📚 The January 2021 Security Update Review


💡 News category: Hacking
🔗 Source: thezdi.com

Welcome to the new year, and welcome to the first Patch Tuesday of 2021. Take a break from your regularly scheduled activities and join us as we review the details for the latest security offerings from Microsoft and Adobe. 

Adobe Patches for January 2021

This month, Adobe released seven updates addressing eight CVEs in Adobe Campaign Classic, Photoshop, Illustrator, Animate, InCopy, Captivate, and Bridge. Two of these bugs came through the ZDI program. The patch for Campaign Classic fixes a single Server-side request forgery (SSRF) vulnerability. The Photoshop patch fixes a single heap-based buffer overflow. The update for Illustrator corrects a Critical-rated uncontrolled search path element vulnerability. That’s the same story for the Animate and InCopy patches. The update for Captivate also fixes an uncontrolled search path element bug, but this one is only rated Important. The final Adobe patch for January fixes two Out-Of-Bounds (OOB) write bugs in Bridge. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2021

For January, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Seven of these CVEs were submitted through the ZDI program. Of these 83 CVEs, 10 are listed as Critical and 73 are listed as Important in severity. According to Microsoft, one bug is publicly known, and one other bug is known to be actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

- CVE-2021-1647 - Microsoft Defender Remote Code Execution Vulnerability
This bug in the Microsoft Malware Protection Engine may already be patched on your system, as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to apply the patch manually. While Microsoft does not state how widespread the active attacks are, there is certainly the possibility that this is related to recent news indicating Microsoft networks had been compromised.

- CVE-2021-1648 - Microsoft splwow64 Elevation of Privilege Vulnerability
This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer dereference. The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.

- CVE-2021-1677 - Azure Active Directory Pod Identity Spoofing Vulnerability
This vulnerability exists in the way that Azure Active Directory (AAD) Pod Identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access the Azure Instance Metadata Service (IMDS) endpoint and get a token for that identity. This could allow an attacker to laterally steal the identities that are associated with different pods. This also requires more than just a patch to fix. Anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes networking.

- CVE-2021-1674 - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this differs from CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible.

Here’s the full list of CVEs released by Microsoft for January 2021. 

| CVE | Title | Severity | Public | Exploited | Type |
|---|---|---|---|---|---|
| CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability | Critical | No | Yes | RCE |
| CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | Yes | No | EoP |
| CVE-2021-1665 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1643 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1668 | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1705 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2021-1658 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1660 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1666 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1667 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1673 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1723 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1649 | Active Template Library Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1677 | Azure Active Directory Pod Identity Spoofing Vulnerability | Important | No | No | Spoofing |
| CVE-2021-1725 | Bot Framework SDK Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1651 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1680 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1644 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1691 | Hyper-V Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1692 | Hyper-V Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1713 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1711 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1712 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1719 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1718 | Microsoft SharePoint Server Tampering Vulnerability | Important | No | No | Tampering |
| CVE-2021-1641 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoofing |
| CVE-2021-1717 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoofing |
| CVE-2021-1636 | Microsoft SQL Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1710 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1716 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1678 | NTLM Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1664 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1671 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1700 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1701 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1656 | TPM Device Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-26870 | Visual Studio Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1699 | Windows (modem.sys) Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1642 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1685 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1638 | Windows Bluetooth Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1683 | Windows Bluetooth Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1684 | Windows Bluetooth Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1679 | Windows CryptoAPI Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1652 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1653 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1654 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1655 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1659 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1688 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1693 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1637 | Windows DNS Query Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1645 | Windows Docker Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1703 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1662 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1657 | Windows Fax Compose Form Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1708 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1696 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1704 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1661 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1697 | Windows InstallService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1682 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1706 | Windows LUAFV Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1689 | Windows Multipoint Management Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1676 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1695 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1663 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1670 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1672 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1674 | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1669 | Windows Remote Desktop Services ActiveX Client Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1702 | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1650 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1694 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1681 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1686 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1687 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1690 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1709 | Windows Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1646 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | No | No | EoP |

Of the remaining Critical-rated patches, five involve remote code execution (RCE) bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important. Similarly, there’s a Critical-rated patch for HEVC Video Extensions that is documented the same as the Important-rated patch for HEVC Video Extensions. Either way, you’ll get the update for both through the Microsoft Store. Those who use either the Microsoft Store for Business or the Microsoft Store for Education will be able to get this update through their organizations. Rounding out the Critical-rated patches are an update for Edge and a patch for GDI+.

Moving on to the other patches, the update for the Active Template Library (ATL) stands out. Back in 2009, multiple bulletins and advisories were required to correct a typo. It’s not clear if the situation is that dire with this update, but if you created anything using ATL, you will likely need to apply the patch and then recompile your program. That’s also likely true for the patch to fix an EoP in the Windows Runtime C++ Template Library.

In looking at the Important-rated bugs that could allow RCE, the SharePoint bug should not be ignored. It does require authentication, but it could allow an authenticated user to take complete control of the system. The patch for Visual Studio also stands out. This update fixes a bug in Cure53 DOMPurify, which is an open-source library used by Visual Studio. The fix for this has been available since September, so you should treat this as though it was publicly disclosed. The remaining code execution bugs cover “Open-and-Own” bugs in Office components. An attacker would need to send a specially crafted file and convince a user to open it with an affected component. That would allow the attacker to execute code of their choice at the level of the logged-on user.

Similar to last month, there are multiple security feature bypasses being fixed this month. In addition to the two already mentioned, there are three impacting the Bluetooth component and one impacting NTLM. CVE-2021-1638 is definitely intriguing as it requires no authentication and no user interaction. The other Bluetooth bugs do require some level of user interaction. The bypass for NTLM requires some level of user interaction but no authentication. Again, without executive summaries, we can only speculate about the true severity of these bypasses.

There are a total of 34 EoP bugs getting patches this month. For almost all of these, an attacker would need to log on to a system and then execute specially crafted code to elevate their permissions. Most of these are in various Windows components, but the ones in Hyper-V and SharePoint stand out. Speaking of SharePoint, this month’s release also includes patches to fix a tampering bug and two spoofing bugs in SharePoint.

This month includes four patches to correct Denial-of-Service (DoS) bugs. Two of these bugs are in Hyper-V, and one is in .NET Core and Visual Studio. The last of these bugs resides in the Windows CryptoAPI and can be reached remotely. According to the CVSS rating, there is some level of user interaction involved, but no authentication is needed. 

Rounding out this release are 11 patches fixing information disclosure bugs. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, the info leak in Windows Docker is a bit more severe. This vulnerability could allow an attacker to decrypt data that was encrypted by the data protection API (DPAPI). It’s not clear if you need to re-encrypt data after applying this patch, but this has been required for similar bugs in the past. Without specifics on the bug, it’s tough to offer specific guidance. The other info disclosure bug that piques curiosity is the bug impacting the Bot Framework SDK. For this component, we’re just told the information leaked is “sensitive information.” Still, if you use the SDK, make sure you get an unaffected version.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!
