Microsoft Patch Tuesday, January 2021 edition – Krebs on Security

Microsoft today released updates to address more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and one that was publicly disclosed before today. Ten of the flaws earned Microsoft’s most dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no help from users.

Probably the most concerning of the lot this month is a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite – Windows Defender – which is already seeing active exploitation. Microsoft recently stopped providing much detail in its vulnerability advisories, so it’s not entirely clear how the flaw is being exploited.

But Kevin Breen, director of research at Immersive Labs, said that depending on the vector, the flaw could be easy to exploit.

“It could be as easy as sending a file,” he says. “The user does not need to interact with anything, as Defender will access it as soon as it is placed on the system.”

Fortunately, this bug is probably already fixed on most end-user systems, because Microsoft continually pushes updates to Defender outside of the normal monthly patch cycle.
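Because Defender fixes ship on their own cadence, the practical check on a Windows 10 host is not “did Patch Tuesday install?” but “which anti-malware engine and signature versions are actually running?”. The following PowerShell is an added example written for this post, not code from Krebs or Microsoft; it uses the standard Defender cmdlets (`Get-MpComputerStatus`, `Update-MpSignature`) and `Get-HotFix`. The `$MinEngineVersion` parameter is a placeholder: fill in the engine version that Microsoft’s advisory for CVE-2021-1647 lists as fixed, which this post does not state.

```powershell
# Added example (not from the original post). Reports the Defender engine, platform and
# signature state and, optionally, whether the engine meets a minimum version.
# $MinEngineVersion is a placeholder; take the real value from Microsoft's advisory.
function Test-DefenderState {
    param(
        [version]$MinEngineVersion   = [version]'0.0.0.0',   # PLACEHOLDER, see lead-in
        [int]    $MaxSignatureAgeHours = 24
    )

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion
    $sigAge = (Get-Date) - $status.AntivirusSignatureLastUpdated

    [pscustomobject]@{
        EngineVersion      = $status.AMEngineVersion          # anti-malware engine (mpengine)
        PlatformVersion    = $status.AMProductVersion         # Defender platform build
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeHours  = [math]::Round($sigAge.TotalHours, 1)
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineMeetsMinimum = ($engine -ge $MinEngineVersion)
        SignaturesFresh    = ($sigAge.TotalHours -le $MaxSignatureAgeHours)
    }
}

# Pulls the latest engine/signature package if either check above fails.
function Update-DefenderIfStale {
    param([version]$MinEngineVersion = [version]'0.0.0.0')   # PLACEHOLDER

    $state = Test-DefenderState -MinEngineVersion $MinEngineVersion
    if (-not $state.EngineMeetsMinimum -or -not $state.SignaturesFresh) {
        Write-Warning "Defender engine or signatures are behind; requesting an update."
        Update-MpSignature
        $state = Test-DefenderState -MinEngineVersion $MinEngineVersion
    }
    $state
}

# For the monthly (non-Defender) fixes, the most recently installed hotfixes show
# whether the Patch Tuesday cumulative update has actually landed.
function Get-RecentHotFix {
    param([int]$Count = 5)
    Get-HotFix |
        Sort-Object InstalledOn -Descending |
        Select-Object -First $Count HotFixID, Description, InstalledOn
}

# Usage:
#   Test-DefenderState -MinEngineVersion '1.1.0.0'   # replace with the advisory's version
#   Update-DefenderIfStale
#   Get-RecentHotFix
```

Run it in an elevated PowerShell session; `Update-MpSignature` needs administrator rights, and `Get-HotFix` only lists updates installed through Windows Update or WUSA, so Defender engine updates will not appear there, which is exactly why the two checks are separate.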

Breen called attention to another critical vulnerability this month – CVE-2020-1660 – a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 being the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, which means that an attack could be easy to reproduce,” Breen said. “However, they also note that it is ‘less likely’ to be exploited, which seems counterintuitive. Without the full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which handles a great deal of heavy lifting in Windows. Some of the most memorable computer worms of the past decade spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said that while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous RPC vulnerabilities – CVE-2019-1409 and CVE-2018-8514 – were not widely exploited.

The roughly 70 remaining flaws patched this month earned Microsoft’s less severe “important” rating, which isn’t to say they are much less of a security concern. Case in point: CVE-2021-1709, an “elevation of privilege” vulnerability in Windows 8 through 10 and Windows Server 2008 through 2019.

“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10, 2019, and by December 19 an attacker was seen selling an exploit for the vulnerability in underground markets. So while CVE-2021-1709 is only classified as [an information exposure flaw] by Microsoft, it should be prioritized for patching.”

Trend Micro’s Zero Day Initiative (ZDI) pointed out another flaw marked “important” – CVE-2021-1648, an elevation of privilege bug in Windows 8, Windows 10 and some editions of Windows Server 2012 and 2019 that ZDI publicly disclosed prior to today.

“It was also discovered by Google, probably because this patch corrects a bug introduced by a previous patch,” said ZDI’s Dustin Childs. “The previous CVE was being exploited in the wild, so it’s reasonable to assume that this CVE will also be actively exploited.”

Separately, Adobe released security updates to address at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and last month’s Microsoft update cycle removed the program from Microsoft’s browsers.

Windows 10 users should be aware that the operating system will by default download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so that you have ample opportunity to back up your files and/or your system first, see this guide.

Please back up your system before applying any of these updates. Windows 10 even has built-in tools to help you do that, either on a per-file/folder basis or by creating a complete, bootable copy of your hard drive in one go. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and comprehensive backup options (including incremental backups), Acronis and Macrium are two that I have used previously and are worth checking out.

That said, there don’t appear to be any major issues with this month’s bundle of updates. But before you apply them, consider visiting AskWoody.com, which usually has the skinny on any reports of problematic fixes.

As always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.

Tags: Allan Liska, AskWoody.com, CVE-2018-8514, CVE-2019-1409, CVE-2019-1458, CVE-2020-1660, CVE-2021-1647, CVE-2021-1648, CVE-2021-1709, Dustin Childs, Immersive Labs, Kevin Breen, Recorded Future, Trend Micro ZDI Initiative, Windows Defender
