Zero days under active exploitation are keeping Windows users busy


It is the second Tuesday in February, and that means Microsoft and other software makers are releasing dozens of updates to address security vulnerabilities. Topping this month's list are two zero-days under active exploitation and critical flaws in Windows' networking stack that allow attackers to remotely execute malicious code or crash machines.

The most important patch fixes a code-execution flaw in Adobe Reader, which, despite its long record of security problems, remains widely used for viewing and working with PDF documents. The critical vulnerability, tracked as CVE-2021-21017, results from a heap-based buffer overflow. Adobe, which credited the report to an anonymous source, warned that the flaw has been actively exploited in limited attacks targeting Reader users running Windows.

Adobe did not provide additional details about the vulnerability or the in-the-wild attacks that exploit it. Typically, hackers use specially crafted documents, sent via email or published online, to trigger such a vulnerability and execute code that installs malware on the device running the application. Adobe's use of the word "limited" probably means that the attackers are focusing on a small number of high-value targets.

Microsoft, meanwhile, has released a fix for a vulnerability in Windows 10 and Windows Server 2019 that is also under active attack. The flaw, tracked as CVE-2021-1732, allows attackers to run their malicious code with elevated system privileges.

Chain of exploits?

Hackers often use these so-called elevation-of-privilege exploits in conjunction with attack code that targets a separate vulnerability. The separate vulnerability provides the initial code execution, while the elevation-of-privilege exploit ensures that the code runs with privileges high enough to reach sensitive parts of the operating system. Microsoft credited the discovery and report of the vulnerability to JinQuan, MaDongZe, TuXiaoYi and LiHao of DBAPPSecurity Co. Ltd.

The simultaneous patching of CVE-2021-21017 and CVE-2021-1732, and the fact that both affect Windows, raises the distinct possibility that in-the-wild attacks are chaining exploits for the two vulnerabilities. However, neither Microsoft nor Adobe has provided details to confirm this speculation.

Microsoft released a security bulletin on Tuesday strongly urging users to patch three vulnerabilities in the Windows TCP/IP component, which is responsible for sending and receiving Internet traffic. CVE-2021-24074 and CVE-2021-24094 are rated critical and allow attackers to execute code by sending maliciously crafted network packets. Both flaws, along with a third TCP/IP vulnerability tracked as CVE-2021-24086, can also be used to launch denial-of-service attacks.

The bulletin said that developing reliable code-execution exploits will be difficult, but that DoS attacks are much easier to build and are therefore likely to be exploited in the wild.

"The two RCE vulnerabilities are complex, which makes it difficult to create functional exploits, so they are not likely in the short term," said Tuesday's bulletin. "We believe that attackers will be able to create DoS exploits much more quickly and expect that all three issues might be exploited with a DoS attack shortly after release. Therefore, we recommend that customers move quickly to apply Windows security updates this month."

The three vulnerabilities stem from flaws in Microsoft's TCP/IP implementation and affect all supported versions of Windows. Non-Microsoft TCP/IP implementations are not affected. Microsoft said it identified the vulnerabilities internally.

56 vulnerabilities

In all, Microsoft has fixed 56 vulnerabilities in several products, including Windows, Office and SharePoint. Microsoft rated 11 of the vulnerabilities as critical. As usual, affected users should install the patches as soon as possible. Those who cannot patch immediately should consult the workarounds listed in the advisories.
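For administrators who cannot deploy the TCP/IP fixes right away, the script below is an added example (it is not code from the article or from Microsoft) that reads the two Windows TCP/IP global settings the published workarounds change and, with `-Apply`, sets them. The `netsh` parameter names (`sourceroutingbehavior=drop` for the IPv4 flaw CVE-2021-24074 and `reassemblylimit=0` for the IPv6 flaws CVE-2021-24094 and CVE-2021-24086) are what I recall from Microsoft's advisories and should be verified against those advisories before use; the function names are my own.

```powershell
# Added example, not from the article or from Microsoft's advisories.
# Shows the current state of the two TCP/IP settings that the February 2021
# workarounds touch and optionally applies the workarounds.
#
# Assumptions (verify against the advisories before rolling out):
#   CVE-2021-24074 (IPv4):  netsh int ipv4 set global sourceroutingbehavior=drop
#   CVE-2021-24094/-24086 (IPv6): netsh int ipv6 set global reassemblylimit=0
# Caveats: these are stopgaps, not the fix; reassemblylimit=0 makes Windows
# drop every out-of-order IPv6 fragment, which can break legitimate traffic.
# Run from an elevated PowerShell session to change the settings.

[CmdletBinding()]
param([switch]$Apply)

function Get-TcpIpGlobalSetting {
    param(
        [ValidateSet('ipv4', 'ipv6')][string]$Family,
        [string]$Name
    )
    # "netsh int <family> show global" prints "Name : value" rows.
    $line = (& netsh int $Family show global) | Where-Object { $_ -match "^\s*$Name\s*:" }
    if (-not $line) { return $null }
    return (($line | Select-Object -First 1) -split ':', 2)[1].Trim()
}

function Get-TcpIpMitigationState {
    [pscustomobject]@{
        Ipv4SourceRouting   = Get-TcpIpGlobalSetting -Family ipv4 -Name 'Source Routing Behavior'
        Ipv6ReassemblyLimit = Get-TcpIpGlobalSetting -Family ipv6 -Name 'Reassembly Limit'
    }
}

function Test-IsElevated {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    return ([Security.Principal.WindowsPrincipal]$id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
}

$before = Get-TcpIpMitigationState
Write-Host ("Current: IPv4 source routing = {0}; IPv6 reassembly limit = {1}" -f
    $before.Ipv4SourceRouting, $before.Ipv6ReassemblyLimit)

if ($Apply) {
    if (-not (Test-IsElevated)) {
        throw 'Changing netsh global settings requires an elevated session.'
    }
    & netsh int ipv4 set global sourceroutingbehavior=drop | Out-Null
    & netsh int ipv6 set global reassemblylimit=0 | Out-Null

    $after = Get-TcpIpMitigationState
    Write-Host ("Applied: IPv4 source routing = {0}; IPv6 reassembly limit = {1}" -f
        $after.Ipv4SourceRouting, $after.Ipv6ReassemblyLimit)
}
```

Run it without arguments to audit a machine (for example, from a fleet-wide job) and with `-Apply` only on hosts where the cumulative update cannot be installed yet; once the update is in place, the workarounds can be reverted to their defaults.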

A word also about Adobe Reader. Adobe has devoted significant resources in recent years to improving the product's security. That said, Reader includes a number of advanced features that casual users rarely, if ever, need, and these features create exactly the kind of attack surface that hackers love. The vast majority of computer users may want to consider a simpler reader with fewer bells and whistles. The built-in PDF viewers in Edge, Chrome and Firefox are all suitable substitutes.
