Microsoft on Tuesday issued fixes for 56 flaws, like a critical vulnerability that’s identified to be actively exploited in the wild.
In all, 11 are listed as Essential, 43 are stated as Important, and two are mentioned as Reasonable in severity — 6 of which are previously disclosed vulnerabilities.
The updates deal with .Web Framework, Azure IoT, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Place of work, Microsoft Windows Codecs Library, Skype for Small business, Visible Studio, Windows Defender, and other core elements these kinds of as Kernel, TCP/IP, Print Spooler, and Distant Technique Get in touch with (RPC).
A Home windows Gain32k Privilege Escalation Vulnerability
The most critical of the flaws is a Windows Acquire32k privilege escalation vulnerability (CVE-2021-1732, CVSS rating 7.8) that makes it possible for attackers with entry to a target process to run destructive code with elevated permissions. Microsoft credited JinQuan, MaDongZe, TuXiaoYi, and LiHao of DBAPPSecurity for getting and reporting the vulnerability.
In a separate specialized produce-up, the researchers stated a zero-working day exploit leveraging the flaw was detected in a “really constrained number of attacks” against victims situated in China by a menace actor named Bitter APT. The attacks were being found in December 2020.
“This zero-day is a new vulnerability which triggered by get32k callback, it could be used to escape the sandbox of Microsoft [Internet Explorer] browser or Adobe Reader on the most recent Home windows 10 model,” DBAPPSecurity researchers stated. “The vulnerability is higher high quality and the exploit is sophisticated.”
It really is worth noting that Adobe, as aspect of its February patch, resolved a vital buffer overflow flaw in Adobe Acrobat and Reader for Home windows and macOS (CVE-2021-21017) that it claimed could direct to arbitrary code execution in the context of the present user.
The company also warned of energetic exploitation makes an attempt against the bug in the wild in minimal attacks focusing on Adobe Reader end users on Windows, mirroring aforementioned results from DBAPPSecurity.
Though neither Microsoft nor Adobe has furnished more specifics, the concurrent patching of the two flaws raises the likelihood that the vulnerabilities are becoming chained to have out the in-the-wild assaults.
Netlogon Enforcement Method Goes Into Influence
Microsoft’s Patch Tuesday update also resolves a range of distant code execution (RCE) flaws in Home windows DNS Server (CVE-2021-24078), .Internet Core, and Visual Studio (CVE-2021-26701), Microsoft Windows Codecs Library (CVE-2021-24081), and Fax Services (CVE-2021-1722 and CVE-2021-24077).
The RCE in Home windows DNS server part is rated 9.8 for severity, producing it a important vulnerability that, if remaining unpatched, could allow an unauthorized adversary to execute arbitrary code and likely redirect respectable traffic to malicious servers.
Microsoft is also taking this thirty day period to force the second round of fixes for the Zerologon flaw (CVE-2020-1472) that was initially solved in August 2020, next which experiences of active exploitation concentrating on unpatched techniques emerged in September 2020.
Setting up February 9, the area controller “enforcement method” will be enabled by default, as a result blocking “vulnerable [Netlogon] connections from non-compliant equipment.”
In addition, the Patch Tuesday update rectifies a bug in Edge browser for Android (CVE-2021-24100) that could disclose individually identifiable details and payment information of a consumer.
RCE Flaws in Home windows TCP/IP Stack
And finally, the Windows maker produced a set of fixes affecting its TCP/IP implementation — consisting of two RCE flaws (CVE-2021-24074 and CVE-2021-24094) and a single denial of provider vulnerability (CVE-2021-24086) — that it explained could be exploited with a DoS attack.
“The DoS exploits for these CVEs would permit a remote attacker to lead to a halt error,” Microsoft said in an advisory. “Buyers could possibly receive a blue display on any Windows procedure that is instantly uncovered to the net with minimal community site visitors. Hence, we propose customers transfer rapidly to use Windows protection updates this thirty day period.”
The tech big, nevertheless, noted that the complexity of the two TCP/IP RCE flaws would make it hard to produce useful exploits. But it expects attackers to generate DoS exploits a lot additional simply, turning the stability weak spot into an excellent candidate for exploitation in the wild.
To install the most current stability updates, Home windows customers can head to Get started > Configurations > Update & Protection > Windows Update or by picking Test for Home windows updates.