After a many-months hiatus, we’re back with the monthly summary of security updates released by Microsoft for its array of consumer and enterprise products. The world has changed since my last post on this topic almost a year ago, but if anything, computers and the Internet have become even more important parts of our lives. That means keeping systems secure is even more vital than before.
Working from home has gone from a privilege enjoyed by a few of us to a way of life for millions of us, at least intermittently. According to a Gartner survey, 80% of respondents say they will allow employees to continue working from home at least part of the time after the pandemic. But it’s not only that. Many more people are now shopping, banking, and taking care of most of their business online and are likely to continue doing so now that they’ve experienced the convenience and come to trust Internet transactions.
All this presents a challenge for organizations whose workers are accessing their networks from a variety of locations and local networks, often with their own personally owned devices. At a time when control is more crucial than ever, IT admins no longer have physical access to or physical control over the client computers, tablets, and smartphones that connect to the corporate network.
Thus, software vendors such as Microsoft need to work even harder to stay ahead of attackers and get patches out for security vulnerabilities as soon as possible, and you need to be extra diligent about your process of testing and getting those patches on your servers and ensuring that your users’ systems get updated in a timely manner.
Let’s take a look at this month’s critical and important updates.
As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide web site for a full list of the February releases. You’ll find that these apply to a long list of Microsoft products and features, including:
.NET Core, .NET Framework, Azure IoT, Developer Tools, Microsoft Azure Kubernetes Service, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Windows Codecs Library, Role: DNS Server, Hyper-V (Role), Windows Fax Service (Role), Skype for Business, SysInternals, System Center, Visual Studio, Windows Address Book, Windows Backup Engine, Windows Console Driver, Windows Defender, Windows DirectX, Windows Event Tracing, Windows Installer, Windows Kernel, Windows Mobile Device Management, Windows Network File System, Windows PFX Encryption, Windows PKU2U, Windows PowerShell, Windows Print Spooler Components, Windows Remote Procedure Call, Windows TCP/IP, and Windows Trust Verification API.
Surprisingly, given the large number of products being updated, this slate of patches fixes “only” fifty-six vulnerabilities (of course the same vulnerabilities are found across multiple products). We’ll focus on the critical issues since they pose the greatest threat.
Critical and exploited vulnerabilities
A number of critical Windows vulnerabilities are on the list this month, but the big news is the number of vulnerabilities that were publicly known prior to the release of the patches, including one that was already being exploited by attackers.
Critical vulnerabilities patched
The following vulnerabilities are rated critical:
CVE-2021-24074, CVE-2021-24086, and CVE-2021-24094 are vulnerabilities affecting the Windows TCP/IP stack. Two of these (24074 and 24094) are rated as critical remote code execution vulnerabilities. 24086 is an important Denial of Service vulnerability. The RCE exploits could be used to take control of an affected system, and the DoS issue could be exploited to remotely cause a stop error.
CVE-2021-1722 is a Windows Fax Service Remote Code Execution Vulnerability that affects all supported versions of Windows client and server operating systems and is rated critical. For those who are unable to apply the update, there is a workaround that involves uninstalling the Windows Fax and Scan feature (instructions are in the MSRC link).
CVE-2021-24081 is a Microsoft Windows Codecs Library Remote Code Execution Vulnerability for which the exploit code is labeled as proof-of-concept, which means that the code or technique isn’t functional in all situations and may require substantial modifications by a skilled attacker. Nonetheless, it carries a high risk to confidentiality, integrity and availability and thus is rated as critical. It affects Windows 10 versions 1809, 1903, 1909, 2004 and Windows Server 2019.
CVE-2021-26701 is a .NET Core Remote Code Execution Vulnerability that is rated critical, with high risk to confidentiality, integrity, and availability. It affects .NET 5.0 and .NET Core 2.1 and 3.1. Visual Studio is not vulnerable to this issue. The update is offered to include the .NET files so any future applications built in Visual Studio which include .NET functionality will be protected from this issue. Exploitation is rated as less likely.
Vulnerabilities exposed prior to patch release
In addition to the exploited CVE-2021-1732 vulnerability mentioned above, details for the following were posted to the public prior to the patch release:
CVE-2021-1732 tops this list, as an elevation of privilege issue in the Win32 component of Windows operating systems that a local attacker can exploit to take control of an affected system. It affects the Windows 10 and Windows Server 2019 operating systems. Microsoft reported that exploits of this vulnerability have been detected in the wild. It is rated Important.
CVE-2021-1721 is a .NET Core and Visual Studio Denial of Service Vulnerability, for which there is a proof-of-concept exploit. It affects Visual Studio 2017 and 2019, .NET 5.0 and .NET Core 2.1 and 3.1. Because it poses a high risk to availability but no risk to confidentiality and integrity, it is rated Important.
CVE-2021-1727 is a Windows Installer Elevation of Privilege Vulnerability, another that has a proof-of-concept exploit, although no exploit has been detected in the wild. It affects Windows 10, Windows 8.1, and Windows 7 client operating systems and Windows Server 2019, 2016, 2012, 2008/2008 R2, 2004, 1909, and 20H2 (including server core installations). It is rated Important.
CVE-2021-1733 is a Sysinternals PsExec Elevation of Privilege Vulnerability, yet another with a proof-of-concept exploit. It affects PsExec, which is a tool in the downloadable PsTools suite for executing processes remotely. Exploitation probability is rated as less likely.
CVE-2021-24106 is a Windows DirectX Information Disclosure Vulnerability. The type of information that could be disclosed if an attacker successfully exploited this vulnerability is uninitialized memory. It affects Windows 10, Server 2019, Server 1909 and Server 20H2. No exploit code is deemed to be available and although it presents a high risk to confidentiality, there is no risk to integrity or availability. Exploitation is rated as less likely. It is rated Important.
CVE-2021-24098 is a Windows Console Driver Denial of Service Vulnerability. It affects Windows 10, Server 2019, Server 1909 and Server 20H2. There is no risk to integrity or confidentiality, although the risk to availability is high. However, user interaction is required to exploit this vulnerability (user must visit a compromised web site) and no exploit code is deemed to be available, so exploitation is rated as less likely and it is rated Important.
Applying the updates
Most organizations will deploy Microsoft and third party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service that’s built into the operating system.
Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog. Following are links to the downloadable updates for the most recent versions of Windows 10:
- KB4601345 — 2021-02 Cumulative Update for Windows 10 Version 1809
- KB4601315 — 2021-02 Cumulative Update for Windows 10 Version 1903
- KB4601315 — 2021-02 Cumulative Update for Windows 10 Version 1909
- KB4601319 — 2021-02 Cumulative Update for Windows 10 Version 2004
- KB4601319 — 2021-02 Cumulative Update for Windows 10 Version 20H2
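As an added example (not from Microsoft or from the original post), the following script checks an inventory export against the version-to-KB list above and reports which hosts still lack the February cumulative update. The CSV layout, host names, and the placeholder IDs KB0000000 and KB0000001 are constructed; because later cumulative updates replace earlier ones, the operator can pass the IDs of any newer updates to count as superseding.

```python
import csv
import io

# Windows 10 version -> February 2021 cumulative update, from the list above.
REQUIRED_KB = {
    "1809": "KB4601345",
    "1903": "KB4601315",
    "1909": "KB4601315",
    "2004": "KB4601319",
    "20H2": "KB4601319",
}

# Constructed inventory: hypothetical hosts and column names. KB0000000 and
# KB0000001 are placeholders, not real update IDs.
SAMPLE_INVENTORY = """host,version,installed_kbs
ws-001,20H2,KB4601319;KB0000001
ws-002,1909,kb0000001
ws-003,2004,KB0000000
ws-004,1809,
srv-legacy,1607,KB0000001
"""

def audit(inventory_csv, superseding=frozenset()):
    """Return {host: status}: 'patched', 'superseded', 'missing <KB>' or 'unlisted'."""
    superseding = {kb.upper() for kb in superseding}
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        version = row["version"].strip().upper()
        installed = {kb.strip().upper()
                     for kb in (row["installed_kbs"] or "").split(";") if kb.strip()}
        required = REQUIRED_KB.get(version)
        if required is None:
            # Version is not in the list above; look it up in the Update Catalog.
            results[row["host"]] = "unlisted"
        elif required in installed:
            results[row["host"]] = "patched"
        elif installed & superseding:
            # A newer cumulative update named by the operator replaces this one.
            results[row["host"]] = "superseded"
        else:
            results[row["host"]] = f"missing {required}"
    return results

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY, {"KB0000000"}).items():
        print(f"{host:12} {status}")
```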
Before rolling out an update to your production systems, you should always research whether there are known issues that could affect your particular machines and configurations. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found in the release notes for this month’s updates.
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems and its definitions are updated regularly. The updates are normally installed via Windows Update but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in KB890830.
Third party releases
In addition to Microsoft’s security updates, this month’s Patch Tuesday brought six updates from Adobe to address fifty vulnerabilities across their products (Acrobat, Reader, Dreamweaver, Photoshop, Illustrator, Animate, and Magento CMS). These include one vulnerability, CVE-2021-21017, that has already been used in “limited” attacks.