January 2021 Patch Tuesday: Microsoft plugs Defender zero-day RCE

On this January 2021 Patch Tuesday:

• Microsoft has plugged 83 CVEs, including a Microsoft Defender zero-day
• Adobe has delivered security updates for a variety of products
• SAP has released 10 security notes and updated 7 previously released ones
• Mozilla has fixed a critical vulnerability affecting Thunderbird

Microsoft’s updates

Microsoft has plugged 83 security holes, 10 of which are critical. One of the latter – a zero-day RCE (CVE-2021-1647) affecting Microsoft Defender antivirus – is being exploited in the wild, but Microsoft didn’t reveal more about these attacks.

“A remote code execution vulnerability in MS Defender is bad news. Because it must be able to scan all the files and processes on your system, Defender has some of the highest permissions available, so if you can run code in this context, you’ll gain full access to the system,” noted Kevin Breen, Director of Cyber Threat Research at Immersive Labs.

“Depending on the vector, which is not identified in the update, this could be trivial to exploit. In fact, it could be as simple as sending a file; the user doesn’t need to interact with anything, as Defender will access it as soon as it is placed onto the system. If there’s any indication that this vulnerability has been exploited on your networks, ensure you look for lateral movement – don’t just focus on the affected device.”

Luckily for everyone, patching in this instance is uncomplicated. “This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to manually apply the patch,” Trend Micro Zero Day Initiative’s Dustin Childs commented.

Another fixed bug of note is CVE-2021-1648, an elevation of privilege vulnerability in the Microsoft splwow64 service. Though details about it and PoC exploit code have been publicly released by Trend Micro ZDI, it is still not exploited by attackers, but it’s possible it will be soon.

Among the critical flaws fixed on this January 2021 Patch Tuesday by Microsoft are five Remote Procedure Call runtime RCEs (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673).

“CVE-2020-1660 is listed as a remote code execution via the network with a CVSS of 8.8. This sounds pretty bad at first glance, but Microsoft has taken the decision to remove detailed descriptions from the release, leaving us with little context,” Breen pointed out.

Allan Liska, Senior Security Architect at Recorded Future, noted that “while these vulnerabilities are considered critical, and it is concerning that so many vulnerabilities around the same component were released simultaneously, two previous vulnerabilities in RPC Runtime, CVE-2019-1409 and CVE-2018-8514, were not widely exploited.”

Childs has also singled out CVE-2021-1677, an Azure Active Directory Pod vulnerability that may allow identity spoofing, as worthy of special mention (though classed only as “important” by Microsoft.

“This vulnerability exists in the way that the Azure Active Directory (AAD) pod identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access to the Azure Instance Metadata Service (IMDS) endpoint and get a token of that identity,” he explained.

“This could allow an attacker to laterally steal the identities that are associated with different pods. This is also requires more than just a patch to fix. Anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes.”

Other critical vulnerabilities patched are found in GDI+, HEVC Video Extensions, Microsoft DTV-DVD Video Decoder, and Microsoft Edge. The rest of the patched flaws (mostly “important” and a few “moderate”) affect a wide variety of Microsoft solutions, including the Bot Framework SDK, Hyper-V, Microsoft Office, SharePoint, Windows Bluetooth, Windows CSC Service, and so on.

Adobe’s updates

Adobe has released security updates for Photoshop, Illustrator, Animate, Campaign, Classic, InCopy, Bridge, and Captivate.

All of the security updates except the one for Captivate fix at least one critical vulnerability that could lead to arbitrary code execution, but as none of them are publicly known and/or under active attack. In addition to this, all of these applications (except Campaign) have historically not been a target for attackers, so administrators don’t have to rush to implement the updates immediately.

What administrators should do (if they haven’t already) is to remove any Adobe Flash Player version from the machines they are responsible for, as it has finally reached end-of-life.

“Some enterprise customers may still require Flash Player commercial support and licensing beyond 2020 to run internal business systems (i.e. content on a company’s intranet, interactive dashboards, digital training). For these instances, enterprise customers should contact our official distribution licensing partner – HARMAN – to see what options are available,” Adobe advised.

SAP’s updates

For January 2021 Patch Tuesday, SAP has released 10 new security notes and updated 7 previously released ones.

The most crucial updates in this batch are for SAP Business Warehouse and SAP BW/4HANA, fixing several code injection vulnerabilities. Check out Onapsis’s blog post for a more in-depth explanation about the most critical flaws fixed and patching process particulars.

Mozilla’s updates

Following a critical security update for Firefox, Firefox ESR and Firefox for Android released last week, Mozilla has released Thunderbird 78.6.1 on Monday and fixed the same bug in its email client.