Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including some that are being actively exploited and others that were publicly disclosed earlier today. Ten of the flaws earned Microsoft’s most dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.
The biggest concern in this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default malware protection package
But Kevin Breen, director of research at Immersive Labs, says that depending on the attack vector, the flaw could be trivial to exploit.
“It can be as simple as sending a file,” he said. “The user does not have to interact with anything, as Defender will have access to it as soon as it is placed on the system.”
Fortunately, this bug has probably already been patched on most end-user systems, as Microsoft continually updates Defender outside of the normal monthly patch cycle.
Breen drew attention to another critical vulnerability this month, CVE-2020-1660, a remote code execution flaw present in almost every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).
“They classify this vulnerability as ‘low’ in complexity, which means the attack can be easy to replicate,” Breen said. “However, they also note that it is ‘less likely’ to be exploited, which seems unintuitive. Without the full context of this vulnerability, we must rely on Microsoft to make the decision for us.”
CVE-2020-1660 is actually just one of five bugs in Microsoft’s core Remote Procedure Call (RPC) service, which handles a great deal of the heavy lifting in Windows. Some of the most memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.
Allan Liska, senior security architect at Recorded Future, said it was concerning that so many vulnerabilities in the same component were released at once. Two previous RPC vulnerabilities, CVE-2019-1409 and CVE-2018-8514, were not widely exploited.
The other 70 flaws fixed this month earned Microsoft’s less dire “important” rating, which doesn’t mean they are much less of a security concern. Case in point: CVE-2021-1709, an elevation of privilege flaw in Windows 8 through 10 and Windows Server 2008 through 2019.
“Unfortunately, this type of vulnerability is often exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10, 2019, and by December 19, an attacker was seen selling an exploit for the vulnerability on underground markets. So while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft, it should be prioritized for patching.”
Trend Micro’s Zero Day Initiative (ZDI) pointed out another flaw rated “important,” CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some versions of Windows Server 2012 and 2019, which was publicly disclosed by ZDI earlier today.
“It was also discovered by Google, because this fix corrects a bug introduced by a previous fix,” ZDI’s Dustin Childs said. “The previous CVE is being exploited in the wild, so it is reasonable to think that this CVE will also be actively exploited.”
Separately, Adobe has released security updates to address at least eight vulnerabilities across a number of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plug-in in December (hallelujah!), and last month’s Microsoft update cycle removed the program from Microsoft’s browsers.
Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing active programs and restarting the system. If you’d rather make sure Windows is set to pause updates so that you have ample opportunity to back up your files and/or system first, see this guide.
Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do this, either on a per-file/folder basis or by making a complete, bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those looking for more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two I’ve used before and are worth considering.
So far, there don’t appear to be any major problems with this month’s updates. But before you apply them, consider visiting AskWoody.com, which usually has the lowdown on any problematic patches.
As always, if you experience problems installing any of these patches this month, please consider leaving a comment about it below; there is a better than even chance that other readers have run into the same thing and may chime in here with some helpful tips.
Tags: Allan Liska, AskWoody.com, CVE-2018-8514, CVE-2019-1409, CVE-2019-1458, CVE-2020-1660, CVE-2021-1647, CVE-2021-1648, CVE-2021-1709, Dustin Childs, Immersive Labs, Kevin Breen, Recorded Future, Trend Micro Zero Day Initiative (ZDI), Windows Defender
This entry was posted on Tuesday, January 12th, 2021 at 8:32 pm and is filed under Time to Patch.