What’s to not love with this month’s Patch Tuesday?
With solely 53 updates within the February Patch Tuesday assortment launched this week — and no updates for Microsoft browsers — you would be forgiven for pondering we had one other straightforward month (after a lightweight December and January). Regardless of lower-than-average numbers for updates and patches, 4 vulnerabilities have been publicly disclosed and we’re seeing a rising variety of experiences of exploits within the wild.
Briefly: this can be a huge, necessary replace that may require rapid consideration and a fast response to testing and deployment.
For instance, Microsoft has simply launched an out-of-band replace to repair a Wi-Fi challenge that’s resulting in Blue Screens of Dying (BSODs). Anyone goes to run into bother until this will get mounted quick. We have now included a useful infographic that this month seems a bit lopsided (once more), as the entire consideration ought to be on the Home windows elements
Key testing situations
Working with Microsoft, we developed a system that interrogates Microsoft updates and matches any file modifications (deltas) launched every month in opposition to our testing library. The result’s a “hot-spot” matrix that helps drive our portfolio testing course of. This month, our evaluation of this Patch Tuesday launch generated the next testing situations:
There are not any high-risk purposeful modifications anticipated this month, although we advocate the next testing regimes:
Identified points
Every month, Microsoft features a checklist of identified points that relate to the working system and platforms which are included on this replace cycle. I’ve referenced a couple of key points that relate to the newest builds from Microsoft, together with:
- Microsoft .NET (4.x ): In case you are nonetheless on Home windows 7 (or Server 2008) Microsoft has printed a be aware on WPF apps crashing for all presently supported variations of .NET.
- Home windows 10 1809, 1909, and 2004: System and consumer certificates may get misplaced when updating a tool from Home windows 10, model 1809 or later, to a more moderen model of Home windows 10. This can be a results of mixing media and installations with completely different replace/patching strategies. The outcomes might imply that sure drivers and gadgets might not begin or perform as anticipated after the replace.
You can too discover Microsoft’s abstract of Identified Points for this launch in a single web page.
Main revisions
This month, we have now a number of main revisions to earlier updates which will require your consideration:
- CVE-2020-1472: This server replace dates again to final Aug. 11, when the primary of a two-part replace was launched. This can be a tremendous complicated replace that may require some analysis (learn: MS-NRPC) and would require a lot of modifications to your website configuration (see: handle the modifications in Netlogon safe channel connections related to CVE-2020-1472). I imagine that this week is the enforcement section of a restricted safety mannequin for all affected servers, so some planning and deployment efforts are required.
- CVE-2020-17162: Microsoft addressed this safety vulnerability in September, however forgot to incorporate the documentation within the replace cycle. That is an informational replace solely. No additional motion required.
- CVE-2021-1692: This Microsoft CVE entry has been up to date to incorporate protection for Home windows 10 1803 (omitted beforehand). In case you are operating later variations of Home windows 10, no additional motion required.
Mitigations and workarounds
This month, Microsoft has printed a lot of complicated and necessary mitigations and workarounds, particularly for enterprise IT admins:
- CVE-2021-24094 and CVE-2021-24086: Microsoft has provided a reasonably technical workaround for mitigating this vulnerability, together with operating the next command, “Netsh int ipv6 set international reassemblylimit=0” in your servers. A associated MSRC weblog states: “The IPv4 workaround merely requires additional hardening in opposition to using Source Routing, which is disallowed in Home windows default state.” This workaround can be documented in CVE-2021-24074 and could be utilized by way of Group Coverage or by operating a NETSH command that doesn’t require a reboot. There may be a variety of studying to do when coping with this challenge, with extra info out there right here.
- CVE-2021-24077: This replace pertains to the Microsoft FAX Service and associated drivers. The workaround provided right here is to cease the FAX service. (Hey, who makes use of a FAX anymore?) I feel this can be a good concept, as this complete Home windows subsystem is ripe for abuse. Along with safety issues, some legacy FAX-related drivers are now not supported on later variations of Home windows 10 resulting from XDDM driver deprecations and compatibility points. Run a Service dependency scan in your software portfolio and see what purposes are affected. (Trace: Castelle Faxpress).
Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next fundamental groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Home windows (each desktop and server);
- Microsoft Workplace (Together with Internet Apps and Trade);
- Microsoft Improvement platforms (NET Core, .NET Core and Chakra Core);
- Adobe Flash Participant.
