Microsoft January Patch Tuesday Fixes 10 Critical Bugs, Including a Zero Day Flaw

essidsolutions

In the first Patch Tuesday edition of 2021, Microsoft released patches for 83 bugs, including a zero day flaw in Defender’s malware protection engine that is linked to the SolarWinds hack.

While it may seem like we rang in the new year just yesterday, it’s time for Microsoft security professionals to address the critical vulnerabilities across their products. In the first edition of Patch Tuesday, Microsoft issued fixes for 83 vulnerabilities, 10 of which are rated critical in severity while the remaining 73 are deemed ‘Important.’

Some of the products that need to be patched are Microsoft Windows, Edge (EdgeHTML-based), Microsoft Office and Web Apps, Visual Studio, ChakraCore, Microsoft Malware Protection Engine, Azure, .NET Core, and ASP.NET.

IT professionals should pay more attention to a zero day vulnerability, tracked as CVE-2021-1647, which was previously disclosed by Google. This zero day bug affects the Microsoft Malware Protection Engine within Windows. Users are advised to prioritize patching this zero day flaw, which is being linked to the recent SolarWinds hack that also compromised Microsoft’s infrastructure.

CVE-2021-1647 is a remote code execution (RCE) bug that is currently being exploited in the wild by threat actors. Kevin Breen, Director of Research at Immersive Labs, a cybersecurity company, told Chris Kreb that the vulnerability can be exploited by something “as simple as sending a file.”

“In fact, the user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system,” said Breen.

Microsoft released another important patch for a privilege elevation flaw tracked as CVE-2021-1648. Dustin Childs of the Zero Day Initiative wrote, “This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition.”

Other critical bugs fixed this month are:

| Vulnerability | Resides In | Vulnerability Type |
| --- | --- | --- |
| CVE-2021-1705 | Microsoft Edge (HTML-based) | Memory Corruption |
| CVE-2021-1665 | Windows Graphics Device Interface | Remote Code Execution |
| CVE-2021-1660 | Windows Remote Procedure Call | Remote Code Execution |
| CVE-2021-1668 | Microsoft DTV-DVD Video Decoder | Remote Code Execution |
| CVE-2021-1643 | HEVC Video Extensions | Remote Code Execution |
| CVE-2021-1673 | Windows Remote Procedure Call | Remote Code Execution |
| CVE-2021-1658 | Windows Remote Procedure Call | Remote Code Execution |
| CVE-2021-1666 | Windows Remote Procedure Call | Remote Code Execution |
| CVE-2021-1667 | Windows Remote Procedure Call | Remote Code Execution |

Zero Day Initiative also noted another core security feature bypass vulnerability, CVE-2021-1674, in Windows Remote Desktop Protocol (RDP), which has a CVSS score of 8.8 assigned to it. Of late, RDP has become a popular target, and Childs advised restricting access to the protocol whenever possible.

A complete list of all critical and important vulnerabilities is available on the Microsoft update portal.