Microsoft emits 83 security fixes – and miscreants are already exploiting one of the vulns in Windows Defender

Redmond keeps us hanging with on-premises Exchange flaw still to be fixed


Patch Tuesday Microsoft on Tuesday released updates addressing 83 vulnerabilities in its software, which doesn't include the 13 flaws fixed in its Edge browser last week.

That's up from 58 repairs made in December, 2020, a relatively light month by recent standards.

Affected applications include: Microsoft Windows, Microsoft Edge (EdgeHTML-based), Microsoft Office and Microsoft Office Services and Web Apps, Microsoft Windows Codecs Library, Visual Studio, SQL Server, Microsoft Malware Protection Engine, .NET Core, .NET Repository, ASP .NET, and Azure.

In the current crop of 83, 10 vulnerabilities are critical and 73 are rated important. One of these bugs (CVE-2021-1648) is publicly known, according to Microsoft, while another, a remote-code execution hole (CVE-2021-1647) in the Windows Defender security system, is actively being exploited.

CVE-2021-1647 is a Microsoft Defender remote code execution (RCE) vulnerability. In a blog post, Zero Day Initiative's Dustin Childs speculates that the flaw, which for some may already have been patched automatically, could have played a role in the SolarWinds fiasco.


CVE-2021-1648 is a Microsoft splwow64 elevation of privilege problem that was created by a previous patch, according to Childs. He singles out two other critical vulnerabilities of note: CVE-2021-1677, an Azure Active Directory pod identity spoofing flaw that could allow an attacker to obtain identities associated with different Kubernetes pods, and CVE-2021-1674, a Windows Remote Desktop Protocol (RDP) core security feature bypass.

Conspicuously absent from January's Patch Tuesday is a fix to address a bypass for CVE-2020-16875, an Exchange Server RCE supposedly repaired in September, 2020.

Infosec researcher Steven Seeley, who says he reported the initial flaw through Microsoft's Office 365 Cloud Bounty program, subsequently identified two ways around the patch, one of which was fixed last month via CVE-2020-17132.

The second bypass has yet to be addressed. "I reported this patch bypass on the 9th of December, 2020 just one day after Patch Tuesday and unfortunately at this time there is no mitigation against this attack for on-premise deployments of Exchange Server," he wrote in a blog post on Tuesday.

In a message to The Register, Seeley explained that an authenticated attacker with the "Data Loss Prevention" role is required to exploit this vulnerability and gain RCE as SYSTEM, the highest privilege level available on Windows under Ring 3.

In other patch-paloozas, SAP rolled out 10 security advisories and seven updates to previous advisories. One of these, 2622660, which revises the browser control Google Chromium delivered with SAP Business Client, carries a CVSS (im)perfect score of 10.

Adobe, meanwhile, released advisories covering eight CVEs in Bridge, Captivate, InCopy, Campaign Classic, Animate, Illustrator, and Photoshop.

On Monday, Mozilla issued a critical fix for Thunderbird, CVE-2020-16044, a use-after-free write bug that has been patched to prevent its potential use for remote execution of arbitrary code.

And earlier this month, Google published 43 CVEs, covering Android, Google Play, and components from hardware partners MediaTek and Qualcomm. Two of the flaws are critical (CVE-2021-0313 and CVE-2021-0316). The latter bug could allow a remote attacker to execute arbitrary code on an Android device.

Two critical flaws are also addressed in the fixes for Qualcomm's closed-source components but details have not been made public. As ever with Android updates, get it direct from Google if you can, or wait for your carrier and manufacturer to catch up. ®

