January 2021 Patch Tuesday: One Actively Exploited Vulnerability and a Few Likely to Be

Here we are in a new year and Microsoft has released their first set of patches. This month we continue the recent trend of less than 100 vulnerabilities fixed by Microsoft. While there are some critical vulnerabilities (and one that will get fixed without you having to deploy a patch), I was still struck by how few critical fixes were included this month.

All in all, we saw 83 vulnerabilities fixed, with 10 marked critical and 71 marked important. Interestingly, the important fixes are the ones marked with a higher likelihood of being exploited. So let’s review those critical ones along with the others that warrant attention.

Operating system

Most of the operating system vulnerabilities this month all have the same description and details. There are five vulnerabilities titled Remote Procedure Call Runtime Remote Code Execution Vulnerability. CVE-2021-1658, CVE-2021-1660, CVE-2021-1667, CVE-2021-1673, and CVE-2021-1666 are all RPC vulnerabilities which can be executed across the network without user interaction required. These vulnerabilities all have a CVSS score of 8.8, the highest in this month’s batch. This vulnerability affects Windows 7 through the current version of Windows 10, including the corresponding server and core versions.

Next is a GDI+ Remote Code Execution Vulnerability, CVE-2021-1665. This vulnerability requires user interaction by clicking on an attachment and would give the attacker full access to the target system. It has a CVSS of 7.8 and is listed by Microsoft as exploitation less likely.

CVE-2021-1643 is a HEVC Video Extensions Remote Code Execution Vulnerability in the Microsoft Store Apps that uses the video extension. It’s listed as exploitation less likely. These apps generally update themselves unless you have blocked updates in the Windows Store. The vulnerability in the link includes a PowerShell script you can use to determine if you need to update any affected apps by checking the version of the extension’s package.

The final “Critical” on the operating system side is CVE-2021-1668, titled Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability. This vulnerability requires user interaction (such as opening a malicious file) on the system and would give the attacker the ability to execute code. It’s also listed as exploitation less likely.

Browsers

There is only one critical vulnerability in the browsers this month. CVE-2021-1705 is a Microsoft Edge (HTML-based) Memory Corruption Vulnerability which would grant an attacker full access to a system if a user visited a malicious site from a spam or phishing email. It’s also listed as exploitation less likely. This vulnerability affects all systems that support the Edge-HTML version of Microsoft Edge. As you’re aware, the newest versions of Edge are based on Chromium and self-update. It might be time to consider moving to that flavor if you have not already.

Other applications

CVE-2021-1647 is a Microsoft Defender Remote Code Execution Vulnerability that Microsoft states is currently under active attack. Listed as exploitation detected, this vulnerability requires access to the system. Vulnerabilities like this are used many times in multi-stage attacks, using one vector to gain access to the system, and then a vulnerability like this to execute additional code for the next stage in their attack. Luckily, Microsoft updates their engine along with their definitions in regular updates. Simply ensure any systems running Windows Defender are configured for regular updates and it will resolve itself. In this case, make sure Defender is running Microsoft Malware Protection Engine version 1.1.17700.4 or later.

Important vulnerabilities worth some attention

We often run across vulnerabilities that are only listed as important but Microsoft marks them as exploitation more likely. This month we have two of those.

CVE-2021-1707 is a Microsoft SharePoint Server Remote Code Execution Vulnerability that would allow code to be executed on the kernel of the system hosting SharePoint if an application package were uploaded to the server. This is a higher-complexity attack as the attacker needs to have access to a user account with permissions to upload to SharePoint. It also has a CVSS score of 8.8, which is on the higher end of the scale. This vulnerability affects SharePoint Foundation 2010 and 2013, SharePoint Enterprise Server 2016, and SharePoint Server 2019.

Finally, we have a Windows Win32k Elevation of Privilege Vulnerability, CVE-2021-1709. It’s a locally exploited vulnerability that requires no user interaction. An attacker could use this vulnerability to gain higher privileges during an attack with the intention of moving to other systems during a multi-stage attack. It has a CVSS of 7.0, and affects Windows 7 up to the current version of Windows 10, including Server and Core versions.

Microsoft also issued fixes for Office, SQL, Windows Installer, ASP.Net, Hyper-V, and Windows DNS. From a priority standpoint, if you’re running Windows Defender, make sure it’s receiving updates as expected. Next, focus on workstations, your SharePoint servers, and then move to your SQL and Office updates. Also make sure you take the time to update any DNS servers in your environment, as they can sometimes get skipped in favor of maintaining uptime.

 

Gill Langston is head security nerd for SolarWinds MSP. You can follow Gill on Twitter at @cybersec_nerd