With solely 53 updates within the February Patch Tuesday assortment launched this week — and no updates for Microsoft browsers — you would be forgiven for pondering we had one other straightforward month (after a light-weight December and January). Regardless of lower-than-average numbers for updates and patches, 4 vulnerabilities have been publicly disclosed and we’re seeing a rising variety of stories of exploits within the wild.
In brief: it is a massive, necessary replace that can require speedy consideration and a fast response to testing and deployment.
For instance, Microsoft has simply launched an out-of-band replace to repair a Wi-Fi difficulty that’s resulting in Blue Screens of Demise (BSODs). Someone goes to run into hassle except this will get mounted quick. We’ve got included a useful infographic that this month appears to be like slightly lopsided (once more), as all the consideration ought to be on the Home windows elements
Key testing eventualities
Working with Microsoft, we developed a system that interrogates Microsoft updates and matches any file adjustments (deltas) launched every month towards our testing library. The result’s a “hot-spot” matrix that helps drive our portfolio testing course of. This month, our evaluation of this Patch Tuesday launch generated the next testing eventualities:
There are not any high-risk useful adjustments anticipated this month, although we suggest the next testing regimes:
Identified points
Every month, Microsoft features a listing of identified points that relate to the working system and platforms which might be included on this replace cycle. I’ve referenced a number of key points that relate to the most recent builds from Microsoft, together with:
- Microsoft .NET (4.x ): In case you are nonetheless on Home windows 7 (or Server 2008) Microsoft has revealed a observe on WPF apps crashing for all presently supported variations of .NET.
- Home windows 10 1809, 1909, and 2004: System and person certificates would possibly get misplaced when updating a tool from Home windows 10, model 1809 or later, to a more moderen model of Home windows 10. This can be a results of mixing media and installations with totally different replace/patching strategies. The outcomes might imply that sure drivers and units could not begin or perform as anticipated after the replace.
It’s also possible to discover Microsoft’s abstract of Identified Points for this launch in a single web page.
Main revisions
This month, we’ve a number of main revisions to earlier updates that will require your consideration:
- CVE-2020-1472: This server replace dates again to final Aug. 11, when the primary of a two-part replace was launched. This can be a tremendous complicated replace that can require some analysis (learn: MS-NRPC) and would require a variety of adjustments to your website configuration (see: The right way to handle the adjustments in Netlogon safe channel connections related to CVE-2020-1472). I consider that this week is the enforcement part of a restricted safety mannequin for all affected servers, so some planning and deployment efforts are required.
- CVE-2020-17162: Microsoft addressed this safety vulnerability in September, however forgot to incorporate the documentation within the replace cycle. That is an informational replace solely. No additional motion required.
- CVE-2021-1692: This Microsoft CVE entry has been up to date to incorporate protection for Home windows 10 1803 (omitted beforehand). In case you are working later variations of Home windows 10, no additional motion required.
Mitigations and workarounds
This month, Microsoft has revealed a variety of complicated and necessary mitigations and workarounds, particularly for enterprise IT admins:
- CVE-2021-24094 and CVE-2021-24086: Microsoft has provided a reasonably technical workaround for mitigating this vulnerability, together with working the next command, “Netsh int ipv6 set international reassemblylimit=0” in your servers. A associated MSRC weblog states: “The IPv4 workaround merely requires additional hardening towards the usage of Supply Routing, which is disallowed in Home windows default state.” This workaround can also be documented in CVE-2021-24074 and could be utilized by Group Coverage or by working a NETSH command that doesn’t require a reboot. There may be a variety of studying to do when coping with this difficulty, with extra data out there right here.
- CVE-2021-24077: This replace pertains to the Microsoft FAX Service and associated drivers. The workaround provided right here is to cease the FAX service. (Hey, who makes use of a FAX anymore?) I feel it is a good concept, as this entire Home windows subsystem is ripe for abuse. Along with safety considerations, some legacy FAX-related drivers are not supported on later variations of Home windows 10 attributable to XDDM driver deprecations and compatibility points. Run a Service dependency scan in your software portfolio and see what functions are affected. (Trace: Castelle Faxpress).
Every month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Home windows (each desktop and server);
- Microsoft Workplace (Together with Net Apps and Trade);
- Microsoft Growth platforms (NET Core, .NET Core and Chakra Core);
- Adobe Flash Participant.
