Microsoft Patch Tuesday, February 2021 Issue – Krebs on Security

Microsoft rolled out updates today to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicly disclosed before today, which may have given attackers a head start in figuring out how to exploit them.

Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, which means that malware or malicious people can use them to take remote control of unpatched systems with little or no help from users.

The bug already being exploited in the wild, CVE-2021-1732, affects Windows 10, Server 2016 and later releases. It received a slightly less serious “important” rating, mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means that the attacker must already have access to the target system.

Two of the other bugs fixed this week are critical and reside in Microsoft’s .NET Framework, a component required by many third-party applications (most Windows users have a .NET version installed).

Windows 10 users should note that although the operating system installs all of the monthly patch roll-ups at once, that rollup does not usually include .NET updates, which are installed on their own. So once you’ve backed up your system and installed this month’s patches, you can go back to Windows Update to see if there are any .NET updates pending.

A major concern for businesses is another critical bug in the DNS server on Windows Server 2008 through 2019 that can be used to remotely install software of the attacker’s choice. CVE-2021-24078 earned a CVSS score of 9.8, which is about as dangerous as they come.

Recorded Future says this vulnerability could be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain, or even with embedded images that call out to a new domain). Kevin Breen of Immersive Labs notes that CVE-2021-24078 could let an attacker steal a lot of data by changing the destination for an organization’s web traffic, such as pointing internal devices or Outlook email access at a malicious server.

Windows Server users should also be aware that Microsoft is applying the second round of security enhancements this month as part of a two-phase update to address CVE-2020-1472, a serious vulnerability that first saw active exploitation in September 2020.

The vulnerability, called “Zerologon,” is a bug in the core “Netlogon” component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom in a corporate network.

Microsoft’s initial patch for CVE-2020-1472 fixed the bug on Windows Server systems, but did nothing to prevent unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communication method. Microsoft said it had chosen this two-step approach “to ensure that vendors of non-compliant implementations can provide customers with updates.” With this month’s patches, Microsoft will reject insecure Netlogon attempts from non-Windows devices.

A few other, non-Windows security updates are worth mentioning. Adobe today released updates to fix at least 50 vulnerabilities in a range of products, including Photoshop and Reader. The Acrobat / Reader update addresses a critical zero-day flaw that Adobe says is being actively exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, make sure that these programs are kept up to date.

There is also a zero-day flaw in Google’s Chrome Web browser (CVE-2021-21148) that is seeing active attacks. Chrome automatically downloads security updates, but users still need to restart the browser for the updates to take full effect. If you’re a Chrome user and see a red “update” prompt on the right side of the address bar, it’s time to save your work and restart your browser.

Standard reminder: While it’s important to stay up to date on Windows patches, it’s just as important to make sure you’re only updating after backing up important data and files. A reliable backup means you are less likely to pull your hair out if the odd buggy patch causes problems starting up the system.

So do yourself a favor and make a backup of your files before installing patches. Windows 10 even has some built-in tools to help you do that, either on a per-file / folder basis or by making a full and bootable copy of your hard drive all at once.

Keep in mind that Windows 10 will, by default, download and install updates on its own schedule. If you want to ensure that Windows is set to pause updating so that you can back up your files and / or system before the operating system decides to reboot and install patches, see this guide.

And as always, if you have trouble installing any of these patches this month, please consider leaving a comment about it below; there is a better-than-even chance that other readers have experienced the same thing, and they may chime in here with some helpful tips.

Tags: CVE-2020-1472, CVE-2021-1732, CVE-2021-21148, CVE-2021-24078, Immersive Labs, Kevin Breen, Microsoft Patch Tuesday February 2021, Netlogon, Recorded Future, ZeroLogon

This entry was posted on Tuesday, February 9th, 2021 at 5:37 pm and is filed under Security Tools, Time to Patch.
