09 Feb 21

Microsoft Patch Tuesday, February 2021 Edition

Microsoft today rolled out updates to plug at least 56 security holes in its Windows operating systems and other software. One of the bugs is already being actively exploited, and six of them were publicized prior to today, potentially giving attackers a head start in figuring out how to exploit the flaws.

Nine of the 56 vulnerabilities earned Microsoft’s most urgent “critical” rating, meaning malware or miscreants could use them to seize remote control over unpatched systems with little or no help from users.

The flaw being exploited in the wild already — CVE-2021-1732 — affects Windows 10, Server 2016 and later editions. It received a slightly less dire “important” rating, mainly because it is a vulnerability that lets an attacker increase their authority and control on a device, which means the attacker needs to already have access to the target system.

Two of the other bugs that were disclosed prior to this week are critical and reside in Microsoft’s .NET Framework, a component required by many third-party applications (most Windows users will have some version of .NET installed).

Windows 10 users should note that while the operating system installs all monthly patch roll-ups in one go, that rollup does not typically include .NET updates, which are installed on their own. So when you’ve backed up your system and installed this month’s patches, you may want to check Windows Update again to see if there are any .NET updates pending.

A key concern for enterprises is another critical bug in the DNS server on Windows Server 2008 through 2019 versions that could be used to remotely install software of the attacker’s choice. CVE-2021-24078 earned a CVSS Score of 9.8, which is about as dangerous as they come.

Recorded Future says this vulnerability can be exploited remotely by getting a vulnerable DNS server to query for a domain it has not seen before (e.g. by sending a phishing email with a link to a new domain or even with images embedded that call out to a new domain). Kevin Breen of Immersive Labs notes that CVE-2021-24078 could let an attacker steal loads of data by altering the destination for an organization’s web traffic — such as pointing internal appliances or Outlook email access at a malicious server.

Windows Server users also should be aware that Microsoft this month is enforcing the second round of security improvements as part of a two-phase update to address CVE-2020-1472, a severe vulnerability that first saw active exploitation back in September 2020.

The vulnerability, dubbed “Zerologon,” is a bug in the core “Netlogon” component of Windows Server devices. The flaw lets an unauthenticated attacker gain administrative access to a Windows domain controller and run any application at will. A domain controller is a server that responds to security authentication requests in a Windows environment, and a compromised domain controller can give attackers the keys to the kingdom inside a corporate network.

Microsoft’s initial patch for CVE-2020-1472 fixed the flaw on Windows Server systems, but did nothing to stop unsupported or third-party devices from talking to domain controllers using the insecure Netlogon communications method. Microsoft said it chose this two-step approach “to ensure vendors of non-compliant implementations can provide customers with updates.” With this month’s patches, Microsoft will begin rejecting insecure Netlogon attempts from non-Windows devices.
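One way to see which devices this enforcement will affect, as an added example that is not part of the original article: a PowerShell function that summarises the Netlogon secure-channel events Microsoft documented for the CVE-2020-1472 rollout (IDs 5827 to 5831 in the System log, which the article itself does not list). The function name `Get-InsecureNetlogonSummary`, the sample events and the account names are constructed for illustration, and the `SamAccountName:` field in the message text is an assumption about the event layout.

```powershell
# Added example, not from the original article.
# Netlogon event IDs documented by Microsoft for the CVE-2020-1472 rollout:
#   5827 / 5828 = vulnerable connection DENIED (machine / trust account)
#   5829        = vulnerable connection ALLOWED (pre-enforcement phase)
#   5830 / 5831 = vulnerable connection ALLOWED by a group policy exception
$NetlogonIds = 5827, 5828, 5829, 5830, 5831

function Get-InsecureNetlogonSummary {
    param([Parameter(Mandatory)] [object[]] $Events)

    $Events | Where-Object { $NetlogonIds -contains $_.Id } | ForEach-Object {
        # Assumption: the message contains a "... SamAccountName: <name>" line.
        $account = '(unknown)'
        if ($_.Message -match 'SamAccountName:\s*(\S+)') { $account = $Matches[1] }

        $outcome = 'Allowed'
        if (@(5827, 5828) -contains $_.Id) { $outcome = 'Denied' }

        [pscustomobject]@{ Account = $account; Outcome = $outcome; Id = $_.Id }
    } | Group-Object Account, Outcome | ForEach-Object {
        [pscustomobject]@{
            Account  = $_.Group[0].Account
            Outcome  = $_.Group[0].Outcome
            Count    = $_.Count
            EventIds = ($_.Group.Id | Sort-Object -Unique) -join ','
        }
    } | Sort-Object Outcome, Account
}

# Constructed sample events, so the function can be tried away from a domain controller.
$sample = @(
    [pscustomobject]@{ Id = 5829; Message = 'Machine SamAccountName: NAS01$' }
    [pscustomobject]@{ Id = 5829; Message = 'Machine SamAccountName: NAS01$' }
    [pscustomobject]@{ Id = 5827; Message = 'Machine SamAccountName: PRINTSRV$' }
    [pscustomobject]@{ Id = 5830; Message = 'Machine SamAccountName: LEGACYAPP$' }
    [pscustomobject]@{ Id = 7036; Message = 'Unrelated service state change' }
)
Get-InsecureNetlogonSummary -Events $sample | Format-Table -AutoSize

# On a domain controller, feed it live events instead:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'NETLOGON'; Id = $NetlogonIds } -ErrorAction SilentlyContinue
# if ($live) { Get-InsecureNetlogonSummary -Events $live | Format-Table -AutoSize }
```

Accounts that appear with an "Allowed" outcome before the update are the ones to fix or replace, since the same connections are rejected once enforcement is in place.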

A couple of other, non-Windows security updates are worth mentioning. Adobe today released updates to fix at least 50 security holes in a range of products, including Photoshop and Reader. The Acrobat/Reader update tackles a critical zero-day flaw that Adobe says is actively being exploited in the wild against Windows users, so if you have Adobe Acrobat or Reader installed, please make sure these programs are kept up to date.

There is also a zero-day flaw in Google’s Chrome Web browser (CVE-2021-21148) that is seeing active attacks. Chrome downloads security updates automatically, but users still need to restart the browser for the updates to fully take effect. If you’re a Chrome user and notice a red “update” prompt to the right of the address bar, it’s time to save your work and restart the browser.

Standard reminder: While staying up-to-date on Windows patches is a must, it’s important to make sure you’re updating only after you’ve backed up your important data and files. A reliable backup means you’re less likely to pull your hair out when the odd buggy patch causes problems booting the system.

So do yourself a favor and back up your files before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.

Keep in mind that Windows 10 by default will automatically download and install updates on its own schedule. If you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches, see this guide.

And as always, if you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.


44 comments

  1. I am so happy to have left windows behind after Windows 7 was no longer supported. Switched to Mac and haven’t looked back. Except to read articles like this and cringe or laugh. I was a windows admin until 2017 and retired rather than “upgrade” the enterprise.

    • Because, y’know, there wasn’t a vulnerability that existed in sudo for the last decade that was exploitable with local access. See CVE-2021-3156.

      By no means am I a proponent of Microsoft. I’m pretty new in the enterprise field. But the blind tribalism of “MICROSOFT BAD, LINUX/MAC BETTER DOES NOT HAVE VULNERABILITIES” doesn’t do anyone any good when it’s demonstrably not true.

      • And yet it’s about attack surfaces and CHAINED exploits.

        Windows has multitudes MORE vulns. You’re using a straw man to distract from that fact. Nobody is claiming OSX/Linux is bug free.

        Windows is enough of a pariah without you trotting out strawmen to pretend anyone is making the absurd null hypothesis you just did.

        Having that many more installs and that many more out of date versions populated with known long-lasting vulns ready to chain?
        Yeah, it’s an ongoing issue – worse than OSX’s, demonstrably.
        Way more attack surface to choose from and every month more.

    • I still run Windows, but my wife has a MacBook Pro. She gets notified of security updates for her Office for Mac components and other Microsoft products.

    • The “get a mac” thing still makes me cringe (and laugh).

      Old school.

    • Thanks for that oh so helpful comment, it’s something I had not heard in over an hour.

    • > …Switched to Mac and haven’t looked back”.

      “Meet the new boss, same as the old boss….”

      Apple Security Shock As Mac Threats Outpace Microsoft Windows By 2 To 1

      https://www.forbes.com/sites/daveywinder/2020/02/11/platform-wars-2020-apple-security-threats-outpace-microsoft-windows-for-first-time/

  2. This batch of updates installed with no problems on my Win10 system. An update for 21-02 Cumulative Update for .NET Framework downloaded and installed with the rest of the updates – didn’t have to do it separately.

    Interestingly, one of the Quality Updates that installed was “Security Update For Adobe Flash Player” (KB4580325). According to the Microsoft Update website, this is an update from Oct 2020. I’ve never had Flash installed on this computer, so I don’t know why it would need an update.

    • Maybe a malware in the past needed flash, installed it without notifying you?

    • Or they are just ensuring flash is removed now that it isn’t supported by adobe. I still haven’t removed it. Just being lazy and pissed about it because I visit 3 sites where I still need flash although it won’t work anymore at the sites. And 2 of the sites are using flash emulators now, tho…gonna check my pc tonight, however, after seeing your comment about flash. I effing hate win10 for the record. Wish I’d never upgraded to it.

  3. Updates installed, situation normal.

  4. This batch of updates installed with no problems on my Win10 system.
    Great share

  5. Windows Malicious Software Removal Tool (KB890830) typically shows up every other month — most recently in Jan 2021 — but it’s on offer again this month. I installed it uneventfully. No mention of what’s Special.

  6. The Sunshine State

    Two Windows machines, one Windows 10 20H2 and the other Windows 8.1, updated no problems

  7. Also worth adding re: Adobe Reader — Sumatra v3.1.2 — https://www.sumatrapdfreader.org/free-pdf-reader.html continues to do the job for Windows users. I can’t suggest equivalent alternatives for other operating systems. Most system-agnostic browsers display .pdf documents. Also, Libre Office Draw displays .pdf documents in its own weird way. Bottom line: there’s little “need” for the Adobe alternative.

  8. Has everyone forgotten about 0Patch (Acros)? They were all over these like white on rice. Yeah, I run WIN 7, and will continue to do so until the machine fails, and I have a Linux Mint machine going full guns.

    …and as an IT vet of 21 years, I’d rather eat worms than run Win 10.

    • Ulrich Sollberger

      There are quite a number of tasty worms available if you are so inclined. I am also an IT professional (retired after 40 years) and use 3 PC’s under W10 without any problems. As a sideline, I also use an old laptop running under Ubuntu – works well.

      • I started using Red Hat Linux in the mid 1990s, and Linux Mint since about 2012. I have not had any virus/malware problems and I can do anything that I need to do, including reading/writing Microsoft Office stuff. Mint is easy to use and maintain. The sudo problem made great headlines AND was patched immediately.

      • I run Windows 10, Server 2019 DC through 2012 Standard, Ubuntu (LTS versions only) and Kali. Windows 10 has definitely improved by magnitudes from previous incarnations. However I detest using that Windows 10 style GUI on a server, and they should supply something more utilitarian, IMHO.

        BTW, since we’re seeing who can urinate the farthest, when I started in Windows it was called WIN386. My first year in school I had the dubious distinction of crashing the community college’s PDP11-780 with a goto loop, simulating a monopoly board! 😀 Retirement will happen when they throw dirt on the casket…

    • 0patch has issued FREE micropatches for this unpatched remotely exploitable vulnerability in Internet Explorer for most widely used Windows versions last Friday. See https://twitter.com/0patch/status/1359917469197074443

  9. Thanks for the information Brian.
    It’s a shame such articles bring out folk who want to slag others who post about their experience. Doesn’t seem to add to the experience.
    Maybe turning off comments on these sort of articles would be better.

    • You don’t have to read them.
      If there are 30 posts and one is useful and the others just give me a feel for others’ attitudes, I’m fine with that.
      It’s better than being surrounded by yes men and restricted insight any day of the week.

  10. Why no mention of Microsoft releasing fixes affecting Windows TCP/IP implementation including 2 critical RCE vulnerabilities (CVE-2021-24074, CVE-2021-24094) and a DOS vulnerability (CVE-2021-24086)?

  11. For general digestion, Adobe for Macs is not left out and is getting the update. Not that I use Acrobat/Reader any more.

  12. Hmmm… my Adobe Acrobat Pro DC opens when clicked, then closes immediately. This is going to be a pain in my side.

    • Add/Remove programs -> Modify -> Repair fixed it and allowed the update to be downloaded and installed. I wonder what broke it.

  13. Update of Win. 10 was slow, but went thru.
    However, the battery icon (laptop) disappeared from the system tray. So far none of the suggestions I found for bringing it back have worked.

  14. I’m in my 50s and go back to the beginning of Microsoft and DOS. The old DOS debugger, manipulating memory to get enough to play certain games, etc. I still use Windows daily at work but a Mac or a Linux machine is so much better for most users.

    I got my first Mac about 15 years ago (laptop) and since then 2 desktop Macs and I’m not going to claim anything about security since everything has some issues but updates in my 15 years of experience simply work on the Mac. I had one issue where I thought it was dead but it recovered (w/o using any kind of backup) and worked fine.

    Windows registry is a mess. I wish I had a job where I could select what OS I could use. My previous job I was lucky enough to use a Mac most of the time.

    For some reason certain Windows users are just super sensitive when people prefer a Mac. Maybe just due to lack of knowledge.

    My father when he was in his 70s took my suggestion of getting a Mac and hasn’t had any issues in the 5+ years of owning one.

    The main reason for Windows is gaming and maybe saving a $$$ in exchange for a ton of headaches when things go wrong.

    • …I’m in my 60’s, pre-msdos, cpm days…

      …you can make windows plenty reliable and secure and unix/linux/mac os x plenty insecure…

      …you’re only as smart as you wish to be…

      …or not…

    • “For some reason certain Windows users are just super sensitive when people prefer a Mac. ”

      Probably because certain Mac people usually exhibit a holier-than-thou superior attitude about their computer choice.

  15. The kb4601393 is required for kb4601446, but does this patch modify the registry for the Windows activation license?

  16. I think there’s a typo below, as this CVE only affects Server 2019 I believe?

    “The flaw being exploited in the wild already — CVE-2021-1732 — affects Windows 10, Server 2016 and later editions”

  17. Used Linux (Ubuntu) for over a year now without problems and the pestering Windows 10 gave; I will never go back.

  18. Update installed without issue. However, I cannot print from MS Outlook anymore. Simply pressing control-p or choose file -> print causes the program to freeze and need to be restarted. I haven’t yet figured out which add-in is now broken, but obviously one of them is, as I can print if I start Outlook in safe mode.

  19. Way OT (Sorry!) Just had another scam phone call this morning from another India boiler room operation. Did my best to play dumb and keep them on the line for as long as possible… [any time I can waste they can’t be scamming others].

    Just wanted to share that this time I pretended not to have a PC, just an iPad to talk to my family. Didn’t slow them for an instant. They directed me to the App Store and to install TeamViewer QuickSupport so they could take over the device and, presumably, either install more malware or look for mobile banking apps. Hadn’t seen that one before… pass the word.

  20. quitters and losers

    > The main reason for Windows is gaming

    If ALL of the people who dual boot Linux/Windows and use Windows for gaming suddenly stopped buying/playing the games on Windows and instead gathered together and demanded game developers release for Linux, there would be gaming on Linux.

    But, because people feel they are powerless, they retain Windows on their system(s) for gaming which solves nothing.

  21. you must not be using the same windows

    “you can make windows plenty reliable and secure”

    show me the code so we may audit it together.

    let’s make reproducible builds.

    let’s have 100% access FOSS to all code which includes every update, every attempt for M$ to add/remove software to your system, etc.

    PUT UP OR SHUT UP

    No one can make Windows “secure” and “plenty reliable” is a fscking joke.

  22. Yes, Microsoft confirms that SSU and LCU for Windows 10 with current support go in the same packet.

  23. Lost access to MS Office 2016. When I try to open a Word file, I’m being told it’s updating. Help.

  24. The problem with Windows is.. Well. Microsoft.

    The problem with Mac is… Well. Apple.

    The problem with Linux is because reasons.
