February 10, 2021

Patch Tuesday Update - February 2021

A quiet one for Microsoft, but a big one for Adobe

Keeping it rolling this month, Microsoft has addressed a total of 56 security flaws, including 11 important ones and one zero-day that has been seen exploited in the wild. The CVEs cover Windows components, .NET Framework, Azure, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.

We typically only cover Microsoft vulnerabilities in this blog, but for this month we’ll make an exception. Adobe delivered a whopping 50 CVEs just for their suite of products! This release includes updates for Dreamweaver, Illustrator, Animate, Photoshop and Magento, but the ones to pay particular attention to are for Acrobat/Reader. They’re most likely far more prevalent (and ignored) in most environments, and they contain a slew of critical and important issues, including one (CVE-2021-21017) that has been seen exploited in “limited” attacks on Windows.

Let’s start with the Microsoft CVEs. The big one this month is CVE-2021-1732, which exists in the Win32k package for Windows. From the Cybersecurity & Infrastructure Security Agency (CISA) bulletin released today:

“Microsoft has released a security advisory to address an escalation of privileges vulnerability, CVE-2021-1732, in Microsoft Win32k. A local attacker can exploit this vulnerability to take control of an affected system. This vulnerability was detected in exploits in the wild.

CISA encourages users and administrators to review Microsoft Advisory for CVE-2021-1732 and apply the necessary patch to Windows 10 and Windows 2019 servers.”

Another privilege escalation vulnerability, CVE-2021-1727, exists in Windows Installer and affects all supported versions of Windows. Microsoft rates this flaw as “Exploitation Likely,” meaning that attackers could write reliable exploit code for this vulnerability, but no such attack has been detected yet.

Rounding out the list of exploited and publicly disclosed vulnerabilities are:

  • CVE-2021-24098, a denial of service (DoS) vulnerability affecting Windows 10 and Server 2019
  • CVE-2021-24106, an information disclosure vulnerability for DirectX in Windows 10 and Server 2019
  • CVE-2021-26701, a Remote Code Execution (RCE) flaw in .NET Core

All affected Microsoft software this month:

  • .NET Core
  • .NET Framework
  • Azure IoT
  • Developer Tools
  • Microsoft Azure Kubernetes Service
  • Microsoft Dynamics
  • Microsoft Edge for Android
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Windows Codecs Library
  • Role: DNS Server
  • Role: Hyper-V
  • Role: Windows Fax Service
  • Skype for Business
  • SysInternals
  • System Center
  • Visual Studio
  • Windows Address Book
  • Windows Backup Engine
  • Windows Console Driver
  • Windows Defender
  • Windows DirectX
  • Windows Event Tracing
  • Windows Installer
  • Windows Kernel
  • Windows Mobile Device Management
  • Windows Network File System
  • Windows PFX Encryption
  • Windows PKU2U
  • Windows PowerShell
  • Windows Print Spooler Components
  • Windows Remote Procedure Call
  • Windows TCP/IP
  • Windows Trust Verification API

For more information or to access the security updates, see
https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/2021-Feb

As always, Balbix can identify all affected assets within 1 hour of release. To view the list of affected assets for a specific CVE in your Balbix dashboard:

Enter the CVE in the Search field and hit Enter. Balbix automatically prioritizes the search results for remediation. You can also use the filtered search functionality to search for the CVE by site, subnet, location, or other distinguishing factors.

If you have additional questions, please contact support@balbix.com.
