Automox Experts Weigh In on January 2021 Patch Tuesday Release
ear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
January 2021 Overview
Justin Knapp — General Overview
Microsoft ushers in the new year with 83 new vulnerabilities addressed, 10 of critical severity, and one that’s already been exploited in the wild. 2020 delivered a massive number of security fixes and we have every reason to suspect that 2021 will continue the trend. January’s patch release represents an increase over last month’s batch and features this year’s first zero-day exploit for operations teams to tackle; a critical remote code execution vulnerability within Microsoft Defender. With the Solarwinds breach still fresh from December and the scope of impact growing by the day, there’s a reaffirmed urgency for organizations to implement best practices for even the most basic security habits. Whether it's patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident.
Nicholas Colyer — Adobe Updates
Adobe has released 6 security updates and 1 hotfix addressing multiple remote code execution vulnerabilities, privilege escalations, and sensitive information disclosures across their product estate. Often it is the case that libraries are reused across multiple products and as such when a vulnerability is discovered, a host of different products may become vulnerable. Adobe’s security updates are a series from APSB21-01 through APSB21-07 encapsulating Photoshop, Illustrator, Animate, Campaign Classic, InCopy, Captivate, and Bridge respectively. In keeping convention with Automox recommendations, patching these vulnerabilities within a 72-hour window is highly recommended to maintain security continuum of care. In addition, Adobe Flash Player is officially end of life, seemingly closing the book on a major source of security concern for years in review. As of writing, Adobe has officially recommended the removal of Adobe Flash on all endpoints.
Critical Vulnerability Breakdown
Justin Knapp — CVE-2021-1705 Microsoft Edge (HTML-based) Memory Corruption Vulnerability
CVE-2021-1705 is a remote code execution vulnerability that exists when Microsoft Edge improperly accesses objects in memory. Successful exploitation of the vulnerability could enable an attacker to gain the same privileges as the current user. If the current user is logged on with admin rights, an attacker could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. An attacker could host a specially crafted website that is designed to exploit the vulnerability through Microsoft Edge, and then convince a user to view the website. The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements by adding specially crafted content that could exploit the vulnerability.
Chris Hass — CVE-2021-1647 Microsoft Defender Remote Code Execution Vulnerability
CVE-2021-1657, a critical remote code execution vulnerability found in Microsoft’s Malware Protection Engine, has already been seen in the wild by Microsoft. This vulnerability does not affect the network stack. An attacker would need to have access to the local machine already or trick the user into triggering the execution of the exploit, likely in the form of a malicious document delivered via a phishing campaign. Affected versions of Defender date back to late October 2020. It’s possible the attackers have been exploiting this Zero Day undetected for nearly three months, meaning applying this patch now is extraordinarily essential. This marks the 20th vulnerability and 8th critical vulnerability found in Microsoft Defender.
Eric Feldman — CVE-2021-1665 GDI+ Remote Code Execution Vulnerability
The Windows Graphics Device Interface (GDI+) is an operating system component that is responsible for representing graphical objects and transmitting them to output devices such as monitors and printers. GDI performs tasks such as drawing lines and curves, rendering fonts and handling color palettes. An attacker who successfully exploited this vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. This security update addresses the vulnerability by correcting the way that the Windows GDI handles objects in the memory.
Jay Goodman — CVE-2020-1643 HEVC Video Extensions
CVE-2021-1643 is a critical vulnerability identified in HEVC Video Extensions. HEVC Video Extensions are used by largely all videos in any app on Windows 10 devices. This vulnerability can lead to remote code execution. Remote code execution, or RCEs, are vulnerabilities that are highly impactful given that they enable attackers to directly run malicious code on the exploited systems. RCE vulnerabilities are a consistent struggle for system administrators moving into 2021. 2020 saw a significant amount of RCEs and the early indications are that this trend will continue. This particular vulnerability was discovered by FireEye and Vingroup. Microsoft does not provide mitigation recommendations aside from patching, however they do provide users a quick PowerShell command to check and verify if the vulnerability exists on a system.
Jay Goodman — CVE-2020-1668 Microsoft DTV-DVD Video Decoder
CVE-2021-1668 is a critical vulnerability identified in the Microsoft DTV-DVD Video Decoder. DTV-DVD is a built in video and audio decoder to handle DVD and digital TV encoding and decoding within Windows 7, 8, and 10. This is yet another vulnerability that can lead to remote code execution. Remote code execution, or RCEs, are vulnerabilities that are highly impactful given that they enable attackers to directly run malicious code on the exploited systems. RCE is a foundational goal for many adversaries as it can give complete control over a system, giving attackers a beachhead to spread malware and attacks laterally within an organization. System administrators should quickly patch any RCEs in their environment. Latent vulnerabilities in less visible applications or services like DTV-DVD can lie dormant for long periods of time, providing attackers with the tools necessary to fully exploit a system.
Nicholas Colyer — CVE-2021-1658 // 1660 // 1666 // 1667 // 1673: Microsoft RPC RCE Vulnerability
CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, and CVE-2021-1673 are all Remote Procedure Call Remote Code Execution vulnerabilities that affected Microsoft products. Context specifics are not available at this time and exploitability is currently classed less-likely. The expectation of elevated impact is presented with most RPC RCE vulnerabilities, but absent additional context with no known exploitation code belies any more specific recommendations aside from exercise of added due diligence to the security function in reviewing anomalous activity.
To see all the latest details and advice on this month’s Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.