
Threat Intelligence

1/12/2021
04:30 PM

Microsoft Defender Zero-Day Fixed in First Patch Tuesday of 2021

Microsoft patched 83 bugs, including a Microsoft Defender zero-day and one publicly known elevation of privilege flaw.

Microsoft has released patches for 83 vulnerabilities on its first Patch Tuesday of 2021, which addresses 10 critical flaws, including one zero-day remote code execution bug in Microsoft Defender. 


The fixes released today cover Microsoft Windows, the Edge browser, ChakraCore, Office and Microsoft Office Services and Web Apps, Microsoft Malware Protection Engine, Visual Studio, ASP.NET, .NET Core, and Azure. Of the 83 CVEs, 10 are rated Critical and 73 Important; one was publicly known before the patch.

While 83 CVEs (common vulnerabilities and exposures) is much lower than the record monthly patch numbers Microsoft reported last year, it's 59% higher than the 49 patched in January 2020. "If that's any indication, it means 2021 will be another banner year for Patch Tuesday vulnerability disclosures," says Satnam Narang, staff research engineer at Tenable.

CVE-2021-1647 is the Critical bug in Microsoft's Malware Protection Engine that is already being exploited in the wild. Microsoft does not elaborate on these attacks or how widespread they are. It does say proof-of-concept code exists, though the code or technique may not work in all situations. 

Microsoft rates the attack vector as Local, meaning the vulnerable component is not bound to the network stack. In CVSS terms that covers an attacker who already has a foothold on the machine (a console session or a remote shell such as SSH) as well as one who relies on someone else to get a malicious file onto it. Microsoft nonetheless rates user interaction as not required, which fits a scanning engine: Defender's real-time protection inspects a file as soon as it lands on disk, so the victim does not have to open it for the engine to parse it.

Attack complexity is low, meaning attackers wouldn't require specialized access conditions to exploit the flaw, and they can expect repeatable success against the vulnerable component, Microsoft says in its disclosure. It also requires low privileges: An attacker would need privileges that provide basic user capabilities, which normally only affect user-owned settings and files.

"Considering how prevalent Microsoft Defender is, this flaw provides attackers with a large attack surface," Narang says. 

News of the zero-day and patch arrive weeks after Microsoft confirmed its network was among the thousands affected by infected SolarWinds software updates, and it admitted attackers were able to view its source code. While there are no details of attacks leveraging this zero-day, Dustin Childs of Trend Micro's Zero-Day Initiative (ZDI) acknowledges the possibility that this patch could be related to the compromise. 

For many organizations, CVE-2021-1647 may already be patched. Microsoft updates malware definitions and the Malware Protection Engine frequently, outside the monthly Patch Tuesday cycle, and the default configuration for both business and consumer installations applies both automatically, the company says. Systems that are not connected to the Internet will need the engine update applied manually. 

"For organizations that are configured for automatic updating, no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked," says Chris Goettl, senior director of product management and security at Ivanti.

He advises security teams to ensure their Microsoft Malware Protection Engine is at Version 1.1.17700.4 or higher. 
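The engine-version check Goettl recommends, together with the tampering concern he raises, can be scripted. The following is an added example, not code from the article or from Ivanti: it uses the Defender PowerShell module that ships with Windows 10 and Windows Server 2016 and later (`Get-MpComputerStatus`, `Update-MpSignature`) to report the engine version against the 1.1.17700.4 floor cited above, flag hosts where real-time protection or the antivirus engine has been switched off, and attempt an update from Microsoft Update where the engine is behind. The `Test-DefenderEngine` function name and the hypothetical host list are assumptions for the example.

```powershell
# Added example: check the Microsoft Malware Protection Engine version and
# confirm protection has not been disabled. Not code from the article or Ivanti.
# Requires the Defender module (present on Windows 10 / Server 2016 and later).

$RequiredEngine = [version]'1.1.17700.4'   # engine version cited in the article

function Test-DefenderEngine {
    param([version]$Minimum = $RequiredEngine)

    $status = Get-MpComputerStatus          # built-in Defender status cmdlet
    $engine = [version]$status.AMEngineVersion

    # IsTamperProtected is absent on older builds; treat missing as unknown.
    $tamper = if ($null -ne $status.IsTamperProtected) { $status.IsTamperProtected } else { 'unknown' }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        EngineVersion      = $engine
        EnginePatched      = ($engine -ge $Minimum)
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RealTimeProtection = $status.RealTimeProtectionEnabled
        AntivirusEnabled   = $status.AntivirusEnabled
        TamperProtection   = $tamper
    }
}

$result = Test-DefenderEngine
$result | Format-List

# Goettl's point: a disabled engine will not update itself, so an old engine
# version on such a host is a finding in its own right, not a transient state.
if (-not ($result.RealTimeProtection -and $result.AntivirusEnabled)) {
    Write-Warning 'Defender protection is disabled on this host; do not assume the engine will update automatically.'
}

if (-not $result.EnginePatched) {
    # Pull the current engine and definitions from Microsoft Update. On an
    # air-gapped host this fails and the engine package must be applied by hand.
    try {
        Update-MpSignature -UpdateSource MicrosoftUpdateServer -ErrorAction Stop
        Test-DefenderEngine | Format-List
    } catch {
        Write-Warning "Engine update failed: $($_.Exception.Message)"
    }
}

# Fleet-wide variant (hypothetical host list): run the same function remotely
# over PowerShell remoting and collect one row per host.
# $hosts = 'ws01', 'ws02', 'srv01'
# Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-DefenderEngine} |
#     Where-Object { -not $_.EnginePatched -or -not $_.RealTimeProtection } |
#     Format-Table ComputerName, EngineVersion, EnginePatched, RealTimeProtection
```

The version comparison uses the `[version]` type rather than string comparison so that, for example, 1.1.17800.5 correctly sorts above 1.1.17700.4. `AMEngineVersion` is the Malware Protection Engine build; the signature version and age are reported alongside it because a stale signature set on an otherwise healthy host is the usual first sign that updates are being blocked.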

The ZDI publicly disclosed CVE-2021-1648, an Important elevation of privilege flaw in the print driver host splwow64, after its own disclosure deadline passed without a fix. The flaw was also reported by Google Project Zero researchers; it is a bypass of an earlier, incomplete patch. Like the zero-day patched this month, this vulnerability has low attack complexity, low required privileges, and does not require user interaction for exploitation, Microsoft reports. 

"The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well," Trend Micro's Childs writes.

CVE-2021-1647 aside, the remaining Critical bugs are all remote code execution vulnerabilities. Five affect Remote Procedure Call (RPC) runtime, including CVE-2021-1660, which has a CVSS score of 8.8 and is bound to the network stack. Microsoft says this can be exploited using a low-complexity attack and requires no privileges or user interaction.

It's worth noting Microsoft also patched four additional RPC vulnerabilities that are classified as Important but carry the same CVSS score and descriptors as the Critical ones. Microsoft now provides fewer details in its patch descriptions, and it's unclear why some of these flaws are classified as Critical and others as Important.

This month's Critical bugs primarily affect the operating system, browser, and malware protection, Goettl notes. He urges businesses to also pay attention to Important updates, some of which address bugs in developer tools. "Your development teams need to be aware of what tools they are using and what vulnerabilities may be exposed," he explains.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...
