12 Jan 21

Microsoft Patch Tuesday, January 2021 Edition

Microsoft today released updates to plug more than 80 security holes in its Windows operating systems and other software, including one that is actively being exploited and another which was disclosed prior to today. Ten of the flaws earned Microsoft’s most-dire “critical” rating, meaning they could be exploited by malware or miscreants to seize remote control over unpatched systems with little or no interaction from Windows users.

Most concerning of this month’s batch is probably a critical remote code execution bug (CVE-2021-1647) in the scanning engine of Microsoft’s default anti-malware suite, Windows Defender, that is seeing active exploitation. Microsoft recently stopped providing much detail in its vulnerability advisories, so it’s not entirely clear how this is being exploited.

But Kevin Breen, director of research at Immersive Labs, says depending on the vector the flaw could be trivial to exploit.

“It could be as simple as sending a file,” he said. “The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.”

Fortunately, this bug is probably already patched on most end-user systems: the Defender scanning engine updates itself automatically alongside malware definitions, outside of the normal monthly patch cycle. Microsoft’s advisory lists the first engine version that contains the fix, so it is worth confirming that the local engine is at or above that version rather than assuming the update has landed.
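The following is an added example, not code from the original post, showing how to make that check from an elevated PowerShell prompt using the built-in Defender cmdlets. The threshold version 1.1.17700.4 is taken from Microsoft’s advisory for CVE-2021-1647 as the first fixed engine build; confirm that value against the advisory before relying on it.

```powershell
# Added example (not from the original post): confirm the local Defender engine
# already carries the CVE-2021-1647 fix. The engine ships through definition
# updates, not the monthly cumulative update, so Patch Tuesday alone says nothing.
# Assumption: 1.1.17700.4 is the first fixed engine version named in Microsoft's
# advisory for CVE-2021-1647; verify that number against the advisory itself.
$FixedEngine = [version]'1.1.17700.4'

function Test-DefenderEngineFixed {
    param([version]$MinimumEngine = $FixedEngine)

    $status = Get-MpComputerStatus
    $engine = [version]$status.AMEngineVersion

    [pscustomobject]@{
        EngineVersion      = $engine
        SignaturesUpdated  = $status.AntivirusSignatureLastUpdated
        RealTimeProtection = $status.RealTimeProtectionEnabled
        EngineFixed        = ($engine -ge $MinimumEngine)
    }
}

$result = Test-DefenderEngineFixed
$result | Format-List

if (-not $result.EngineFixed) {
    # Pull the current engine and signatures from the configured update source,
    # then re-check. If it still lags, the update channel itself needs attention
    # (blocked WSUS/proxy, stale Microsoft Update settings), not just this host.
    Update-MpSignature
    Test-DefenderEngineFixed | Format-List
}
```

A machine that reports an older engine even after Update-MpSignature is the one to look at: the exploit described above needs no user interaction, so a Defender instance that scans files but cannot reach its update source is exactly the exposed case.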

Breen called attention to another critical vulnerability this month — CVE-2021-1660 — which is a remote code execution flaw in nearly every version of Windows that earned a CVSS score of 8.8 (10 is the most dangerous).

“They classify this vulnerability as ‘low’ in complexity, meaning an attack could be easy to reproduce,” Breen said. “However, they also note that it’s ‘less likely’ to be exploited, which seems counterintuitive. Without full context of this vulnerability, we have to rely on Microsoft to make the decision for us.”

CVE-2021-1660 is actually just one of five bugs patched this month in a core Microsoft service called Remote Procedure Call (RPC), which is responsible for a lot of heavy lifting in Windows. Some of the more memorable computer worms of the past two decades, Blaster and Conficker among them, spread automatically by exploiting RPC vulnerabilities.

Allan Liska, senior security architect at Recorded Future, said while it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC — CVE-2019-1409 and CVE-2018-8514 — were not widely exploited.

The remaining 70 or so flaws patched this month earned Microsoft’s less-dire “important” ratings, which is not to say they’re much less of a security concern. Case in point: CVE-2021-1709, which is an “elevation of privilege” flaw in Windows 8 through 10 and Windows Server 2008 through 2019.

“Unfortunately, this type of vulnerability is often quickly exploited by attackers,” Liska said. “For example, CVE-2019-1458 was announced on December 10th of 2019, and by December 19th an attacker was seen selling an exploit for the vulnerability on underground markets. So, while CVE-2021-1709 is only rated as [an information exposure flaw] by Microsoft it should be prioritized for patching.”

Trend Micro’s Zero Day Initiative (ZDI) pointed out another flaw marked “important” — CVE-2021-1648, an elevation of privilege bug in Windows 8, 10 and some Windows Server 2012 and 2019 releases that was publicly disclosed by ZDI prior to today.

“It was also discovered by Google likely because this patch corrects a bug introduced by a previous patch,” ZDI’s Dustin Childs said. “The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.”

Separately, Adobe released security updates to tackle at least eight vulnerabilities across a range of products, including Adobe Photoshop and Illustrator. There are no Flash Player updates because Adobe retired the browser plugin in December (hallelujah!), and Microsoft’s update cycle from last month removed the program from Microsoft’s browsers.

Windows 10 users should be aware that the operating system will download updates and install them all at once on its own schedule, closing out active programs and rebooting the system. If you wish to ensure Windows has been set to pause updating so you have ample opportunity to back up your files and/or system, see this guide.

Please back up your system before applying any of these updates. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once. You never know when a patch roll-up will bork your system or possibly damage important files. For those seeking more flexible and full-featured backup options (including incremental backups), Acronis and Macrium are two that I’ve used previously and are worth a look.
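As an added example, not part of the original post, here is the pre-patch and post-patch routine the two paragraphs above describe, done with tools that ship in Windows 10 and run from an elevated Windows PowerShell 5.1 prompt (Checkpoint-Computer and Enable-ComputerRestore are not available in PowerShell 7). It assumes E: is a separate backup volume and that System Protection may be enabled on C:; adjust both before running.

```powershell
# Added example (not from the original post): snapshot the machine before
# Patch Tuesday, then identify what the update actually installed afterwards.
# Assumptions: E: is a separate backup volume; System Protection is allowed on C:.
$Baseline = Join-Path $env:ProgramData 'patch-baseline.csv'

function Save-PrePatchState {
    param([string]$BackupTarget = 'E:')

    # Record the installed update set so new KBs can be identified afterwards.
    Get-HotFix | Select-Object HotFixID, Description, InstalledOn |
        Export-Csv -Path $Baseline -NoTypeInformation

    # Restore point: the cheap rollback for a patch that breaks drivers or services.
    Enable-ComputerRestore -Drive 'C:\'
    Checkpoint-Computer -Description 'Pre Patch Tuesday' -RestorePointType 'MODIFY_SETTINGS'

    # Full bootable image of every critical volume with the built-in wbadmin tool.
    # This is the slow step; it is the one that survives a patch that eats the OS.
    & wbadmin start backup "-backupTarget:$BackupTarget" -allCritical -quiet
}

function Compare-PostPatchState {
    # Run after the updates have installed and the machine has rebooted.
    $before = Import-Csv -Path $Baseline
    $after  = Get-HotFix | Select-Object HotFixID, Description, InstalledOn

    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property HotFixID |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object {
            $kb = $after | Where-Object HotFixID -eq $_.HotFixID
            '{0}  {1}  installed {2}' -f $kb.HotFixID, $kb.Description, $kb.InstalledOn
        }
}

# Before patching:
Save-PrePatchState -BackupTarget 'E:'

# After patching and rebooting:
# Compare-PostPatchState
```

Two caveats: Windows only creates one restore point per 24 hours by default, so a second Checkpoint-Computer call the same day is silently skipped, and a restore point does not protect user files, which is why the image step is there. The post-patch list is what you paste into a comment if something breaks, since a KB number is far more useful to other readers than “this month’s update”.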

That said, there don’t appear to be any major issues cropping up yet with this month’s update batch. But before you apply updates consider paying a visit to AskWoody.com, which usually has the skinny on any reports about problematic patches.

As always, if you experience glitches or issues installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


36 comments

  1. Why does anyone accept this as normal? Every.single.month.

    • This is all because Windows 10 is built upon a base of Windows NT, which was released almost 20 years ago when security wasn’t taken as seriously as it is today. They’ve spent the last 20 years cleaning it up (and introducing more flaws).

      • None of the major OSes were originally designed with security as the primary objective. One can certainly make a solid case that Linux/Unix had better security out of the box than Windows NT did, but none were birthed in an era where hacking was such a mortal threat as it is today, so lots of holes were left unplugged and compromises made in creating those OSes. It’s the reality we have to deal with.

      • Actually NT was released almost 30 years ago

    • This is the reason:

      GM replies to Bill Gates

      At a recent computer expo (COMDEX), Bill Gates reportedly compared the computer industry with the auto industry and stated “if GM had kept up with the technology like the computer industry has, we would all be driving $25.00 cars that got 1,000 miles to the gallon.”

      In response to Bill’s comments, General Motors issued the following press release –

      If GM had developed technology like Microsoft, we would all be driving cars with the following characteristics –

      1. For no reason whatsoever, your car would crash twice a day.

      2. Every time they repainted the lines in the road, you would have to buy a new car.

      3. Occasionally your car would die on the freeway for no reason. You would have to pull over to the side of the road, close all of the windows, shut off the car, restart it, and reopen the windows before you could continue. For some reason you would simply accept this.

      4. Occasionally, executing a maneuver such as a left turn would cause your car to shut down and refuse to restart, in which case you would have to reinstall the engine.

      5. Only one person at a time could use the car unless you bought “car NT”, but then you would have to buy more seats.

      6. Macintosh would make a car that was powered by the sun, was reliable, five times as fast and twice as easy to drive – but would only run on five percent of the roads.

      7. The oil, water temperature, and alternator warning lights would all be replaced by a single “General Protection Fault” warning light.

      10. The airbag system would ask “are you sure?” before deploying.

      11. Occasionally, for no reason whatsoever, your car would lock you out and refuse to let you in until you simultaneously lifted the door handle, turned the key and grabbed hold of the radio antenna.

      12. GM would require all car buyers to also purchase a deluxe set of Rand McNally road maps (now a GM subsidiary), even though they neither need nor want them. Attempting to delete this option would immediately cause the car’s performance to diminish by 50% or more. Moreover, GM would become a target for investigation by the Justice Dept.

      13. Every time GM introduced a new car, car buyers would have to learn to drive all over again because none of the controls would operate in the same manner as the old car.

      14. You’d have to press the “Start” button to turn the engine off.

      **********************************************

      found at whydidthechickencrosstheroad.org – attributed to David Atkinson

      • As for point #14… I’ve actually had rental cars where I’ve had to push the Start button to turn the engine off. And on one car, doing so would actually restart the engine because it had already turned itself off (gone to sleep) without my knowing it.

      • That’s an oldie but a goodie…not quite as old as: “To err is human, to really screw-up you need a computer.”

        BTW, anyone having stand-alone software that won’t work now because Adobe Flash has been disabled by MS? Here’s a simple work-around someone figured out:
        Control Panel > Clock and Region
        Date and Time
        Change date and time
        Date section (Calendar) change to 11/01/2020
        Click OK
        Run your Flash-dependent program
        After finished, change date back to actual date.

    • What’s the alternative? Ignore vulnerabilities?

      Vendors did that for years before the flaws with that model became readily apparent.

      Linux usually has vulnerabilities patched weekly (sometimes more often, depends on the project). Do you want to patch more often?

    • NO software is foolproof. Microsoft has one of the largest code bases, so it’s expected.

      • Povl H. Pedersen

        Microsoft has many issues with their code.
        Some of it likely comes from the time when their policy was, that if you can’t beat the other department then sabotage them. Increased your relative score in Stacked Ranking.

        If you look at the patchwork of inconsistencies in O365/Azure, it is clear that there is no direction and no management at Microsoft. Maybe people to cash in on the positions, but they really need some coordinated look and feel.

        Apple is doing better, they have a huge codebase as well, but at least they completely reworked it a few times. So not much old-school Motorola 68k MacOS 7 compatibility left in there.

        Sometimes rewriting software is better than making old code even more confusing.

        • …well, yes and no…

          …mac os x is still darwin (aka freebsd) underneath and therefore is actually as old as anything in the ms world…

  2. The Sunshine State

    Thunderbird email client also had an update today

  3. Ankunding Ankunding

    Thanks to this article I can learn more. Expand my knowledge and abilities. Actually the article is very real.

  4. Can someone tell me why I should trust updates from any vendor after the SolarWinds fiasco!? Seems to me we’re all taking a huge risk by accepting and applying “fixes” to our systems.

    • Because it’s pretty backward and idiotic.

      You are falling victim to a psychological vulnerability. A fallacy.

      Just because this major hack grabs all the headlines for weeks or months, does not make it more prevalent in the real world.

      Supply chain attacks are really difficult to pull off, which is why it was a nation state that did it.
      It’s probably 20 to 50 times more likely that a normal vulnerability will be exploited, something that could be patched if you were to apply the updates.

      This attack does not change the general security principles. Patch your damn systems.

  5. People have been accepting M$ bugs as “normal” ever since MS/DOS (if anyone remembers that). Heck, even CP/M was more reliable! In my day, if we found a bug in our stuff then not only did we drop everything and fix it, we also searched for similar defects in other related software.

    MickeySoft has taught lusers to accept defective software as being OK (everybody knows that computers crash!). Not in our day they didn’t…

  6. Do Windows 10 vulnerabilities typically also affect Windows 7 ? (Don’t jump to conclusions, I run Win 10 – asking for a friend)

    • Windows 10 vulnerabilities do not always affect Windows 7, however certain high severity vulnerabilities are in common. It’s pretty safe to assume that there is more than one open vulnerability in Windows 7 – even with a current browser: a downloadable font exploit or graphic subsystem exploit would succeed for example.

  7. Nothing major – looks like there’s a typo (multiple places) on the page. CVE-2020-1660 should say CVE-2021-1660 as per the hyperlink to the MSRC article.

    Gotta love typing up dates at this time of year!

  8. This month’s patches broke “Your Phone”, a Microsoft app . . .

  9. I am not as fearful of hackers et al as I AM of Microsoft Updates.

    Since the Updates fiasco of August and September 2019 affecting 8.1, I have declined their offer to damage my computer again. No recompense, no apologies. Just who do they think they are?

    • “No recompense – no apologies just who do they think they are?”

      The ones that own the operating system on your computer and only license the use of said operating system software to you?

      The ones that you agreed could do anything they wanted to said operating system software regarding updates and that they aren’t responsible if those updates render your computer unusable?

      Just saying.

      • The ones with a near monopoly on operating systems.

        The ones collecting data on you to monetize (Win 10 is free for a reason – well Apple does the same thing on their phones, so let’s not rehash MS v Apple).

        The best one can do is, once you have a stable operating system, unplug it from the Internet. Have a system for browsing which has nothing personal or identifiable on it and reinstall it (using a system image) once a week or so.

        Remember, there could be low-level spyware in some hardware components, like hard drives, video cards, motherboards, etc., that could “call home”, and no software patch is going to stop those!

  10. This update crashed my PC and caused RPC unavailable errors. This is what you are afraid of with Windows updates.

  11. Has any user had unexpected reboots or BSODs with these patches installed, KB4588289 and KB4598279?

  12. “But if I make the effort to patch THIS month, they’ll just release more patches NEXT month and I’ll have to do it ALL OVER AGAIN.”

    Actual excuse from a sysadmin

  13. Remember when Microsoft said Windows 10 was going to be so much better at security? I never believed it for a second, because it’s Windows, and while we can all be told it’s better, it’s still basically filled with code from Windows NT. It’s also still a huge target given all the devices that run Windows. If you want to be safer, use an obscure OS that only has a small market share. Even if it has many flaws unpatched, nobody is probably targeting them. The only way to stay safe on Windows is to update and hope it doesn’t break something.

  14. Mr. Krebs –
    I have always wondered how you determine the heading for each of your articles. For example, they all seem to be numbered based on nothing obvious, and many are duplicates for no apparent reason.
    And the date is always in the future? Today’s article that I am reading on the 18 of January, is dated January 21?
    I’ve looked around your site for some logical reason for your cataloging system, but it makes no sense that I can make heads or tails of.
    Just curious,
    Herb.

    • The big number is the day. There is also a precise date and timestamp (albeit in small type) at the bottom of every post. E.g., the one at the bottom of this post says:

      This entry was posted on Tuesday, January 12th, 2021 at 8:32 pm and is filed under Time to Patch

      • Hello,

        Please, at least for IT community’s sake, use only full ISO 8601 dates (YYYY-MM-DD), never ever (!) any shortcuts (YY) or confusing US format (MM/DD/YY). Neither names (Jan/Feb/…).

        Thank you.

  15. Well, well, well. I’m not surprised. I’m tired of seeing big companies not listening to their security advisors. Like, they keep their software weak in terms of security on purpose, and that’s horrible.
