News

Microsoft's January Patch Rollout Tackles 10 'Critical' Flaws

• By Kurt Mackie
• 01/12/2021

Microsoft's January security patch release addresses 83 common vulnerabilities and exposures (CVEs), 10 of which were described as "Critical" by security researchers and 73 as "Important."

One vulnerability (CVE-2021-1647) is known to have been exploited (Microsoft's first "zero day" of the new year), while another (CVE-2021-1648) was described as being publicly known before Tuesday's patch release.

A list describing all of the January patches can be found in this Trend Micro Zero Day Initiative post by Justin Childs. In addition, Automox offers its patch list here, and the Cisco Talos team points to January patch highlights at this page.

Microsoft provides its documentation of the January patches in its Security Update Guide and its "Release Notes" document, where it characterized this month's bundle of patches as affecting Visual Studio, SQL Server, .NET and Azure, in addition to the usual Windows, browser and Office targets. These "Release Notes" include a list of the security bulletins that contain the more verbose FAQs, as well as those bulletins describing "known issues" associated with the patches. Known issues also can be found in table format in this Microsoft "Deployment Information" document.

Update 1/15: Microsoft's Japan security team posted a description of the January security updates that perhaps offers a useful summary for IT pros. It's written in Japanese but the English translation (Google Translate) seemed to work well. The team pointed out that Microsoft's "Security Update Guide" has filters that can be applied to make it more useful. The perhaps obscure post was noted in the Patchmangement.org Google Group forum (sign-up required), which is also a useful source.

Patch Highlights
The vulnerability known to be exploited this month (CVE-2021-1647) is a Critical remote code execution flaw in Microsoft Defender, Microsoft's anti-malware solution. However, if systems get updated via Microsoft's services, then this problem likely has already been fixed through Microsoft's ongoing distribution of malware definitions for Microsoft Defender, a point explained in the bulletin's FAQ.

Microsoft Defender has had this CVE-2021-1647 flaw since late October, but local access would have been needed to carry out an exploit, according to Chris Hass, director of information security and research at Automox.

"An attacker would need to have access to the local machine already or trick the user into triggering the execution of the exploit, likely in the form of a malicious document delivered via a phishing campaign," Hass said regarding CVE-2021-1647. "Affected versions of Defender date back to late October 2020," he added.

The vulnerability that was publicly known (CVE-2021-1648) is an Important elevation-of-privilege flaw in splwow64.exe, which is a Windows process that lets 32-bit applications print on 64-bit printers. Childs of the Zero Day Initiative indicated that Microsoft essentially is fixing a bug caused by an earlier bug fix with this particular patch.

"The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well," Childs explained regarding CVE-2021-1648.

Security researchers appear to be in the dark about an Important Windows Remote Desktop Protocol vulnerability (CVE-2021-1674) in this month's bundle. It got a high CVSS score of 8.8, but the security issue wasn't described by Microsoft.

An Important elevation-of-privilege vulnerability in the Windows Win32k process (CVE-2021-1709) is notable for not requiring user interaction. "An attacker could exploit a local machine to elevate their privileges and potentially use these privileges to carry out additional attacks," Cisco Talos observed.

Another notable Important vulnerability is CVE-2021-1707, affecting SharePoint users. It permits an attacker to "create a SharePoint site and then execute code remotely within the kernel if the logged-in user has the appropriate privileges," Cisco Talos explained.

In general, the Windows operating system patches should be prioritized this month since they account for "11 of the 13 top CVSS-scoring (CVSSv3 8.8) vulnerabilities," Tsang noted.

He also described the Windows Remote Procedure Call Runtime component getting patched this month as a noteworthy Critical issue. 

"This RPC Runtime component accounts for the 9 of the 13 top CVSS scoring vulnerabilities along with half of all the 10 Critical Remote Code Execution vulnerabilities being addressed," Tsang explained.