Microsoft has released the January 2021 security updates, which include patches for 83 vulnerabilities, 10 of them rated Critical, including 1 zero-day RCE vulnerability (CVE-2021-1647) in Microsoft Defender.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products:
- .NET Core
- .NET Repository
- ASP .NET
- Microsoft Edge (EdgeHTML-based)
- Microsoft Malware Protection Engine
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Microsoft Windows Codecs Library
- SQL Server
- Visual Studio
Microsoft Defender RCE zero-day
Microsoft patched a Critical Defender remote code execution (RCE) vulnerability (CVE-2021-1647) as part of the recent patch release for Microsoft Malware Protection Engine.
Microsoft warned there was “exploitation detected” on this RCE vulnerability.
To safeguard against future attacks, Microsoft included the patch as part of the Microsoft Malware Protection Engine, and it should install automatically.
Microsoft addressed 10 Critical vulnerabilities, including the previously mentioned Defender zero-day and 9 other RCE vulnerabilities. The patches cover Windows, Windows Defender and browser products, as well as Extended Security Updates (ESU) for end-of-life software.
Critical Windows RCE patches
Microsoft patched the following Critical Windows RCE vulnerabilities:
- HEVC Video Extensions Remote Code Execution Vulnerability: CVE-2021-1643
- Remote Procedure Call Runtime Remote Code Execution Vulnerabilities: CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667 and CVE-2021-1673
- GDI+ Remote Code Execution Vulnerability: CVE-2021-1665
- Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability: CVE-2021-1668
Microsoft also published Extended Security Updates (ESUs) for certain paying customers that address most of the above Critical vulnerabilities in end-of-life products (such as Windows 7 and Windows Server 2008). The exceptions are CVE-2021-1643 (HEVC Video) and CVE-2021-1647 (Defender), for which no ESUs are offered.
Microsoft confirmed there were no known exploits against any of these Critical vulnerabilities at the time of the advisories.
Critical Edge browser RCE patch
Microsoft also patched a Microsoft Edge (HTML-based) Memory Corruption Vulnerability, CVE-2021-1705.
An attacker does not require any privileges to exploit this vulnerability.
In addition to the Critical RCEs, Microsoft patched 73 other vulnerabilities across multiple products, including Azure, Developer Tools, Office, SQL Server and Windows. Of these patches, 72 are rated Important and 1 is rated Moderate.
Microsoft also added a MITRE Corporation CVE update, CVE-2020-26870, to help document a vulnerability in Cure53 DOMPurify, open-source software used by Visual Studio. Microsoft confirmed that the Visual Studio updates incorporate the Cure53 DOMPurify updates to address the vulnerability.