Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
February 2021 Overview
Nick Colyer — General Overview
This month Microsoft addresses 56 new vulnerabilities, of which 11 are critical severity and a high-rated vulnerability that is being actively exploited in the wild. Overall, this represents a decrease from the previous Patch Tuesday for the second release of 2021. At the same time, officials in Florida reportedly thwarted attempts by an unknown malicious threat actor who was attempting to poison a local town's water supply. This serves as a polarizing yet important reminder that cybersecurity hygiene is not only contextual to security outcomes of digital and physical assets, but can also have profound impacts on human life.
Nicholas Colyer — Adobe Updates
Adobe has released 11 security updates addressing multiple security issues affecting productivity and e-commerce offerings. In highlight, APSB21-09 specifically addresses updates for Adobe Reader that are currently being exploited in the wild. Adobe has related that attacks are limited and localized to Windows users specifically; however, in prioritization of risk it’s always recommended to address critical vulnerabilities in active exploitation, as observed with APSB21-09 for Adobe Reader.
Critical Vulnerability Breakdown
Nick Colyer — CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability
CVE-2021-24081 is a critically rated remote code execution vulnerability affecting Microsoft’s Windows Codec Library. While granular attack vector details are currently sparse, it has been noted that proof-of-concept exploit code exists. Overall, the difficulty required for exploitation is considered to be low currently, with end-user interaction required for successful exploitation. In recurrent themes of similar past vulnerabilities and in absence of clarifying context, cybersecurity awareness goes a long way in helping combat attacks that require end-user participation by empowering employees to make better decisions when facing uncertainties.
Nick Colyer — CVE-2021-21148 Google Chrome Zero-Day Vulnerability
CVE-2021-21148 is a critical Google Chrome Zero-Day Vulnerability currently believed to be exploited in the wild. No publicly published exploit code has yet surfaced; however Windows, macOS, and Linux versions of the browser all appear impacted. Browser vulnerabilities with remote code execution implications can be particularly vexing for organizations reliant on VPN technology to patch or remediate devices. In keeping with the convention of cybersecurity best practices, Automox recommends taking action in prioritizing patching for CVE-2021-21148 as soon as possible.
Nick Colyer — CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability
CVE-2021-1733 is a high severity privilege escalation vulnerability discovered to be impacting Sysinternals PsExec utility. PsExec, which has been popular in the past for use in remote administration tasks such as patching remote systems, has also had a fair share of scrutiny due to the utility’s weaponization by criminals in malware. Proof-of-concept code has not been independently verified, but it is notable that in January 2021 Microsoft released a patch to resolve a remote code execution vulnerability for the same utility indicating that it is getting attention. Robust endpoint management is necessary for any organization’s continued success and it is advisable to consider alternatives in the modern era of software-as-a-service.
Eric Feldman — CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability; CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability
These are both critical vulnerabilities impacting the Microsoft Windows Fax Service component. Windows Fax Service specifies settings for faxes, including how they are sent, received, viewed, and printed. The Windows Fax Service is used by the Windows Fax and Scan application included in all versions of Microsoft Windows 7, Windows 8, Windows 10, and some earlier versions. An attacker who successfully exploited the vulnerability could take control of the affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. Even if you do not use Windows Fax and Scan, the Windows Fax Services is enabled by default.
Justin Knapp — CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability
CVE-2021-24091 is yet another remote code execution vulnerability impacting Windows Camera Codec Pack. If successfully exploited, an attacker could run arbitrary code in the context of the current user. If the current user is logged on with admin privileges, the attacker could gain control of the affected system. This could enable an attacker to install programs; view, change, or delete data; or create new accounts with full user rights. Exploitation of the vulnerability requires the user to open a specially crafted file with an affected version of the codec pack. While there’s no way to force a user to open the file, bad actors could manipulate a user through an email or web-based attack vector where the user is effectively convinced or enticed into opening the malicious file.
Justin Knapp — CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability
A critical remote code execution vulnerability was discovered in Windows Domain Name System (DNS) servers when they fail to properly handle requests. Successful exploitation of the vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account. Only Windows servers that are configured as DNS servers are at risk of having this vulnerability exploited. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and “exploitation more likely” label assigned, this is a vulnerability that should be addressed immediately.
Chris Hass — CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability; CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability
While the number of vulnerabilities getting patched this Patch Tuesday appears to be on the lighter side, there was no shortage of critical RCEs affecting Windows implementation of TCP/IP. CVE-2021-24074, a critical RCE found in the way Windows handles ipv4 source routing. CVE-2021-24094, a critical RCE found in the way Windows handles ipv6 packet reassembly. Both vulnerabilities were discovered internally by Microsoft, and exploit code has not been seen out in the wild. Microsoft has also issued workaround guidance for both, which can easily be deployed in the Automox console if patching a device is not feasible at this time. However, because these affect the network stack, require zero interaction from a user, and can be exploited by sending malicious network traffic to a device, it is only a matter of time before we see attackers leveraging these vulnerabilities to carry out cyber attacks.
Chris Hass — CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability - Exploited
CVE-2021-1732 is a locally exploited Windows Win32K elevation of privilege bug that is actively being exploited in the wild. To exploit this vulnerability, an attacker would first have to log on to the system, then run a specially crafted application. The exploitation of this vulnerability would allow an attacker to execute code in the context of the kernel and gain SYSTEM privileges, essentially giving the attacker free rein to do whatever they wanted with the compromised machine. Because this vulnerability is already being used by attackers, patching this vulnerability as soon as possible is absolutely crucial.
Jay Goodman — CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability
CVE-2021-24088 is a critical vulnerability in the Windows local spooler service. This service is an important component within the Windows operating system that stores print jobs in memory until the printer is ready to accept them. This vulnerability can lead to remote code execution. Remote code execution, or RCEs, are vulnerabilities that are highly impactful given that they enable attackers to directly run malicious code on the exploited systems. Microsoft does not provide mitigation recommendations aside from patching for this exploit. Luckily, the exploit is labeled as “Exploitation less likely,” however this is tempered by the fact that this vulnerability is a relatively easy one to exploit for attackers.
Jay Goodman — CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability
CVE-2021-24093 is a critical remote code execution vulnerability in the Windows graphic component. This vulnerability can lead to an RCE. RCEs are vulnerabilities that can greatly impact a device given that they enable attackers to directly run malicious code on the exploited systems. Microsoft does not provide mitigation recommendations aside from patching for this exploit. The exploit is marked “Exploitation less likely,” however the vulnerability is relatively easy to exploit for attackers.
To see all the latest details and advice on this month’s Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.