Microsoft Patch Tuesday, January 2021 Edition – Krebs on Security

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is being actively exploited and another that was announced before today. Ten of the bugs earned Microsoft’s most dire “critical” rating, meaning they could be used by malware or malicious people to seize remote control over unpatched systems with little or no interaction from Windows users.

Most concerning of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite, Windows Defender, which is seeing active exploitation. Microsoft has recently stopped providing a lot of detail in its vulnerability advisories, so it’s not entirely clear how the flaw is being exploited.

But Kevin Breen, director of research at Immersive Labs, says that depending on the vector, the flaw could be trivial to exploit.

“It can be as simple as sending a file,” he said. “The user does not need to communicate with anything, as Defender will gain access to it once it is placed on the system.”

Fortunately, this bug is probably already being patched by Microsoft on end-user systems, as the company constantly updates Defender outside of the normal monthly patch cycle.

Breen called attention to another critical vulnerability this month, CVE-2020-1660, which is a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, which means an attack can be easy to reproduce,” Breen said. “However, they also note that it is ‘less likely’ to be exploited, which seems counter-intuitive. Without the full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the most memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said that while it is worrying that so many vulnerabilities in the same component have been released simultaneously, two previous vulnerabilities in RPC – CVE-2019-1409 and CVE-2018-8514 – have not been widely exploited.

The remaining 70 or so bugs fixed this month earned Microsoft’s less serious “important” rating, which is not to say they are much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 to 10 and Windows Server 2008 through 2019.

“Unfortunately, this kind of vulnerability is quickly exploited by attackers,” Liska said. “CVE-2019-1458, for example, was announced on 10 December 2019 and by 19 December an attacker was seen selling an exploit for the vulnerability in underground markets. Thus, while CVE-2021-1709 is only considered as [an information exposure flaw] by Microsoft it should be prioritized to patch.”

Trend Micro’s ZDI Initiative pointed to another flaw marked “important”: CVE-2021-1648, an elevation of privilege bug in Windows 8, 10, and some Windows Server 2012 and 2019 versions that was publicly announced by ZDI before today.

“It was probably discovered by Google because the bug fixes a bug that was installed by a previous patch,” ZDI’s Dustin Childs said. “The previous CPU is exploited in nature, so it is reasonable to think that this CPU will also be actively exploited.”

Separately, Adobe has released security updates to address at least eight vulnerabilities in a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe pulled the browser plug-in in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers.

Windows 10 users should note that the operating system will download updates and install them all on its own schedule, closing active programs and restarting the system. If you want to ensure that Windows is set to pause updating so that you have ample opportunity to back up your files and/or system, consult this guide.

Make a backup of your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a full and bootable copy of your hard drive all at once. You never know when a batch of patches will corrupt your system or damage important files. For those who want more flexible and complete backup options (including incremental backups), Acronis and Macrium are two I’ve used before, and they are worth a look.

That said, there do not appear to be any major issues with this month’s update batch yet. Before applying updates, consider visiting AskWoody.com, which usually has the details on any reports of problematic patches.

As always, if you have trouble installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance that other readers have experienced the same thing and may chime in here with some helpful tips.

Tags: Allan Liska, AskWoody.com, CVE-2018-8514, CVE-2019-1409, CVE-2019-1458, CVE-2020-1660, CVE-2021-1647, CVE-2021-1648, CVE-2021-1709, Dustin Childs, Immersive Labs, Kevin Breen, Recorded Future, Trend Micro’s ZDI Initiative, Windows Defender

This entry was posted on Tuesday, January 12th, 2021 at 8:32 pm and is filed under Time to Patch.