Microsoft Fixes 56 Security Flaws in February Patch Release
Microsoft's February security patch bundle rolled out on Tuesday to address 56 security vulnerabilities.
Specifically, the patches include 11 common vulnerabilities and exposures (CVEs) deemed "Critical," 43 CVEs considered "Important" and two CVEs assessed as "Moderate" in severity. One vulnerability affecting Windows systems was known to be exploited before Tuesday's patch release. There are also six vulnerabilities that are described as being "publicly known," which represents increased risk for organizations.
These counts, ratings and assessments come from security researchers, such as Trend Micro's Zero Day Initiative post on the topic by Dustin Childs.
Fewer patches were released this month compared with last year, but there are more publicly known flaws in this release.
"This [February 2021 Microsoft patch count] is roughly half the volume as what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs," Childs noted, adding that "Microsoft provides no information on where these CVEs were publicly exposed."
Vulnerability (CVE-2021-1732) is the one flaw that was known to have been previously exploited. It's an Important-rated Win32k elevation of privilege issue affecting Windows 10 and Windows Server systems.
Attackers might use another software exploit to tap this one, explained Childs. However, the attacker could gain system privileges if they were successful in using it, explained Chris Hass, director of information security and research at security solutions firm Automox:
To exploit this vulnerability [CVE-2021-1732], an attacker would first have to log on to the system, then run a specially crafted application. The exploitation of this vulnerability would allow an attacker to execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted with the compromised machine.
Of the six publicly known vulnerabilities, only CVE-2021-26701, a .NET Core and Visual Studio remote code execution flaw, was described as Critical, with a Common Vulnerability Scoring System score of 8.1 out of 10. Microsoft doesn't provide any information about this vulnerability, though, Childs noted.
The other publicly known CVEs are rated "Important. They are:
- CVE-2021-1721, a .NET Core and Visual Studio denial-of-service vulnerability
- CVE-2021-1733, a Sysinternals PSExec elevation-of-privilege vulnerability
- CVE-2021-24098, a Windows console driver denial-of-service vulnerability
- CVE-2021-24106, a Windows DirectX information disclosure vulnerability
- CVE-2021-1727, a Windows Installer elevation-of-privilege vulnerability
Microsoft's Sysinternals PSExec tool, in addition to having a flaw getting patched this month, has sometimes been weaponized by attackers, noted Nick Colyer, senior product marketing manager at Automox:
PsExec, which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due to the utility's weaponization by criminals in malware. Proof-of-concept code has not been independently verified, but it is notable that in January 2021 Microsoft released a patch to resolve a remote code execution vulnerability for the same utility indicating that it is getting attention.
Microsoft newly redone "Security Update Guide" doesn't tend to label the severity of the CVEs getting patched each month. Typically, IT pros get generic boilerplate descriptions and a Common Vulnerability Scoring System score from 1 to 10 in the guide. In a slight break from that approach, though, the Microsoft Security Response Center team provided a description of three February security vulnerabilities associated with Microsoft's implementation of the TCP/IP protocol, as described in this Microsoft blog post.
Microsoft discovered these TCP/IP vulnerabilities, which are associated with IPv4 and IPv6 solutions in Windows 10 and Windows Server versions. There are two Critical remote-code execution vulnerabilities (CVE-2021-24074 and CVE-2021-24094) and one Important denial-of-service vulnerability (CVE-2021-24086) in this month's bundle. Microsoft sees exploits using these vulnerabilities as being rather complex to execute. However, organizations are nonetheless urged to patch or implement a workaround now that the information is disclosed.
Other Critical Highlights
Another notable Critical vulnerability is CVE-2021-24078, a Windows DNS Server remote code execution flaw. It could permit exploits from an "unauthenticated attacker," and it's "wormable, although only between DNS servers," Childs indicated.
The attack method for CVE-2021-24078 isn't complex, though, noted Justin Knapp, senior product marketing manager at Automox:
Only Windows servers that are configured as DNS servers are at risk of having this vulnerability [CVE-2021-24078] exploited. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and "exploitation more likely" label assigned, this is a vulnerability that should be addressed immediately.
The Windows Fax Service has two Critical vulnerabilities, namely CVE-2021-1722 and CVE-2021-24077. This service is included by default in all Windows systems, and these flaws could permit an attacker to "take control of the affected system," noted Eric Feldman, senior product marketing manager at Automox.
There's also a Critical-rated Windows Local Spooler remote code execution vulnerability (CVE-2021-24088). The spooler "stores print jobs in memory until the printer is ready to accept them," explained Jay Goodman, manager of product marketing at Automox, but this flaw could let attackers run malicious code on systems remotely. He noted there's no mitigation available -- just the patch.
New Simplified APIs
The team at the Microsoft Security Response Center announced this week that it is offering more simplified APIs for IT pros wanting to customize patch details in reports. It appears to involve using PowerShell skills.
Another maybe helpful Microsoft publication for Tuesday's patch release is Microsoft's "Release Notes" for the February patches. It includes pointers to published workarounds, as well as "known issues."
IT pros can know about system reboots requirements with this month's patches by checking Microsoft's "Update Deployment" guide.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.