-2019-1409, CVE-2019-1458, CVE-2020-1660, CVE-2021-1647, CVE-2021-1648, CVE-2021-1709, Dustin Childs, Immersive Labs, Kevin Breen, Recorded Future, Trend Micro’s Zero Day Initiative, Windows Defender

This entry was posted on Tuesday, January 12th, 2021 at 8:32 pm and is filed under Time to Patch.
