Despite a lower-than-average number of updates and patches in February, four vulnerabilities have been publicly disclosed and we’re seeing increasing reports of exploits in the wild.
CVE-2020-1472: This server update dates back to last Aug. 11, when the first of a two-part update was released. This is a super complex update that will require some research (read: MS-NRPC) and will require a number of changes to your site configuration (see: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472). I believe that this week is the enforcement phase of a restricted security model for all affected servers, so some planning and deployment efforts are required.
Mitigations and workarounds
This month, Microsoft has published a number of complex and important mitigations and workarounds, especially for enterprise IT admins:
- CVE-2021-24094 and CVE-2021-24086: Microsoft has offered a fairly technical workaround for mitigating these vulnerabilities, including running the following command on your servers: “Netsh int ipv6 set global reassemblylimit=0”. A related MSRC blog states: “The IPv4 workaround simply requires further hardening against the use of Source Routing, which is disallowed in Windows default state.” This workaround is also documented in CVE-2021-24074 and can be applied through Group Policy or by running a NETSH command that does not require a reboot. There is a lot of reading to do when dealing with this issue, with more information available here.
- CVE-2021-24077: This update relates to the Microsoft FAX Service and related drivers. The workaround offered here is to stop the FAX service. (Hey, who uses a FAX anymore?) I think this is a good idea, as this whole Windows subsystem is ripe for abuse. In addition to security concerns, some legacy FAX-related drivers are no longer supported on later versions of Windows 10 due to XDDM driver deprecations and compatibility issues. Run a Service dependency scan on your application portfolio and see what applications are affected. (Hint: Castelle Faxpress).
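As an added example (not from the original article or from Microsoft), the following PowerShell script audits the two netsh settings the workaround above relies on, applies them, and records the previous IPv6 reassembly limit so the change can be backed out once the updates are deployed. The state-file path and the parsing of netsh's English-language output are assumptions of this example.

```powershell
# Added example: audit/apply/revert the netsh workarounds for
# CVE-2021-24086 / CVE-2021-24094 (IPv6 reassembly) and
# CVE-2021-24074 (IPv4 source routing). Run from an elevated prompt.
param(
    [switch]$Apply,
    [switch]$Revert,
    # Assumed location for the saved pre-workaround value
    [string]$StateFile = "$env:ProgramData\ipv6-reassembly-previous.txt"
)

function Get-Ipv6ReassemblyLimit {
    # Parses "Reassembly Limit : <n>" from the global IPv6 parameters
    # (assumes an English locale for the netsh output)
    $line = netsh interface ipv6 show global | Select-String 'Reassembly Limit'
    if (-not $line) { throw 'Could not read the IPv6 reassembly limit' }
    [int64]($line.Line -replace '^.*:\s*', '')
}

function Get-Ipv4SourceRouting {
    # "drop" is the hardened state; "dontforward" is the Windows default
    $line = netsh interface ipv4 show global | Select-String 'Source Routing Behavior'
    if ($line) { ($line.Line -replace '^.*:\s*', '').Trim() } else { 'unknown' }
}

$current = Get-Ipv6ReassemblyLimit
Write-Host "IPv6 reassembly limit : $current  (0 = workaround active)"
Write-Host "IPv4 source routing   : $(Get-Ipv4SourceRouting)"

if ($Apply) {
    # Keep the original limit so the mitigation can be reverted after patching
    Set-Content -Path $StateFile -Value $current
    netsh interface ipv6 set global reassemblylimit=0 | Out-Null
    netsh interface ipv4 set global sourceroutingbehavior=drop | Out-Null
    Write-Host "Workarounds applied; previous limit saved to $StateFile"
}
elseif ($Revert) {
    if (-not (Test-Path $StateFile)) { throw "No saved limit found at $StateFile" }
    $previous = (Get-Content $StateFile | Select-Object -First 1).Trim()
    netsh interface ipv6 set global reassemblylimit=$previous | Out-Null
    netsh interface ipv4 set global sourceroutingbehavior=dontforward | Out-Null
    Write-Host "Restored IPv6 reassembly limit to $previous"
}
```

Neither netsh change needs a reboot, so the script can be pushed through your existing remote-execution tooling; with no switches it only reports the current state, which makes it usable as a compliance check.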
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office (Including Web Apps and Exchange);
- Microsoft Development platforms (NET Core, .NET Core and Chakra Core);
- Adobe Flash Player.
This month, Microsoft has not released any updates (yet again) to its in-house browsers. Instead we have benefitted from the Open Source Chromium team’s “early and often” release cycle with the following (multiple) updates since our last Patch Tuesday release:
- Feb. 5: Microsoft released the latest Microsoft Edge Stable Channel (Version 88.0.705.63). This update includes the latest Chromium Security Updates, of which CVE-2021-21148 has been reported as having been exploited in the wild.
- Feb. 4: Microsoft released the latest Microsoft Edge Stable Channel (Version 88.0.705.62), which incorporates the latest Security Updates of Chromium.
- Jan. 21: Microsoft released the latest Microsoft Edge Stable Channel (Version 88.0.705.50).
All of these updates are well contained within the Chromium desktop libraries, and from our research we find it difficult to imagine they would affect other applications or cause compatibility issues. Add these updates to your standard release schedule.
This February update cycle for the Windows ecosystem brings nine updates rated critical, 18 moderate, and the rest rated as low by Microsoft. Unusually, four Windows updates this month have been publicly disclosed, though all are rated as important: CVE-2021-1733, CVE-2021-1727, CVE-2021-24098, and CVE-2021-24106. Quoting from Microsoft MSRC: “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”
In addition to these already concerning disclosures, the following two vulnerabilities have been reported as exploited in the wild:
- CVE-2021-1732: Windows Win32k Elevation of Privilege Vulnerability.
- CVE-2021-1647: Microsoft Defender Remote Code Execution Vulnerability.
Though we only have nine updates rated as critical by Microsoft, they affect core areas within the Windows desktop, including:
- Microsoft Graphics Component (CVE-2021-24093).
- Windows TCP/IP (CVE-2021-24074).
- DNS Server (CVE-2021-24078).
- Microsoft Windows Codecs Library (CVE-2021-24081).
- Windows Print Spooler Components (CVE-2021-24088).
The remaining feature groupings are affected by Microsoft’s important updates:
- Windows Crypto Libraries and PFX Encryption.
- Windows Fax Service.
- Windows Installer.
- Windows Backup Engine.
- Windows PowerShell.
- Windows Event Tracing.
Following the testing recommendations listed above, I would make this update a priority, noting that the testing cycle for these updates may require in-depth analysis, some hardware (printing) and remote users (testing across a VPN). Add these Windows updates to your “Test before Deploy” update release schedule.
Microsoft has released 11 updates, all rated as important, to the Microsoft Office and SharePoint platforms covering the following application or feature groupings:
- Microsoft Office (CVE-2021-1711, CVE-2021-1713 – CVE-2021-1716).
- Microsoft Office SharePoint (CVE-2021-1641, CVE-2021-1707, CVE-2021-1712, CVE-2021-1718 – CVE-2021-1719).
- Microsoft SQL Server (CVE-2021-1636).
SharePoint Known Issues: if your customized SharePoint pages use the SPWorkflowDataSource or FabricWorkflowInstanceProvider user control, some functions on those pages may not work. To resolve this issue, see KB 5000640. Add these updates to your regular Office update schedule.
Microsoft development platforms
Microsoft released eight updates to the Microsoft development platforms, two rated as critical and the remaining six rated as important. They affect the following platforms or applications:
- .NET Core and .NET Framework (CVE-2021-26701, CVE-2021-1721, CVE-2021-24111, CVE-2021-24112).
- SysInternals (CVE-2021-1733).
- Visual Studio (CVE-2021-26700 and CVE-2021-1639).
Unfortunately, there have been a number of reports that the latest security roll-up update to .NET (for all supported versions) causes WPF applications to crash with the following error:
“Exception Info: System.NullReferenceException at System.Windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Windows.Interop.HwndSource, RECT ByRef)”
Microsoft has published a workaround that avoids the crash, but this workaround re-introduces the vulnerability fixed by the update. Not good. The two critical Development tool updates (CVE-2021-24112 and CVE-2021-26701) both require local access, and the latter has already been reported as exploited in the wild. Though some of the Visual Studio (graphics libraries) vulnerabilities could result in relatively easy remote code execution (RCE) attacks, Microsoft has said these vulnerabilities do not apply to existing Windows libraries. These updates are intended to prevent future security issues in developed code.
Despite these future proofing efforts, there is enough concern in these publicly exploited vulnerabilities for a “Patch Now” recommendation.
Adobe Flash Player
This month Adobe released updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the CMS system Magento. I think that the focus for most enterprises should be on the security fixes for Adobe Reader with 23 updates, seven of which are rated as critical by Adobe.
Adobe has reported that one critical rated vulnerability (CVE-2021-21017) has been reported as exploited in the wild (on Windows desktops). This is a big update for Adobe Reader and may require some testing before deployment, which may cause headaches this release cycle as Adobe has recommended that this update be deployed within 72 hours of release.
Add the Adobe Reader updates to your “Patch Now” release schedule.