Zero-days under active exploitation keep Windows users busy

The word ZERO-DAY is hidden in the middle of a screen filled with ones and zeros.

It's the second Tuesday in February, which means Microsoft and other software vendors are releasing dozens of updates to fix security vulnerabilities. Among them are fixes for two zero-days under active exploitation and for critical networking flaws that allow attackers to remotely execute malicious code or shut down computers.

The most important patch fixes a code-execution bug in Adobe Reader, which despite its long-in-the-tooth status remains widely used to view and edit PDF documents. The critical vulnerability, tracked as CVE-2021-21017, results from a heap-based buffer overflow. Citing an anonymous source, Adobe warned that the bug was being actively exploited in limited attacks on Reader users running Windows.

Adobe has not provided additional details about the vulnerability or the in-the-wild attacks exploiting it. Typically, hackers use specially crafted documents, sent by email or posted online, to trigger a vulnerability of this kind and execute code that installs malware on the device running the program. Adobe's use of the word "limited" likely means the hackers are focusing their attacks on a small number of high-value targets.

Microsoft, meanwhile, released a fix for a vulnerability in Windows 10 and Windows Server 2019 that is also under active attack. The bug, tracked as CVE-2021-1732, lets attackers execute their malicious code with elevated system privileges.

Exploit chain?

Hackers typically use these so-called elevation-of-privilege exploits together with attack code that targets a separate vulnerability. The latter provides code execution, while the former ensures that the code runs with privileges high enough to reach sensitive parts of the operating system. Microsoft credited JinQuan, MaDongZe, TuXiaoYi and LiHao of DBAPPSecurity Co. Ltd. with discovering and reporting the vulnerability.

The simultaneous patching of CVE-2021-21017 and CVE-2021-1732, and the fact that both affect Windows, raises the distinct possibility that the in-the-wild attacks chain the two vulnerabilities together. Neither Microsoft nor Adobe, however, has provided details to confirm this speculation.

Microsoft on Tuesday also released a security bulletin that strongly urges users to patch three vulnerabilities in the Windows TCP/IP component, which is responsible for sending and receiving Internet traffic. CVE-2021-24074 and CVE-2021-24094 are both rated critical and allow attackers to execute code by sending maliciously crafted packets. Both vulnerabilities also allow hackers to launch denial-of-service attacks, as does a third TCP/IP vulnerability, tracked as CVE-2021-24086.

The bulletin says that developing reliable code-execution exploits will be difficult, but that DoS exploits are much easier to create and are therefore likely to be used in the wild.

“The two RCE vulnerabilities are complex, making it difficult to create functional exploits, and so they are not likely in the short term,” the bulletin said Tuesday. “We believe that attackers can create DoS exploits faster, and we expect all three issues to be exploited shortly after release with a DoS attack. We therefore recommend that customers quickly apply Windows security updates this month.”

The three vulnerabilities stem from flaws in Microsoft's TCP/IP implementation and affect all supported versions of Windows. Non-Microsoft implementations are not affected. Microsoft said it discovered the vulnerabilities internally.
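For administrators who cannot install the TCP/IP fixes right away, the following PowerShell is an added, read-only check; it is not code from the article or from Microsoft. It reads the two global TCP/IP settings that Microsoft's February 2021 TCP/IP guidance offered as temporary workarounds (dropping IPv4 source-routed packets and setting the IPv6 reassembly limit to 0) and reports whether each is in place. The setting names, the expected values and the `netsh` output labels are recalled from that guidance and from typical `netsh` output, so treat them as assumptions to verify against the advisory on your own systems.

```powershell
# Added example (not the article's or Microsoft's code): report whether the
# February 2021 TCP/IP workarounds are applied. Nothing here changes configuration.
# Assumed from Microsoft's guidance (verify against the advisory):
#   netsh int ipv4 set global sourceroutingbehavior=drop   -> CVE-2021-24074
#   netsh int ipv6 set global reassemblylimit=0            -> CVE-2021-24094 / CVE-2021-24086

function Get-NetshGlobalValue {
    param(
        [Parameter(Mandatory)] [string[]] $Output,  # lines from "netsh interface ipvX show global"
        [Parameter(Mandatory)] [string]   $Name     # label as printed, e.g. "Source Routing Behavior"
    )
    # netsh prints "Label<spaces>: value". Labels are locale-dependent, so on a
    # non-English Windows the $Name argument has to be the localized label.
    $pattern = "^\s*$([regex]::Escape($Name))\s*:\s*(.+?)\s*$"
    foreach ($line in $Output) {
        if ($line -match $pattern) { return $Matches[1] }
    }
    return $null   # label not found: caller treats the mitigation as not verified
}

function Get-TcpIpWorkaroundStatus {
    $v4 = netsh interface ipv4 show global
    $v6 = netsh interface ipv6 show global

    # Assumed labels in netsh output; adjust if your build prints them differently.
    $sourceRouting = Get-NetshGlobalValue -Output $v4 -Name 'Source Routing Behavior'
    $reassembly    = Get-NetshGlobalValue -Output $v6 -Name 'Reassembly Limit'

    [PSCustomObject]@{
        SourceRoutingBehavior  = $sourceRouting
        SourceRoutingMitigated = ($sourceRouting -eq 'drop')   # workaround for CVE-2021-24074
        Ipv6ReassemblyLimit    = $reassembly
        ReassemblyMitigated    = ($reassembly -eq '0')         # workaround for the two IPv6 flaws
    }
}

Get-TcpIpWorkaroundStatus | Format-List
```

Both settings are stopgaps, not fixes: a reassembly limit of 0 makes Windows discard fragmented IPv6 packets, including legitimate ones, so the check is meant to confirm that the interim state is what you expect until the February update is installed and the settings can be reverted.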

56 vulnerabilities

In total, Microsoft patched 56 vulnerabilities across various products, including Windows, Office and SharePoint. Microsoft rated 11 of the vulnerabilities critical. As usual, affected users should install the patches as soon as possible. Those who cannot patch immediately should refer to the workarounds listed in the advisories.

A word, too, about Adobe Reader. Adobe has devoted significant resources over the past few years to improving the product's security. That said, Reader includes a range of advanced features that casual users rarely, if ever, need. Those advanced features create the kind of attack surface that hackers like. Most computer users might instead consider a standard browser, which has fewer bells and whistles. Edge, Chrome or Firefox are all suitable replacements.
