Microsoft patches 83 security vulnerabilities in first 2021 Patch Tuesday update
The vulnerabilities include a zero-day flaw that impacts the Microsoft Defender antivirus software
Microsoft has released its first Patch Tuesday security update of 2021, addressing a total of 83 vulnerabilities across various products and platforms.
Of all the security holes plugged this month, 10 are rated as 'critical', while 73 are deemed 'important.
The most serious flaw is a zero-day bug impacting Microsoft Defender antivirus software. Indexed as CVE-2021-1647, this remote code execution (RCE) flaw could enable attackers to run arbitrary code on vulnerable devices by tricking a user into opening a malicious document on a machine running Microsoft Defender.
Microsoft said that while a proof-of-concept code is available for the bug, the code/technique may not work in all situations.
"An attacker would need to have access to the local machine already or trick the user into triggering the execution of the exploit," said Chris Hass, director of information security and research at Automox.
CVE-2021-1647 can affect Microsoft Malware Protection Engine versions from 1.1.17600.5 to 1.1.17700.4 running on Windows 10, Windows Server 2004 and Windows 7.
Some security researchers believe hackers exploited this vu;nerability as part of the massive SolarWinds hack, which was disclosed last month and targeted multiple federal agencies in the US.
The news of the zero-day comes weeks after Microsoft admitted that the hackers behind the attack were able to view its source code in a number of repositories. The company also said that the hackers could not access customer data or production services, and that its machines were not used to launch attacks against other organisations.
"This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed," says Dustin Childs of Trend Micro's Zero Day Initiative (ZDI) project.
"However, if your systems are not connected to the internet, you'll need to manually apply the patch."
Microsoft has also addressed an elevation-of-privilege security flaw, indexed as CVE-2021-1648, which was uncovered by Trend Micro's ZDI Project team last month and was found to affect the Windows splwow64 print driver process.
The bug has not been exploited in the wild, Microsoft said, despite its details being in the public domain for some time.
Childs said Microsoft is essentially addressing a vulnerability caused by an earlier bug fix with this specific patch.
"The previous CVE was being exploited in the wild, so it's within reason to think this CVE will be actively exploited as well," Childs said.
CVE-2021-1705 is another RCE bug the software giant addressed this month. The memory-related flaw impacts Microsoft's Edge web browser and arises due to browser's improper way of accessing objects in memory.
Other critical bugs covered in January 2021 security update include CVE-2021-1665 (impacting Windows Graphics Device Interface), CVE-2020-1643 (HEVC Video Extensions) and CVE-2020-1668 (Microsoft DTV-DVD Video Decoder).
Overall, the January 2021 security update includes patches for nine products, including Microsoft Windows, Visual Studio, the Edge browser, ChakraCore, Microsoft Malware Protection Engine, ASP .NET, .NET Core, Azure, and Office and Microsoft Office Services and Web Apps.