Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is being actively exploited and another that was publicly disclosed before today. Ten of the flaws earned Microsoft's most severe "critical" rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.
Most concerning of this month's batch is probably a critical bug (CVE-2021-1647) in Microsoft's default anti-malware suite, Windows Defender.
But Kevin Breen, director of research at Immersive Labs, says that depending on the attack vector the flaw could be trivial to exploit.
"It could be as simple as sending a file," he said. "The user doesn't need to interact with anything, as Defender will access it as soon as it is placed on the system."
Fortunately, this bug is probably already patched on most end-user systems, because Microsoft continuously updates the Defender engine and signatures outside of the normal monthly patch cycle. That also means the monthly cumulative update is not the thing to check; the installed engine version is.
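Because the Defender fix ships through the engine update channel rather than the Patch Tuesday rollup, the practical check is to read the engine version on each host and compare it with the first fixed version Microsoft lists in its advisory. The PowerShell below is an added example, not code from the original post; it assumes the Defender PowerShell module present on Windows 10, and the threshold version `1.1.17700.4` is taken from Microsoft's advisory for CVE-2021-1647 and should be confirmed against the advisory before you rely on it.

```powershell
# Added example (not from the original post). Reports the Defender engine and
# signature state on this host and whether the engine is at or beyond the
# version Microsoft lists as fixing CVE-2021-1647.
# Assumed threshold: "1.1.17700.4" from Microsoft's advisory; verify before use.
$FixedEngineVersion = [version]'1.1.17700.4'

function Test-DefenderEnginePatched {
    [CmdletBinding()]
    param(
        [version]$MinimumEngineVersion = $FixedEngineVersion
    )
    # Get-MpComputerStatus comes with the Defender module on Windows 10.
    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        MinimumEngine      = $MinimumEngineVersion
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EnginePatched      = ($engine -ge $MinimumEngineVersion)
    }
}

$result = Test-DefenderEnginePatched
$result | Format-List

if (-not $result.EnginePatched) {
    Write-Warning ("Engine {0} is older than {1}; pulling updates now." -f `
        $result.EngineVersion, $result.MinimumEngine)
    # Fetch engine and signature updates immediately instead of waiting for the
    # scheduled check, then re-read the status.
    Update-MpSignature
    Test-DefenderEnginePatched | Format-List
}
```

Run it elevated on a sample of endpoints (or wrap `Test-DefenderEnginePatched` in `Invoke-Command` across a fleet) and treat any host with `EnginePatched` false, or a stale signature age, as still exposed: Breen's point is that a file merely landing on disk is enough to reach the engine, so the host does not need to be doing anything for the bug to matter.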
Breen also called attention to another critical vulnerability this month, CVE-2020-1660, a remote code execution flaw in nearly every supported version of Windows that earned a CVSS score of 8.8 (10 is the most severe).
"They classify this vulnerability as 'low' in complexity, meaning an attack could be easy to reproduce," Breen said. "However, they also note that it is 'less likely' to be exploited, which seems contradictory. Without the full context of this vulnerability, we have to rely on Microsoft to make that decision for us."
CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which does a lot of the heavy lifting in Windows. Some of the more memorable computer worms of the past two decades (Blaster in 2003 and Conficker in 2008, for instance) spread automatically by exploiting RPC-reachable vulnerabilities, which is why a cluster of RPC bugs deserves attention even when each one is rated as unlikely to be exploited.
Allan Liska, senior security architect at Recorded Future, said that while it is concerning to see so many vulnerabilities in the same component released at once, two previous RPC vulnerabilities, CVE-2019-1409 and CVE-2018-8514, were not widely exploited.
The remaining 70 or so flaws patched this month earned Microsoft's less severe "important" rating, which is not to say they are much less of a security concern. Case in point: CVE-2021-1709, an elevation of privilege flaw in Windows 8 through 10 and Windows Server 2008 through 2019.
"Unfortunately, this type of vulnerability is often quickly exploited by attackers," Liska said. "For example, CVE-2019-1458 was announced on December 10, 2019, and by December 19 an attacker was seen selling an exploit for the vulnerability on underground markets. So while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft, it should be prioritized for patching."
Trend Micro's Zero Day Initiative (ZDI) pointed out another flaw marked "important": CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 versions that ZDI had publicly disclosed before today.
"It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch," ZDI's Dustin Childs said. "The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well."
Separately, Adobe released security updates addressing at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft's update cycle last month removed the program from Microsoft's browsers.
Windows 10 users should be aware that by default the operating system will download updates and install them all at once on its own schedule, closing active programs and rebooting the system. If you want to make sure Windows is set to pause updating so that you have a good chance to back up your files and/or system first, see this guide.
Back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete, bootable copy of your hard drive all at once. You never know when a patch rollup will break your system or possibly damage important files. For those who want more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I have used previously and that are worth a look.
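For administrators who would rather script the two steps above (stop Windows from installing on its own schedule, then take a recovery point) than click through Settings, the PowerShell below is an added example and is not code from the original post. It assumes Windows 10 Pro or Enterprise, which honour the Windows Update policy keys it writes (Windows 10 Home largely ignores them), and that System Restore can be enabled on the system drive.

```powershell
# Added example (not from the original post). Assumes Windows 10 Pro/Enterprise,
# which honours the policy keys under HKLM\SOFTWARE\Policies\...\WindowsUpdate\AU.
# Run from an elevated PowerShell session.
$AuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

function Set-UpdateNotifyBeforeDownload {
    # AUOptions = 2 is "Notify for download and notify for install": Windows still
    # checks for updates but downloads and installs nothing until you approve it,
    # which is the window you want for taking a backup. NoAutoUpdate = 0 keeps the
    # automatic check itself enabled. (The weak default is no policy key at all,
    # which lets Windows download, install and reboot on its own schedule.)
    if (-not (Test-Path $AuPolicy)) { New-Item -Path $AuPolicy -Force | Out-Null }
    New-ItemProperty -Path $AuPolicy -Name 'NoAutoUpdate' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $AuPolicy -Name 'AUOptions'    -Value 2 -PropertyType DWord -Force | Out-Null
    # Read the values back so the caller can confirm the setting actually took.
    Get-ItemProperty -Path $AuPolicy | Select-Object NoAutoUpdate, AUOptions
}

function New-PrePatchRestorePoint {
    # A restore point is not a full backup (it does not cover user files), but it
    # is the quickest built-in rollback for a rollup that breaks the OS.
    # Windows allows only one Checkpoint-Computer restore point per 24 hours by default.
    Enable-ComputerRestore -Drive "$env:SystemDrive\"
    Checkpoint-Computer -Description "Pre Patch Tuesday $(Get-Date -Format yyyy-MM-dd)" `
                        -RestorePointType MODIFY_SETTINGS
    Get-ComputerRestorePoint | Sort-Object SequenceNumber -Descending | Select-Object -First 1
}

function Get-RecentHotfixes {
    param([int]$Days = 45)
    # Updates installed inside the window. Run it before patching to confirm last
    # month's rollup landed, and again afterwards so you know exactly which KB to
    # remove (wusa /uninstall /kb:<id>) if something regresses.
    Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge (Get-Date).AddDays(-$Days) } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, Description, InstalledOn
}

Set-UpdateNotifyBeforeDownload
New-PrePatchRestorePoint
Get-RecentHotfixes | Format-Table -AutoSize
```

The policy change is deliberately "notify", not "disable": the host keeps checking for updates, so you do not drift out of date if you forget to turn it back on. Pair the restore point with a real image backup (the built-in wbadmin tool, or the products mentioned above) before letting the rollup install, since a restore point alone will not recover damaged user files.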
That said, there do not appear to be any major issues cropping up yet with this month's update batch. But before you apply updates, consider paying a visit to AskWoody.com, which usually has the skinny on any reports of problematic patches.
As always, if you experience glitches or problems installing any of these updates this month, consider leaving a comment below; there is a better than even chance that other readers have experienced the same and can chime in here with some helpful tips.
Tags: Allan Liska, AskWoody.com, CVE-2018-8514, CVE-2019-1409, CVE-2019-1458, CVE-2020-1660, CVE-2021-1647, CVE-2021-1648, CVE-2021-1709, Dustin Childs, Immersive Labs, Kevin Breen, Recorded Future, Trend Micro's ZDI Initiative, Windows Defender
This entry was posted on Tuesday, January 12th, 2021 at 8:32 pm and is filed under Time to Patch.