Microsoft has released patches for 83 vulnerabilities on its first Patch Tuesday of 2021, which addresses 10 critical flaws, including one zero-day remote code execution bug in Microsoft Defender.
The fixes released today cover Microsoft Windows, the Edge browser, ChakraCore, Office and Microsoft Office Services and Web Apps, Microsoft Malware Protection Engine, Visual Studio, ASP .NET, .NET Core, and Azure. Of these, 73 are classified Important; one is publicly known.
While 83 CVEs (common vulnerabilities and exposures) is much lower than the record monthly patch numbers Microsoft reported last year, it's 59% higher than the 49 patched in January 2020. "If that's any indication, it means 2021 will be another banner year for Patch Tuesday vulnerability disclosures," says Satnam Narang, staff research engineer at Tenable.
CVE-2021-1647 is the critical bug in Microsoft's Malware Protection Engine already seen in the wild. Microsoft does not elaborate on these attacks or how widespread they are. It does say a proof-of-concept code is available, though the code or technique may not work in all situations.
This vulnerability doesn't affect the network stack, and an attacker could gain access remotely via SSH, locally by accessing the machine itself, or by tricking the user into performing an action that would trigger the bug, such as opening a malicious file. User interaction is not required.
Attack complexity is low, meaning attackers wouldn't require specialized access conditions to exploit the flaw, and they can expect repeatable success against the vulnerable component, Microsoft says in its disclosure. It also requires low privileges: An attacker would need privileges that provide basic user capabilities, which normally only affect user-owned settings and files.
"Considering how prevalent Microsoft Defender is, this flaw provides attackers with a large attack surface," Narang says.
News of the zero-day and patch arrive weeks after Microsoft confirmed its network was among the thousands affected by infected SolarWinds software updates, and it admitted attackers were able to view its source code. While there are no details of attacks leveraging this zero-day, Dustin Childs of Trend Micro's Zero-Day Initiative (ZDI) acknowledges the possibility that this patch could be related to the compromise.
For many organizations, CVE-2021-1647 may already be patched. Microsoft often updates malware definitions and the Microsoft Malware Protection Engine. The default configuration for both businesses and individuals ensures both are automatically updated, the company says. Those whose systems are not connected to the Internet will need to manually apply the fix.
"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked," says Chris Goettl, senior director of product management and security at Ivanti.
He advises security teams to ensure their Microsoft Malware Protection Engine is at Version 1.1.17700.4 or higher.
The ZDI publicly disclosed CVE-2021-1648, an important elevation of privilege flaw in print driver host splwow64, after it exceeded its own disclosure timeline. This patch was also discovered by Google Project Zero researchers and corrects a flaw introduced in an earlier patch. Like the zero-day patched this month, this vulnerability has low attack complexity, low required privileges, and does not require user interaction for exploitation, Microsoft reports.
"The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well," Trend Micro's Childs writes.
CVE-2021-1647 aside, the remaining Critical bugs are all remote code execution vulnerabilities. Five affect Remote Procedure Call (RPC) runtime, including CVE-2021-1660, which has a CVSS score of 8.8 and is bound to the network stack. Microsoft says this can be exploited using a low-complexity attack and requires no privileges or user interaction.
It's worth noting Microsoft also patched four additional RPC vulnerabilities that are classified as Important but have the same CVSS score and descriptors as the critical flaws. Microsoft now providers fewer details in patch descriptions and it's unclear why some of these flaws are classified as Critical and others as Important.
This month's Critical bugs primarily affect the operating system, browser, and malware protection, Goettl notes. He urges businesses to also pay attention to Important updates, some of which address bugs in developer tools. "Your development teams need to be aware of what tools they are using and what vulnerabilities may be exposed," he explains.