Browsers
This month, Microsoft has not launched any updates (but once more) to its in-house browsers. As a substitute we have now benefitted from the Open Source Chromium group’s “early and infrequently” launch cycle with the next (a number of) updates since our final Patch Tuesday launch:
- Feb. 5: Microsoft launched the newest Microsoft Edge Secure Channel (Model 88.0.705.63). This replace contains the newest Chromium Safety Updates, of which CVE-2021-21148 has been reported as having been exploited within the wild.
- Feb. 4: Microsoft launched the newest Microsoft Edge Secure Channel (Model 88.0.705.62), which includes the newest Safety Updates of Chromium.
- Jan. 21: Microsoft launched the newest Microsoft Edge Secure Channel (Model 88.0.705.50),
All of those updates are properly contained inside the Chromium desktop libraries, and from our analysis we discover it troublesome to think about they’d have an effect on different purposes or trigger compatibility points. Add these updates to your normal launch schedule.
Microsoft Home windows
This February replace cycle for the Home windows ecosystem brings 9 updates rated crucial, 18 average, and the remainder rated as low by Microsoft. Unusually, 4 Home windows updates this month have been publicly disclosed, although all are rated as necessary: CVE-2021-1733, CVE2021-1727, CVE-2021-24098, and CVE-2021-24106. Quoting from Microsoft MSRC: “We imagine attackers will be capable to create DoS exploits rather more rapidly and count on all three points may be exploited with a DoS assault shortly after launch. Thus, we advocate clients transfer rapidly to use Home windows safety updates this month.”
Along with these already regarding disclosures, the next two vulnerabilities have been reported as exploited within the wild:
- CVE-2021-1732: Home windows Win32ok Elevation of Privilege Vulnerability.
- CVE-2021-1647: Microsoft Defender Distant Code Execution Vulnerability.
Although we solely have 9 updates rated as crucial by Microsoft, they have an effect on core areas inside the Home windows desktop, together with:
The remaining characteristic groupings are affected by Microsoft’s necessary updates
- Home windows Crypto Libraries and PFX Encryption.
- Home windows Fax Service.
- Home windows Installer.
- Home windows Backup Engine.
- Home windows PowerShell.
- Home windows Occasion Tracing.
Following the testing suggestions listed above, I’d make this replace a precedence, noting that the testing cycle for these updates might require in-depth evaluation, some {hardware} (printing) and distant customers (testing throughout a VPN). Add these Home windows updates to your “Check earlier than Deploy” replace launch schedule.
Microsoft Workplace
Microsoft has launched 11 updates, all rated as necessary, to the Microsoft Workplace and SharePoint platforms overlaying the next software or characteristic groupings:
SharePoint Identified Points: in case your custom-made SharePoint pages use the SPWorkflowDataSource or FabricWorkflowInstanceProvider consumer management, some capabilities on these pages might not work. To resolve this challenge, see KB 5000640. Add these updates to your common Workplace replace schedule.
Microsoft growth platforms
Microsoft launched eight updates to the Microsoft growth platforms, two rated as crucial and the remaining six rated as necessary. They have an effect on the next platforms or purposes:
Sadly, there have been a lot of experiences that the newest safety roll-up replace to .NET (for all supported variations) causes WP purposes to crash with the next error:
"Exception Information: System.NullReferenceException at System.Home windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Home windows.Interop.HwndSource, RECT ByRef)"
Microsoft has printed a workaround that avoids the crash, however this workaround re-introduces the vulnerability mounted by the replace. Not good. The 2 crucial Improvement instrument updates (CVE-2021-24112 and CVE-2021-26701) each require native entry, whereas the latter has already been reported as exploited within the wild. Although among the Visible Studio (graphics libraries) vulnerabilities might lead to comparatively straightforward distant code execution (RCE) assaults, Microsoft has stated these vulnerabilities don’t apply to current Home windows libraries. These updates are to forestall future safety points in developed code.
Regardless of these future proofing efforts, there’s sufficient concern in these publicly exploited vulnerabilities for a “Patch Now” advice.
Adobe Flash Participant
This month Adobe launched updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the CMS system Magento. I feel that the main target for many enterprises ought to be on the safety fixes for Adobe Reader with 23 updates, seven of that are rated as crucial by Adobe.
Adobe has reported that one crucial rated vulnerability (CVE-2021-21017) has been reported as exploited within the wild (on Home windows desktops). This can be a huge replace for Adobe Reader and will require some testing earlier than deployment, which can trigger complications this launch cycle as Adobe has beneficial that this replace be deployed inside 72 hours of launch.
Add the Adobe Reader updates to your “Patch Now” launch schedule.
Copyright © 2021 IDG Communications, Inc.