Patch Tuesday Commentary from Chris Goettl, Senior Director of Product Management, Security at Ivanti:
Here we are, another patch Tuesday and the first of 2021. Looks like we are going to ease into the year with a slightly lighter vulnerability count from Microsoft, but there is definitely some excitement in the mix as they are resolving one actively exploited vulnerability (CVE-2021-1647) and one publicly disclosed vulnerability (CVE-2021-1648). Microsoft has resolved a total of 83 CVEs this month with updates for Windows OS, Edge (HTML-based), Office, Visual Studio, .Net Core, .Net Repository, ASP .Net, Azure, Malware Protection Engine, and SQL Server.
Microsoft Defender received an update to resolve an actively exploited Remote Code Execution vulnerability (CVE-2021-1647). Microsoft frequently updates malware definitions and the malware protection engine and has already pushed the update to resolve the vulnerability. For organizations that are configured for automatic updating no actions should be required, but one of the first actions a threat actor or malware will try to attempt is to disrupt threat protection on a system so definition and engine updates are blocked. For this reason, it is recommended to ensure your Microsoft Malware Protection Engine is Version 1.1.17700.4 or higher.
Microsoft has resolved an important vulnerability in splwow64 that could allow an attacker to elevate their privilege level. The vulnerability (CVE-2021-1648) affects Windows 8.1, Windows 10 and related server builds. The vulnerability could also allow for information disclosure. A public disclosure means enough information, or a proof-of-concept, has been released to the public giving threat actors additional time to develop an exploit. In this case the first details about this CVE were released on December 15 by the Zero Day Initiative.
Microsoft has re-released a fix for Secure Boot that was originally released in February 2020. CVE-2020-0689 is a security feature bypass vulnerability that impacted the Windows Operating System and could bypass secure boot and install untrusted software. The re-release provides a more comprehensive resolution to the vulnerability but does have some known issues. There are some OEM firmware conflicts and BitLocker settings that could run into issues. For more details check out the details on the update page.
The Critical vulnerabilities this month all seem to be residing in the OS, browser, and malware protection engine, but don’t let that distract you from the other updates. While the SQL, .Net Core, ASP .Net and other dev tools updates this month are only resolving important severity vulnerabilities, the devops toolchain is an area of concern. Your development teams need to be aware of what tools they are using and what vulnerabilities may be exposed.
Aside from Microsoft, there were a number of Adobe updates this month and one security update for Mozilla Thunderbird that is Critical.
Adobe has posted updates for Adobe Bridge, Captivate, InCopy, Campaign Classic, Animate, Illustrator, and Photoshop. Adobe Bridge has resolved two Critical vulnerabilities, the rest of the updates resolve one Critical or one Important vulnerability each. Adobe has prioritized the Adobe Campaign Classic release as a priority 2, the rest as priority 3. For reference, Adobe’s prioritization has three tiers. A priority 2 has an elevated risk and their guidance is to resolve within 30 days. Priority 3 indicates the product or the type of vulnerability has not been targeted historically so update at their discretion. Given this guidance, administrators should look to update Adobe Campaign Classic in their monthly maintenance. The rest of the updates should be evaluated and updated as reasonable as it is never good to let software stagnate.
Adobe Flash Player reached its end of life on December 31, 2020. At this point companies should be removing the historically highly targeted application from their environments if you have not already done so. If you need to continue running Flash for any specific reason it should be specific exceptions in controlled circumstances. Also, Adobe has worked with Harman to transition extended support for enterprise customers. You should reach out to Harman for additional services or coverage past the end of life date. For details see the Flash Player Enterprise End-of-Life page: https://www.adobe.com/products/flashplayer/enterprise-end-of-life.html