Browsers
This month, Microsoft has not launched any updates (but once more) to its in-house browsers. As a substitute we’ve benefitted from the Open Supply Chromium crew’s “early and sometimes” launch cycle with the next (a number of) updates since our final Patch Tuesday launch:
- Feb. 5: Microsoft launched the most recent Microsoft Edge Secure Channel (Model 88.0.705.63). This replace consists of the most recent Chromium Safety Updates, of which CVE-2021-21148 has been reported as having been exploited within the wild.
- Feb. 4: Microsoft launched the most recent Microsoft Edge Secure Channel (Model 88.0.705.62), which includes the most recent Safety Updates of Chromium.
- Jan. 21: Microsoft launched the most recent Microsoft Edge Secure Channel (Model 88.0.705.50),
All of those updates are effectively contained inside the Chromium desktop libraries, and from our analysis we discover it tough to think about they’d have an effect on different functions or trigger compatibility points. Add these updates to your normal launch schedule.
Microsoft Home windows
This February replace cycle for the Home windows ecosystem brings 9 updates rated vital, 18 reasonable, and the remaining rated as low by Microsoft. Unusually, 4 Home windows updates this month have been publicly disclosed, although all are rated as necessary: CVE-2021-1733, CVE2021-1727, CVE-2021-24098, and CVE-2021-24106. Quoting from Microsoft MSRC: “We consider attackers will have the ability to create DoS exploits rather more rapidly and anticipate all three points is likely to be exploited with a DoS assault shortly after launch. Thus, we suggest clients transfer rapidly to use Home windows safety updates this month.”
Along with these already regarding disclosures, the next two vulnerabilities have been reported as exploited within the wild:
- CVE-2021-1732: Home windows Win32k Elevation of Privilege Vulnerability.
- CVE-2021-1647: Microsoft Defender Distant Code Execution Vulnerability.
Although we solely have 9 updates rated as vital by Microsoft, they have an effect on core areas inside the Home windows desktop, together with:
The remaining function groupings are affected by Microsoft’s necessary updates
- Home windows Crypto Libraries and PFX Encryption.
- Home windows Fax Service.
- Home windows Installer.
- Home windows Backup Engine.
- Home windows PowerShell.
- Home windows Occasion Tracing.
Following the testing suggestions listed above, I’d make this replace a precedence, noting that the testing cycle for these updates could require in-depth evaluation, some {hardware} (printing) and distant customers (testing throughout a VPN). Add these Home windows updates to your “Take a look at earlier than Deploy” replace launch schedule.
Microsoft Workplace
Microsoft has launched 11 updates, all rated as necessary, to the Microsoft Workplace and SharePoint platforms overlaying the next software or function groupings:
SharePoint Identified Points: in case your personalized SharePoint pages use the SPWorkflowDataSource or FabricWorkflowInstanceProvider person management, some features on these pages could not work. To resolve this difficulty, see KB 5000640. Add these updates to your common Workplace replace schedule.
Microsoft growth platforms
Microsoft launched eight updates to the Microsoft growth platforms, two rated as vital and the remaining six rated as necessary. They have an effect on the next platforms or functions:
Sadly, there have been a variety of stories that the most recent safety roll-up replace to .NET (for all supported variations) causes WP functions to crash with the next error:
"Exception Information: System.NullReferenceException at System.Home windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Home windows.Interop.HwndSource, RECT ByRef)"
Microsoft has revealed a workaround that avoids the crash, however this workaround re-introduces the vulnerability mounted by the replace. Not good. The 2 vital Growth software updates (CVE-2021-24112 and CVE-2021-26701) each require native entry, whereas the latter has already been reported as exploited within the wild. Although a number of the Visible Studio (graphics libraries) vulnerabilities might lead to comparatively straightforward distant code execution (RCE) assaults, Microsoft has mentioned these vulnerabilities don’t apply to present Home windows libraries. These updates are to forestall future safety points in developed code.
Regardless of these future proofing efforts, there’s sufficient concern in these publicly exploited vulnerabilities for a “Patch Now” advice.
Adobe Flash Participant
This month Adobe launched updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the CMS system Magento. I feel that the main focus for many enterprises ought to be on the safety fixes for Adobe Reader with 23 updates, seven of that are rated as vital by Adobe.
Adobe has reported that one vital rated vulnerability (CVE-2021-21017) has been reported as exploited within the wild (on Home windows desktops). This can be a massive replace for Adobe Reader and should require some testing earlier than deployment, which can trigger complications this launch cycle as Adobe has really helpful that this replace be deployed inside 72 hours of launch.
Add the Adobe Reader updates to your “Patch Now” launch schedule.