12 Jan 21

Microsoft Patch Tuesday, January 2021 Edition

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.

Most concerning of this month’s batch is probably a critical bug (CVE-2021-1647) in Microsoft’s default anti-malware suite — Windows Defender — that is seeing active exploitation. Microsoft recently stopped providing a great deal of detail in their vulnerability advisories, so it’s not entirely clear how this is being exploited.

But Kevin Breen, director of research at Immersive Labs, says that, depending on the vector, the flaw could be trivial to exploit.

“It could be as simple as sending a file,” he said. “The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.”

Fortunately, this bug is probably already patched by Microsoft on end-user systems, as the company continuously updates Defender outside of the normal monthly patch cycle.

Breen called attention to another critical vulnerability this month — CVE-2020-1660 — a remote code execution flaw affecting nearly every version of Windows, which earned a CVSS score of 8.8 (10 is the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, meaning an attack could be easy to reproduce,” Breen said. “However, they also note that it’s ‘less likely’ to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2020-1660 is actually just one of five bugs in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC — CVE-2019-1409 and CVE-2018-8514 — were not widely exploited.

The remaining 70 or so flaws patched this month earned Microsoft’s less-dire “important” ratings, which is not to say they’re much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019.

“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching.”

Trend Micro’s ZDI Initiative pointed out another flaw marked “important” — CVE-2021-1648, an elevation of privilege bug in Windows 8 and 10 and in some Windows Server 2012 and 2019 versions, which was publicly disclosed by ZDI prior to today.

“It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch,” ZDI’s Dustin Childs said. “The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.”

Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers.

Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide.

Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I’ve used previously and are worth a look.

That said, there don’t appear to be any major issues cropping up yet with this month’s update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches.
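The article recommends confirming that Defender has refreshed itself out of band and that this month’s cumulative updates have actually landed before trusting a host as patched. The following PowerShell function is an added example, not code from the article or from Microsoft, that does that check on a Windows 10 host. It assumes an elevated PowerShell session on the machine being checked; the KB numbers are the two a reader names in the comments below and should be replaced with the cumulative update IDs for your own Windows build.

```powershell
# Added example (not from the article): post-Patch-Tuesday verification on Windows 10.
# Assumes an elevated PowerShell session on the host being checked.
# The default KB IDs are the ones a commenter mentions; substitute the IDs for your build.

function Get-PatchStatus {
    param(
        [string[]]$KbIds = @('KB4598279', 'KB4588289')
    )

    # 1. Defender engine, platform and signature versions. Defender updates ship
    #    outside the monthly cycle, so the OS build number alone does not tell you
    #    whether the anti-malware component itself has been refreshed.
    $mp = Get-MpComputerStatus
    $defender = [pscustomobject]@{
        EngineVersion      = $mp.AMEngineVersion
        PlatformVersion    = $mp.AMProductVersion
        SignatureVersion   = $mp.AntivirusSignatureVersion
        SignatureUpdated   = $mp.AntivirusSignatureLastUpdated
        RealTimeProtection = $mp.RealTimeProtectionEnabled
    }

    # 2. Which of the expected KBs are installed. Get-HotFix reads the
    #    Win32_QuickFixEngineering class, where cumulative updates are listed.
    $installed = Get-HotFix | Where-Object { $_.HotFixID -in $KbIds }
    $missing   = $KbIds | Where-Object { $_ -notin @($installed.HotFixID) }

    # 3. An update that is installed but still waiting for a reboot is not yet
    #    protecting the machine; these registry keys exist only while a reboot is pending.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{
        Defender      = $defender
        InstalledKBs  = @($installed | Select-Object HotFixID, InstalledOn)
        MissingKBs    = @($missing)
        RebootPending = $rebootPending
    }
}

# Usage: print the full report as JSON so nested objects are readable.
Get-PatchStatus | ConvertTo-Json -Depth 3
```

A non-empty `MissingKBs` list or `RebootPending = true` means the host is not yet where this month’s advisories assume it is. The `Get-MpComputerStatus` cmdlet is only available where Defender is installed; on a machine running a third-party anti-malware product the Defender fields should be read with that in mind.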

As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


24 comments

  1. Why does anyone accept this as normal? Every.single.month.

    • This is all because Windows 10 is built upon a base of Windows NT, which was released almost 20 years ago when security wasn’t taken as seriously as it is today. They’ve spent the last 20 years cleaning it up (and introducing more flaws).

      • None of the major OS were originally designed with security as the primary objective. One can certainly make a solid case that Linux/Unix had better security out of the box than Windows NT did, but none were birthed in an era where hacking was such a mortal threat as it is today, so lots of holes were left unplugged and compromises were made in creating those OS. It’s the reality we have to deal with.

      • Actually NT was released almost 30 years ago

    • This is the reason:

      GM replies to Bill Gates

      At a recent computer expo (COMDEX), Bill Gates reportedly compared the computer industry with the auto industry and stated “if GM had kept up with the technology like the computer industry has, we would all be driving $25.00 cars that got 1,000 miles to the gallon.”

      In response to Bill’s comments, General Motors issued the following press release –

      If GM had developed technology like Microsoft, we would all be driving cars with the following characteristics –

      1. For no reason whatsoever, your car would crash twice a day.

      2. Every time they repainted the lines in the road, you would have to buy a new car.

      3. Occasionally your car would die on the freeway for no reason. You would have to pull over to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue. For some reason you would simply accept this.

      4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.

      5. Only one person at a time could use the car unless you bought “car NT”, but then you would have to buy more seats.

      6. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive – but would only run on five percent of the roads.

      7. The oil, water temperature, and alternator warning lights would all be replaced by a single “General Protection Fault” warning light.

      10. The airbag system would ask “are you sure?” before deploying.

      11. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.

      12. GM would require all car buyers to also purchase a deluxe set of Rand McNally road maps (now a GM subsidiary), even though they neither need nor want them. Attempting to delete this option would immediately cause the cars performance to diminish by 50% or more. Moreover, GM would become a target for investigation by the Justice Dept.

      13. Every time GM introduced a new car, car buyers would have to learn to drive all over again because none of the controls would operate in the same manner as the old car.

      14. You’d have to press the “Start” button to turn the engine off.

      **********************************************

      found at whydidthechickencrosstheroad.org – attributed to David Atkinson

    • What’s the alternative? Ignore vulnerabilities?

      Vendors did that for years before the flaws with that model became readily apparent.

      Linux usually has vulnerabilities patched weekly (sometimes more often, depends on the project). Do you want to patch more often?

    • NO software is foolproof. Microsoft has one of the largest code bases, so it’s expected.

  2. The Sunshine State

    Thunderbird email client also had an update today

  3. Ankunding Ankunding

    Thanks to this article I can learn more. Expand my knowledge and abilities. Actually the article is very real.

  4. Can someone tell me why I should trust updates from any vendor after the SolarWinds fiasco!? Seems to me we’re all taking a huge risk by accepting and applying “fixes” to our systems.

    • Because it’s pretty backward and idiotic.

      You are falling victim to a psychological vulnerability. A fallacy.

      Just because this major hack grabs all the headlines for weeks or months, does not make it more prevalent in the real world.

      Supply chain attacks are really difficult to pull off, which is why it was a nation state that did it.
      It’s probably 20 to 50 times more likely that a normal vulnerability will be exploited, something that could be patched if you were to apply the updates.

      This attack does not change the general security principles. Patch your damn systems.

  5. People have been accepting M$ bugs as “normal” ever since MS/DOS (if anyone remembers that). Heck, even CP/M was more reliable! In my day, if we found a bug in our stuff then not only did we drop everything and fix it, we also searched for similar defects in other related software.

    MickeySoft has taught lusers to accept defective software as being OK (everybody knows that computers crash!). Not in our day they didn’t…

  6. Do Windows 10 vulnerabilities typically also affect Windows 7 ? (Don’t jump to conclusions, I run Win 10 – asking for a friend)

    • Windows 10 vulnerabilities do not always affect Windows 7, however certain high severity vulnerabilities are in common. It’s pretty safe to assume that there is more than one open vulnerability in Windows 7 – even with a current browser: a downloadable font exploit or graphic subsystem exploit would succeed for example.

  7. Nothing major – looks like there’s a typo (multiple places) on the page. CVE-2020-1660 should say CVE-2021-1660 as per the hyperlink to the MSRC article.

    Gotta love typing up dates at this time of year!

  8. This month’s patches broke “Your Phone”, a Microsoft app . . .

  9. I am not as fearful of hackers et al as I AM of Microsoft Updates.

    Since the Updates fiasco of August and September 2019 affecting 8.1, I have declined their offer to damage my computer again. No recompense – no apologies. Just who do they think they are?

  10. This update crashed my PC and caused RPC unavailable errors. This is what you are afraid of with Windows updates.

  11. Has any user had unexpected reboots or BSODs with those patches installed, KB4588289 and KB4598279?

  12. “But if I make the effort to patch THIS month, they’ll just release more patches NEXT month and I’ll have to do it ALL OVER AGAIN.”

    Actual excuse from a sysadmin
