Zero Day Initiative - Blog

The March 2021 Security Update Review

9 March 2021 at 18:31

It’s the third “second Tuesday” of the year, which means we get the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for March 2021

For March, Adobe released three patches covering eight CVEs in Adobe Connect, Creative Cloud Desktop, and Framemaker. Two of these CVEs came through the ZDI program. The update for Framemaker fixes a single Out-of-Bounds (OOB) read vulnerability that could lead to remote code execution. The update for Creative Cloud addresses three different Critical-rated CVEs. Two of these bugs could lead to code execution while the third could allow a privilege escalation. The final Adobe patch for March covers one Critical and three Important-rated vulnerabilities in Adobe Connect. The Critical-rated bug could lead to arbitrary code execution while the other bugs addressed are all reflected cross-site scripting (XSS) bugs. None of the issues addressed by Adobe are listed as publicly known or under active attack at the time of release.

Updated March 10:

After the initial release, Adobe also shipped patches for Photoshop and Animate to address nine additional CVEs. The Animate patch fixes two Critical and five Important-rated bugs. The Critical bugs are buffer overflows that could allow code execution while the Important-rated bugs could allow information disclosure. The patch for Photoshop addresses two Critical-rated bugs that could allow code execution. None of the issues are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2021

Microsoft started the March patch cycle early by shipping an emergency patch for Exchange last week covering seven unique CVEs. Four of these bugs are listed as under active attack, which is why the patch was released outside the normal Patch Tuesday cycle. There has already been a mountain of information published about these vulnerabilities, so I won’t cover the bugs in more detail here. However, if you run Exchange on-premises, you need to follow the published guidance and apply the patches as soon as possible. Microsoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.

For all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. These 89 CVEs include the seven Exchange CVEs released last week. A total of 15 of these bugs came through the ZDI program. Of these 89 bugs, 14 are listed as Critical and 75 are listed as Important in severity. According to Microsoft, two of these bugs are listed as publicly known while five are listed as under active attack at the time of release.

Please note these CVE counts do not include the CVEs patched in the recent update to the Chromium version of the Edge browser. Last week, Version 89 of this browser was released.

Let’s take a closer look at some of the more interesting updates for this month, starting with the other bug listed as being under active attack:

- CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based) that could allow an attacker to run their code on affected systems if they view a specially crafted HTML file. Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.

- CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability
This is the second straight month with a DNS server RCE vulnerability, and this month’s bug has company. A total of five bugs are listed as DNS Server Remote Code Execution Vulnerabilities, but this CVE is the only one listed as Critical. All five advisories note that Secure Zone Updates lessen the likelihood of successful exploitation but are not a full mitigation, which implies dynamic updates are involved in exploiting these bugs. All five are listed as CVSS 9.8, and there is an outside chance this could be wormable between DNS servers. Definitely prioritize the testing and deployment of these updates.
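A quick check for the mitigation mentioned above, as an added example that is not part of the original post: the script lists the primary zones on a Windows DNS server that still accept non-secure dynamic updates and previews switching the Active Directory-integrated ones to secure updates. It assumes the DnsServer PowerShell module (installed with the DNS Server role or RSAT) and an elevated session on the server; the zone names in the output are whatever that server hosts.

```powershell
# Added example, not from the ZDI post: find zones on a Windows DNS server that
# still accept non-secure dynamic updates. Requires the DnsServer module and an
# elevated PowerShell session on the DNS server itself.
Import-Module DnsServer -ErrorAction Stop

# Only primary zones accept dynamic updates; skip the auto-created reverse zones.
$exposed = Get-DnsServerZone |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
    Where-Object { $_.DynamicUpdate -eq 'NonsecureAndSecure' } |
    Select-Object ZoneName, IsDsIntegrated, DynamicUpdate

if (-not $exposed) {
    'No primary zone accepts non-secure dynamic updates.'
}
else {
    'Primary zones accepting non-secure dynamic updates:'
    $exposed | Format-Table -AutoSize

    # Secure dynamic updates exist only for AD-integrated zones. -WhatIf previews
    # the change without applying it; remove it once the zone list is reviewed.
    $exposed |
        Where-Object { $_.IsDsIntegrated } |
        ForEach-Object { Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure -WhatIf }

    # File-backed primary zones cannot be set to Secure; they need to be converted
    # to AD-integrated zones or have dynamic updates turned off entirely.
    $exposed |
        Where-Object { -not $_.IsDsIntegrated } |
        ForEach-Object { "Zone $($_.ZoneName) is file-backed: set DynamicUpdate to None or convert it to an AD-integrated zone." }
}
```

As the advisories say, this narrows the attack surface but is not a substitute for the patch; treat it as a hardening step for the window before the update is deployed.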

- CVE-2021-26867 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow an authenticated attacker to execute code on the underlying Hyper-V server. While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system. Microsoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.

- CVE-2021-27076 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a code execution bug originally submitted through the ZDI program. For an attack to succeed, the attacker must be able to create or modify Sites on the SharePoint server. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions. This is similar to some other SharePoint bugs we have blogged about in the past, and we’ll have additional details about this vulnerability on our blog in the near future.

Here’s the full list of CVEs released by Microsoft for March 2021.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No Yes RCE
CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 7.8 No Yes RCE
CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 7.8 No Yes RCE
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.8 No Yes RCE
CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability Critical 6.2 No No RCE
CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability Critical 9.3 No No RCE
CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24089 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No No RCE
CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability Critical 9.9 No No RCE
CVE-2021-26890 Application Virtualization Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability Important 6.8 No No Info
CVE-2021-24095 DirectX Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24110 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27047 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27048 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27049 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27050 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27051 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27062 HEVC Video Extensions Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27085 Internet Explorer Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-27053 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27054 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability Important 6.6 No No RCE
CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability Important 9.1 No No RCE
CVE-2021-27058 Microsoft Office ClickToRun Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24108 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27057 Microsoft Office Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27059 Microsoft Office Remote Code Execution Vulnerability Important 7.6 No No RCE
CVE-2021-26859 Microsoft Power BI Information Disclosure Vulnerability Important 7.7 No No Info
CVE-2021-27056 Microsoft PowerPoint Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27052 Microsoft SharePoint Server Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-27076 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability Important 4.6 No No Spoof
CVE-2021-27055 Microsoft Visio Security Feature Bypass Vulnerability Important 7 No No SFB
CVE-2021-26887 Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26881 Microsoft Windows Media Foundation Remote Code Execution Vulnerability Important 7.5 No No RCE
CVE-2021-27082 Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26882 Remote Access API Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-27083 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26880 Storage Spaces Controller Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26886 User Profile Service Denial of Service Vulnerability Important 5.5 No No DoS
CVE-2021-27081 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability Important Unlisted No No RCE
CVE-2021-27060 Visual Studio Code Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-27070 Windows 10 Update Assistant Elevation of Privilege Vulnerability Important 7.3 No No EoP
CVE-2021-26869 Windows ActiveX Installer Service Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-27066 Windows Admin Center Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-26860 Windows App-V Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26865 Windows Container Execution Agent Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26891 Windows Container Execution Agent Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-24090 Windows Error Reporting Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26872 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26898 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26901 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24107 Windows Event Tracing Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26892 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability Important 6.2 No No SFB
CVE-2021-26868 Windows Graphics Component Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26861 Windows Graphics Component Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-26862 Windows Installer Elevation of Privilege Vulnerability Important 6.3 No No EoP
CVE-2021-26884 Windows Media Photo Codec Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-26879 Windows NAT Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-26874 Windows Overlay Filter Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1640 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26878 Windows Print Spooler Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26870 Windows Projected File System Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26866 Windows Update Service Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-26889 Windows Update Stack Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-1729 Windows Update Stack Setup Elevation of Privilege Vulnerability Important 7.1 No No EoP
CVE-2021-26899 Windows UPnP Device Host Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26873 Windows User Profile Service Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26864 Windows Virtual Registry Provider Elevation of Privilege Vulnerability Important 8.4 No No EoP
CVE-2021-26871 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26885 Windows WalletService Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26863 Windows Win32k Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP

Moving on to the remaining Critical-rated patches, two affect Azure Sphere, but you likely won’t need to take any action. Devices running Azure Sphere that are connected to the Internet receive automatic updates. If your devices are isolated, you should make sure these updates are applied. There are three Critical-rated bugs in the HEVC Video Extensions, and these updates are available from the Windows Store. There’s a patch for a bug in OpenType Fonts that could be exploited by viewing a specially crafted font. Finally, there’s an intriguing update for Git for Visual Studio that fixes a bug that requires no privileges but some level of user interaction. The attack complexity is also listed as low, so we may hear more about this vulnerability in the future.

Shifting to the Important-rated patches, there are still a bunch of code execution bugs to look at. In fact, 45 of the 89 bugs patched this month are listed as some form of remote code execution. Many of the affected components have matching Important updates to go with their Critical counterparts. These include Exchange, DNS Server, HEVC Video Extensions, and IE. This month’s release includes five RCE bugs impacting Visual Studio Code and its extensions. Most are straightforward; however, the update for the Quantum Development Kit for Visual Studio Code must be manually downloaded. This can be done through the extensions page within Visual Studio Code. There are also the expected updates for Office and Office components. Similar to last month, users of Microsoft Office 2019 for Mac will need to wait for their update to be made available.

Looking at the 30 Elevation of Privilege (EoP) bugs addressed in this month’s release, most require an attacker to log on to an affected system and run specially crafted code to escalate privileges. Almost all of these patches impact the Windows kernel and various Windows components. One bug of note had previously been disclosed by ZDI after Microsoft stated it did not meet their bar for servicing. At some point after we published our advisory, Microsoft changed course and produced a patch to address this issue. We’re glad they changed their mind.

This month’s release includes patches for six information disclosure bugs. Usually, these types of cases only lead to leaks consisting of unspecified memory contents. That’s true for three of these bugs, but the others leak some significant info. The vulnerability in Azure Virtual Machine could allow a low-privileged user to gain virtual machine credentials as well as credentials to extensions associated with the virtual machine. Speaking of credentials, the bug in Microsoft Power BI could expose NTLM hashes, which could then be brute-forced to reveal plaintext passwords. Finally, according to the Microsoft write-up, the info leak in SharePoint Server could allow an attacker access to an “organizational's email, sites, filename, url of file...” There’s nothing more than this generic description listed, but assume valuable information could be exposed by an attacker.

Three components receive patches to fix security feature bypasses (SFB) this month. The bypasses for Windows Extensible Firmware Interface and the Windows Admin Center receive patches but no documentation. The SFB for Visio does get some additional information, but the attack scenario seems far from common. Systems would be affected only with a specific Group Policy Object. An attacker would still need to modify a macro-enabled template that ships with Excel. If those two conditions occur and the user runs a malicious file on a system affected by that Group Policy, some form of bypass can occur. Based on the write-up, it doesn’t read like imminent danger, but still probably best to roll out the patch.

This month’s release is rounded out by four denial-of-service (DoS) bugs and a spoofing vulnerability. The spoofing bug occurs in the SharePoint server, but no further information is provided. Two of the DoS bugs impact the DNS Server service, and they have the same caveats as the previously mentioned code execution bugs. There’s also a DoS in the NAT Server service. For these bugs, it’s not clear if the service can just be restarted or if a full system reboot is required. The final DoS was reported through the ZDI program, but it isn’t a crash of a network service. Instead, it’s a bug in the User Profile Service: by creating a junction, an attacker can abuse the service to overwrite the contents of a chosen file, thus creating a DoS condition.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on April 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


The February 2021 Security Update Review

9 February 2021 at 18:26

It’s the second Tuesday of the month, and that means the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of their latest security offerings.

Adobe Patches for February 2021

For February, Adobe released six patches addressing 50 CVEs in Adobe Dreamweaver, Illustrator, Animate, Photoshop, Magento, and Reader. A total of 14 of these bugs came through the ZDI program. The update for Adobe Reader fixes a total of 23 CVEs, 17 of which are rated Critical, and eight of which were reported through the ZDI program. CVE-2021-21017, a heap-based buffer overflow, is listed as being under “limited” active attacks on Reader for Windows. Definitely prioritize the testing and deployment of this update.

The update for Magento is also significant as it patches 18 bugs, seven of which are rated Critical. In the worst-case scenario, successful exploitation could lead to arbitrary code execution at the level of the current process. The update for Dreamweaver fixes a single, Important-rated info disclosure bug. The patch for Illustrator fixes two Out-Of-Bounds (OOB) write bugs that could lead to code execution. There’s also an OOB write being fixed in the patch for Animate. The patch for Photoshop fixes five Critical-rated bugs that could allow code execution.

Besides the previously mentioned CVE-2021-21017, none of the other bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for February 2021

For February, Microsoft released patches for 56 CVEs covering Microsoft Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office and Office Services and Web Apps, Skype for Business and Lync, and Windows Defender. Seven of these CVEs were submitted through the ZDI program. Of these 56 CVEs, 11 are listed as Critical, 43 are listed as Important, and two are listed as Moderate in severity. According to Microsoft, one bug is known to be actively exploited and six other bugs are listed as being publicly known at the time of release. This is roughly half the volume of what they patched in February 2020, but this release does contain an unusually high number of publicly known CVEs. Microsoft provides no information on where these CVEs were publicly exposed.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

- CVE-2021-1732 – Windows Win32k Elevation of Privilege Vulnerability
This local privilege escalation would allow a logged-on user to execute code of their choosing at higher privileges. Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit. An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug. This is also a common tactic for malware.

- CVE-2021-24078 – Windows DNS Server Remote Code Execution Vulnerability
This patch fixes a bug in the Windows DNS Server that could allow remote code execution on affected systems. Fortunately, if your system is not configured to be a DNS server, it is not impacted by this bug. However, for those systems that are configured as DNS servers, this bug allows code execution in a privileged service from a remote, unauthenticated attacker. This is potentially wormable, although only between DNS servers. Prioritize this update if you depend on Microsoft DNS servers.

- CVE-2021-24074 – Windows TCP/IP Remote Code Execution Vulnerability
There are two TCP/IP bugs in this month’s release, but I chose to highlight this vulnerability over CVE-2021-24094 since this bug affects IPv4 while the other impacts IPv6. Both bugs could allow remote, unauthenticated code execution on affected systems. For CVE-2021-24074, the vulnerability resides in IPv4 source routing, which should be disabled by default. You can also block source routing at firewalls or other perimeter devices. The IPv6 bug involves packet fragmentation where a large number of fragments could lead to code execution.
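For hosts that cannot take the patch immediately, Microsoft published two interim netsh workarounds for these TCP/IP bugs. The script below is an added example rather than anything from the original post: it records the current settings, applies both workarounds, and verifies them. It assumes an elevated PowerShell prompt on the affected Windows host and that netsh prints its English labels (“Source Routing Behavior”, “Reassembly Limit”), which the Select-String filters rely on.

```powershell
# Added example, not from the ZDI post: apply Microsoft's interim workarounds for
# CVE-2021-24074 (IPv4 source routing) and CVE-2021-24094 / CVE-2021-24086 (IPv6
# fragment reassembly) on a host that cannot be patched yet. Run elevated.

# 1. Capture the current global settings so the change can be reverted later.
$ipv4Before = netsh int ipv4 show global
$ipv6Before = netsh int ipv6 show global
'Before:'
$ipv4Before | Select-String 'Source Routing Behavior'   # label assumed to be English
$ipv6Before | Select-String 'Reassembly Limit'

# 2. IPv4: drop source-routed packets outright rather than the default
#    "dontforward" behavior.
netsh int ipv4 set global sourceroutingbehavior=drop

# 3. IPv6: refuse to reassemble fragments at all. This also drops legitimate
#    fragmented IPv6 traffic, so revert it (using the value captured in step 1)
#    as soon as the February update is installed.
netsh int ipv6 set global reassemblylimit=0

# 4. Verify the new state.
'After:'
netsh int ipv4 show global | Select-String 'Source Routing Behavior'
netsh int ipv6 show global | Select-String 'Reassembly Limit'
```

Both settings are host-wide, so test them on a non-production system first, keep the captured “before” output somewhere you can find it, and, as the post suggests, block source routing at firewalls and other perimeter devices in addition to the host-level change.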

- CVE-2021-26701 – .NET Core and Visual Studio Remote Code Execution Vulnerability
This is the only Critical-rated bug to be listed as publicly known, and without more information from Microsoft, that’s about all we know about it. Based on the CVSS, this could allow remote, unauthenticated attackers to execute arbitrary code on an affected system. Regardless, if you rely on the .NET Framework or .NET Core, make sure you test and deploy this one quickly.

Here’s the full list of CVEs released by Microsoft for February 2021.

CVE Title Severity CVSS Public Exploited Type
CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2021-1721 .NET Core and Visual Studio Denial of Service Vulnerability Important 6.5 Yes No DoS
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24098 Windows Console Driver Denial of Service Vulnerability Important 5.5 Yes No DoS
CVE-2021-24106 Windows DirectX Information Disclosure Vulnerability Important 5.5 Yes No Info
CVE-2021-1727 Windows Installer Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-24112 .NET Core for Linux Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24081 Microsoft Windows Codecs Library Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24091 Windows Camera Codec Pack Remote Code Execution Vulnerability Critical 7.8 No No RCE
CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-1722 Windows Fax Service Remote Code Execution Vulnerability Critical 8.1 No No RCE
CVE-2021-24077 Windows Fax Service Remote Code Execution Vulnerability Critical 8.4 No No RCE
CVE-2021-24093 Windows Graphics Component Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24088 Windows Local Spooler Remote Code Execution Vulnerability Critical 8.8 No No RCE
CVE-2021-24074 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24094 Windows TCP/IP Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-24111 .NET Framework Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-24087 Azure IoT CLI extension Elevation of Privilege Vulnerability Important 7 No No EoP
CVE-2021-24101 Microsoft Dataverse Information Disclosure Vulnerability Important 6.5 No No Info
CVE-2021-24092 Microsoft Defender Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1724 Microsoft Dynamics Business Central Cross-site Scripting Vulnerability Important 6.1 No No XSS
CVE-2021-24100 Microsoft Edge for Android Information Disclosure Vulnerability Important 5 No No Info
CVE-2021-24067 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24068 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24069 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24070 Microsoft Excel Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1730 Microsoft Exchange Server Spoofing Vulnerability Important 5.4 No No Spoof
CVE-2021-24085 Microsoft Exchange Server Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-24071 Microsoft SharePoint Information Disclosure Vulnerability Important 5.3 No No Info
CVE-2021-24066 Microsoft SharePoint Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-24072 Microsoft SharePoint Server Remote Code Execution Vulnerability Important 8.8 No No RCE
CVE-2021-1726 Microsoft SharePoint Spoofing Vulnerability Important 8 No No Spoof
CVE-2021-24114 Microsoft Teams iOS Information Disclosure Vulnerability Important 5.7 No No Info
CVE-2021-24076 Microsoft Windows VMSwitch Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-24105 Package Managers Configurations Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1731 PFX Encryption Security Feature Bypass Vulnerability Important 5.5 No No SFB
CVE-2021-24099 Skype for Business and Lync Denial of Service Vulnerability Important 6.5 No No DoS
CVE-2021-24073 Skype for Business and Lync Spoofing Vulnerability Important 6.5 No No Spoof
CVE-2021-1728 System Center Operations Manager Elevation of Privilege Vulnerability Important 8.8 No No EoP
CVE-2021-26700 Visual Studio Code npm-script Extension Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-1639 Visual Studio Code Remote Code Execution Vulnerability Important 7 No No RCE
CVE-2021-24083 Windows Address Book Remote Code Execution Vulnerability Important 7.8 No No RCE
CVE-2021-24079 Windows Backup Engine Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24102 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24103 Windows Event Tracing Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24096 Windows Kernel Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24084 Windows Mobile Device Management Information Disclosure Vulnerability Important 5.5 No No Info
CVE-2021-24075 Windows Network File System Denial of Service Vulnerability Important 6.8 No No DoS
CVE-2021-25195 Windows PKU2U Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-1734 Windows Remote Procedure Call Information Disclosure Vulnerability Important 7.5 No No Info
CVE-2021-24086 Windows TCP/IP Denial of Service Vulnerability Important 7.5 No No DoS
CVE-2021-1698 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No No EoP
CVE-2021-24109 Microsoft Azure Kubernetes Service Elevation of Privilege Vulnerability Moderate 6.8 No No EoP
CVE-2021-24080 Windows Trust Verification API Denial of Service Vulnerability Moderate 6.5 No No DoS

You’ll notice we have added the CVSS scores to the table. This is to provide further detail on the severity of the patches since Microsoft is now relying on CVSS scores so heavily. We recommend balancing the Microsoft severity (i.e., Critical, Important, Moderate, etc…) with the CVSS score to help determine prioritization for your enterprise.
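One way to put that recommendation into practice, as an added example that is not from the original post: the function below parses rows in the same one-line format as the tables on this page and sorts them so that bugs under active attack come first, then publicly known ones, then by Microsoft severity, with CVSS as the tie-breaker. The five sample rows are copied from the February table above; the ranking order itself is this example’s own choice, not Microsoft’s or ZDI’s.

```powershell
# Added example, not from the ZDI post: rank Patch Tuesday rows by combining the
# Microsoft severity with the CVSS score and the Public/Exploited flags.
function Get-PatchPriority {
    param(
        # Rows in "CVE Title Severity CVSS Public Exploited Type" form, one per line.
        [Parameter(Mandatory)] [string] $Table
    )

    # One regex per row: CVE id, free-text title, severity, CVSS, Public, Exploited, Type.
    $rowPattern = '^(?<Cve>CVE-\d{4}-\d+)\s+(?<Title>.+?)\s+(?<Severity>Critical|Important|Moderate|Low)\s+(?<Cvss>[\d.]+|Unlisted)\s+(?<Public>Yes|No)\s+(?<Exploited>Yes|No)\s+(?<Type>\S+)\s*$'
    $severityRank = @{ Critical = 3; Important = 2; Moderate = 1; Low = 0 }

    $rows = foreach ($line in ($Table -split "`r?`n")) {
        if ($line -match $rowPattern) {
            # "Unlisted" (no CVSS published) sorts last within its severity band.
            $cvss = if ($Matches.Cvss -eq 'Unlisted') { 0.0 } else { [double]$Matches.Cvss }
            [pscustomobject]@{
                CVE       = $Matches.Cve
                Title     = $Matches.Title
                Severity  = $Matches.Severity
                CVSS      = $cvss
                Public    = ($Matches.Public -eq 'Yes')
                Exploited = ($Matches.Exploited -eq 'Yes')
                Type      = $Matches.Type
            }
        }
    }

    # Priority: in-the-wild exploitation, then public disclosure, then Microsoft
    # severity, then CVSS. Reorder these to match your own risk model.
    $rows | Sort-Object -Property @{ Expression = 'Exploited'; Descending = $true },
                                  @{ Expression = 'Public';    Descending = $true },
                                  @{ Expression = { $severityRank[$_.Severity] }; Descending = $true },
                                  @{ Expression = 'CVSS';      Descending = $true }
}

# Constructed input: five rows copied from the February table on this page.
$sample = @'
CVE-2021-24082 Microsoft.PowerShell.Utility Module WDAC Security Feature Bypass Vulnerability Important 4.3 No No SFB
CVE-2021-24078 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-1733 Sysinternals PsExec Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-26701 .NET Core and Visual Studio Remote Code Execution Vulnerability Critical 8.1 Yes No RCE
CVE-2021-1732 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 No Yes EoP
'@

Get-PatchPriority -Table $sample | Format-Table CVE, Severity, CVSS, Public, Exploited, Type, Title -AutoSize
```

Paste an entire month’s table into the here-string to rank the full release; rows that do not match the pattern (headers, blank lines) are skipped rather than mis-parsed.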

Moving on to the remaining Critical-rated patches, two involve codec libraries and were reported by ZDI vulnerability researcher Hossein Lotfi. Both of these bugs are OOB Writes that result from the lack of proper validation of user-supplied data. This can lead to a write past the end of an allocated buffer and allow an attacker to execute code in the context of the current user. There are two Critical-rated bugs impacting the Fax Service, but the Windows Fax and Scan feature needs to be enabled for a system to be affected by this vulnerability. There’s a patch for the Windows graphics component to correct a bug that allows code execution when viewing a specially crafted image. The Windows Spooler service also receives a Critical-rated patch to prevent remote code execution, although the exploit path is not as clear here. The final Critical-rated bug addresses a vulnerability in the .NET Core for Linux. In this case, a .NET application utilizing libgdiplus on a non-Windows system could allow code execution if an attacker sends a specially crafted request.

Shifting our focus to Important-rated updates, there are nine bugs that could result in remote code execution. The most interesting of these are two that impact the SharePoint Server. One of these came from an anonymous contributor to our program and could allow code execution by an authenticated user who triggers deserialization of untrusted data by tampering with client-side data. There are four patches for Excel – two that came through our program – that would allow code execution when opening a specially crafted file in Excel. Note that the updates for Microsoft Office 2019 for Mac are not currently available. Hopefully, Microsoft gets those out soon.

There are a couple of updates to Visual Studio addressing code execution bugs. In one case, a user would need to clone a malicious repository from inside Visual Studio Code; attacker code would then execute once the targeted user viewed the contents of the repository. That’s not the most likely scenario. The Windows Address Book gets a patch for a bug found by ZDI vulnerability researcher Mat Powell. The bug results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. Finally, there’s a significant bug in the Windows package manager that can only be addressed by reconfiguring installation tools and workflows. Microsoft provides several resources with additional information on this vulnerability and how to mitigate it. It is highly recommended to read and heed all of that information. Considering the complexity in resolving this issue, this is a bug that could stick with us for a while.

There are only 11 Elevation of Privilege (EoP) bugs addressed in this month’s release, and we’ve already covered the one under active attack. Two are publicly known, and the more interesting of those impacts Sysinternals PsExec. If you’re not familiar with this tool, it’s a lightweight utility that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. It’s also often used by red teams when penetrating a network. We’ll likely see this bug end up in different toolkits should an exploit become available. The other publicly known bug impacts Windows Installer, but there’s no additional information about this vulnerability. Other EoP fixes of note include one for PKU2U, which is a peer-to-peer authentication protocol. Although systems not running PKU2U are not affected, Microsoft still recommends installing this update on all potentially impacted OSes.

Two different security feature bypasses receive fixes this month. The first covers a bypass in PowerShell, although no further information on what is bypassed is provided. The second covers a bypass in PFX encryption. When exporting a SID-protected PFX file, keys encrypted using AES are not properly protected. You’ll need to do more than just patch here as well. Any SID-protected PFX files using AES for key encryption should be regenerated and exported after this update is installed and all copies of the original PFX files must be securely destroyed.
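The PFX guidance above is a procedure rather than a single patch, so here is an added PowerShell example (our illustration, not code from the ZDI post or from Microsoft) of the regenerate, export, verify and retire steps. The group name, subject and file paths are placeholders; the self-signed certificate stands in for a key that, in production, you would reissue from your CA, and the script assumes an elevated session on a system that already has the March update installed.

```powershell
# Added example: regenerate a key, re-export it as a SID-protected PFX using AES key
# encryption, confirm the new file reads back, and retire the pre-patch exports.
# All names and paths below are placeholders.

$protectTo = 'CONTOSO\PKI Operators'        # placeholder: group whose SIDs may open the PFX
$subject   = 'CN=app01.contoso.example'      # placeholder: subject of the regenerated cert
$newPfx    = 'C:\Secure\app01-2021-03.pfx'   # placeholder: new export
$oldPfxs   = @('C:\Secure\app01-2020.pfx')   # placeholder: exports created before the patch

# 1. Regenerate the key pair. Self-signed only to keep the example self-contained;
#    a real deployment requests a new certificate from the issuing CA instead.
$cert = New-SelfSignedCertificate -Subject $subject -KeyAlgorithm RSA -KeyLength 3072 `
    -CertStoreLocation 'Cert:\LocalMachine\My' -KeyExportPolicy Exportable

# 2. Export SID-protected (no password) with AES-256 key wrapping, the combination the
#    bypass affected, so the fix applies to this file.
Export-PfxCertificate -Cert $cert -FilePath $newPfx -ProtectTo $protectTo `
    -CryptoAlgorithmOption AES256_SHA256 | Out-Null

# 3. Verify that the export opens for a member of the protecting group and that it
#    contains the regenerated certificate rather than an old one.
$data = Get-PfxData -FilePath $newPfx
if ($data.EndEntityCertificates[0].Thumbprint -ne $cert.Thumbprint) {
    throw 'Exported PFX does not contain the regenerated certificate.'
}

# 4. Retire every pre-patch export. Remove-Item only unlinks the file, so also overwrite
#    the volume's free space (cipher /w) or follow your media sanitisation procedure.
foreach ($old in $oldPfxs) {
    if (Test-Path -Path $old) { Remove-Item -Path $old -Force }
}
cipher.exe /w:C:\Secure | Out-Null
"Re-exported $($cert.Thumbprint) to $newPfx; $($oldPfxs.Count) old export(s) removed."
```

Step 3 is the check worth keeping in your own runbook: a PFX that was merely copied rather than re-exported still carries the weakly protected key, and comparing thumbprints against the regenerated certificate catches that.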

There are 10 different patches for information disclosure bugs in this month’s release. The info leak impacting DirectX is another of the publicly known bugs. While most of these cases only lead to leaks consisting of unspecified memory contents, some do yield interesting data. The bug fixed in the patch for Edge for Android could disclose personally identifiable information (PII) and payment information of a user. The vulnerability in Microsoft Dataverse could expose underlying datasets in Dataverse, which could include PII. The vulnerability in Microsoft Teams for iOS exposes the Skype token value in the preview URL for images in the Teams iOS app. The SharePoint bug leaks SQL table columns that would normally be restricted. Finally, the bug in Mobile Device Management could allow an attacker to read from the file system.

There are a handful of notable Denial-of-Service (DoS) bugs patched this month, and the fix for TCP/IP leads the way. Similar to CVE-2021-24094, this bug also involves IPv6 fragmentation, although there’s no path to code execution here. Disallowing IPv6 UDP fragmentation at the perimeter could have some side effects, but implementing the workaround to drop out-of-order packets seems more reasonable. Still, this should be tested before updating production systems. The DoS bugs impacting .NET Core and the Windows Console Driver are listed as publicly known, but Microsoft provides no further details. There’s a patch for a DoS vulnerability in Skype for Business and Lync. If you’re still using either of those messaging tools, definitely look to patch soon.
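For readers who want to stage the out-of-order-fragment workaround on a test host before the patch is rolled out, here is an added PowerShell example (ours, not from the ZDI post or Microsoft’s advisory). It assumes the workaround is the host-side IPv6 reassembly limit that Microsoft documented for the February 2021 TCP/IP bugs (`netsh int ipv6 set global reassemblylimit=0`), assumes the `netsh ... show global` output carries a line labelled “Reassembly Limit”, and saves the original value so the change can be reverted once the update is installed. Check the advisory for this month’s CVE before relying on it.

```powershell
# Added example: apply and revert the "drop out-of-order IPv6 fragments" workaround on a
# single host. Assumptions: the netsh reassemblylimit setting is the relevant workaround
# and its current value is printed as "Reassembly Limit : <n> bytes". Run elevated.

$backupFile = Join-Path $env:ProgramData 'ipv6-reassemblylimit.bak'   # placeholder location

function Get-Ipv6ReassemblyLimit {
    # Parse the current limit from netsh so the original value can be restored later.
    $line = netsh interface ipv6 show global | Select-String -Pattern 'Reassembly Limit'
    if (-not $line) { throw 'Could not find the IPv6 reassembly limit in netsh output.' }
    [uint32]([regex]::Match($line.Line, '\d+').Value)
}

function Enable-Ipv6FragmentDropWorkaround {
    $original = Get-Ipv6ReassemblyLimit
    if ($original -eq 0) { return 'Workaround already active (limit is 0).' }
    # Keep the pre-change value; a hard-coded default would be wrong on a tuned host.
    Set-Content -Path $backupFile -Value $original -Encoding ascii
    netsh interface ipv6 set global reassemblylimit=0 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh failed; is this an elevated session?' }
    "Reassembly limit changed from $original to 0; out-of-order fragments are now dropped."
}

function Disable-Ipv6FragmentDropWorkaround {
    if (-not (Test-Path -Path $backupFile)) {
        throw "No saved value at $backupFile; refusing to guess the original limit."
    }
    $original = [uint32](Get-Content -Path $backupFile | Select-Object -First 1)
    netsh interface ipv6 set global reassemblylimit=$original | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'netsh failed; is this an elevated session?' }
    Remove-Item -Path $backupFile -Force
    "Reassembly limit restored to $original."
}

# Usage on a test host: enable, exercise the workloads that rely on IPv6 UDP fragments,
# then revert after the March update is installed.
Enable-Ipv6FragmentDropWorkaround
```

Because the setting silently drops legitimate fragments that arrive out of order, watch for application timeouts over IPv6 (large DNS responses, some VPN and storage protocols) during the test window; that is the side effect the post warns about.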

Speaking of Skype for Business and Lync, these also receive a patch to fix a spoofing bug. Microsoft doesn’t indicate what is spoofed, but they do note user interaction is required. There’s also a spoofing bug in Exchange that dates back to September of 2020. Since the bug was in the Exchange Server installer, it could only be addressed in a complete release as opposed to a cumulative update. Microsoft allowed time for customers to move to the September release before disclosing the vulnerability. The other Exchange spoofing bug comes from Pwn2Own winner Steven Seeley and allows an authenticated attacker to leak a CERT file, which would allow an attacker to forge CSRF tokens. The final spoofing bug for this month fixes a SharePoint bug that could allow an authenticated attacker to manipulate the SharePoint blog sharing functionality to produce a bogus message or link.

The only cross-site scripting (XSS) bug in this month’s release impacts Microsoft Dynamics Business Central. Rounding out this month’s release are Moderate-rated bugs in Azure Kubernetes and the Windows Trust Verification API. Those using the Azure Kubernetes Service should be automatically updated to an unaffected version, but you should still verify your version number to be sure.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on March 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


The January 2021 Security Update Review

12 January 2021 at 18:27

Welcome to the new year, and welcome to the first Patch Tuesday of 2021. Take a break from your regularly scheduled activities and join us as we review the details for the latest security offerings from Microsoft and Adobe.

Adobe Patches for January 2021

This month, Adobe released seven updates addressing eight CVEs in Adobe Campaign Classic, Photoshop, Illustrator, Animate, InCopy, Captivate, and Bridge. Two of these bugs came through the ZDI program. The patch for Campaign Classic fixes a single Server-side request forgery (SSRF) vulnerability. The Photoshop patch fixes a single heap-based buffer overflow. The update for Illustrator corrects a Critical-rated uncontrolled search path element vulnerability. That’s the same story for the Animate and InCopy patches. The update for Captivate also fixes an uncontrolled search path element bug, but this one is only rated Important. The final Adobe patch for January fixes two Out-Of-Bounds (OOB) write bugs in Bridge. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2021

For January, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Seven of these CVEs were submitted through the ZDI program. Of these 83 CVEs, 10 are listed as Critical and 73 are listed as Important in severity. According to Microsoft, one bug is publicly known, and one other bug is known to be actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

- CVE-2021-1647 - Microsoft Defender Remote Code Execution Vulnerability
This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to manually apply the patch. Microsoft does not state how widespread the active attacks are.

- CVE-2021-1648 - Microsoft splwow64 Elevation of Privilege Vulnerability
This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer dereference. The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.

- CVE-2021-1677 - Azure Active Directory Pod Identity Spoofing Vulnerability
This vulnerability exists in the way that the Azure Active Directory (AAD) pod identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access the Azure Instance Metadata Service (IMDS) endpoint and get a token for that identity. This could allow an attacker to laterally steal the identities that are associated with different pods. This also requires more than just a patch to fix. Anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes networking.

- CVE-2021-1674 - Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this is different from CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible.
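“Restrict access to RDP wherever possible” is advice that is easy to give and easy to skip, so here is an added PowerShell example (ours, not code from the ZDI post) that scopes the built-in Remote Desktop firewall rules to a management subnet, enforces Network Level Authentication, and reports whether a host is still reachable over RDP from any address. The subnet is a placeholder; the registry paths are the standard Terminal Server settings and the script assumes an elevated session on Windows 10 / Server 2016 or later.

```powershell
# Added example: limit inbound RDP to a management subnet, require NLA, and audit the result.
# The subnet below is a placeholder; replace it with your jump-host range. Run elevated.

$managementSubnet = '10.10.0.0/24'   # placeholder
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpTcp = "$tsKey\WinStations\RDP-Tcp"

function Set-RdpRestricted {
    param([string]$AllowedSubnet)
    # Rewrite the remote-address scope of every inbound rule in the "Remote Desktop" group.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
        Set-NetFirewallRule -RemoteAddress $AllowedSubnet
    # Require NLA so the connection must authenticate before the full RDP stack is reached.
    Set-ItemProperty -Path $rdpTcp -Name 'UserAuthentication' -Value 1 -Type DWord
}

function Get-RdpExposure {
    # RDP is enabled when fDenyTSConnections is 0.
    $rdpEnabled = (Get-ItemProperty -Path $tsKey -Name 'fDenyTSConnections').fDenyTSConnections -eq 0
    $nlaRequired = (Get-ItemProperty -Path $rdpTcp -Name 'UserAuthentication').UserAuthentication -eq 1
    # Any enabled inbound RDP rule whose remote scope is still "Any" means the host is
    # reachable from every address the firewall profile allows.
    $openRules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound -Enabled True |
        Get-NetFirewallAddressFilter |
        Where-Object { $_.RemoteAddress -contains 'Any' }
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        RdpEnabled       = $rdpEnabled
        NlaRequired      = $nlaRequired
        OpenToAnyAddress = [bool]$openRules
    }
}

# Usage: record the state before the change, apply the restriction, then re-check.
Get-RdpExposure
Set-RdpRestricted -AllowedSubnet $managementSubnet
Get-RdpExposure
```

Run `Get-RdpExposure` across a fleet (for example through `Invoke-Command`) to find hosts where `RdpEnabled` is true and `OpenToAnyAddress` is still true; those are the ones where an unexplained RDP security feature bypass matters most.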

Here’s the full list of CVEs released by Microsoft for January 2021.

| CVE | Title | Severity | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- |
| CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability | Critical | No | Yes | RCE |
| CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability | Important | Yes | No | EoP |
| CVE-2021-1665 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1643 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1668 | Microsoft DTV-DVD Video Decoder Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1705 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2021-1658 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1660 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1666 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1667 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1673 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2021-1723 | .NET Core and Visual Studio Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1649 | Active Template Library Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1677 | Azure Active Directory Pod Identity Spoofing Vulnerability | Important | No | No | Spoofing |
| CVE-2021-1725 | Bot Framework SDK Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1651 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1680 | Diagnostics Hub Standard Collector Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1644 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1691 | Hyper-V Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1692 | Hyper-V Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1713 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1711 | Microsoft Office Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1712 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1719 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1718 | Microsoft SharePoint Server Tampering Vulnerability | Important | No | No | Tampering |
| CVE-2021-1641 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoofing |
| CVE-2021-1717 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | Spoofing |
| CVE-2021-1636 | Microsoft SQL Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1710 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1716 | Microsoft Word Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1678 | NTLM Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1664 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1671 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1700 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1701 | Remote Procedure Call Runtime Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1656 | TPM Device Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-26870 | Visual Studio Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1699 | Windows (modem.sys) Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1642 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1685 | Windows AppX Deployment Extensions Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1638 | Windows Bluetooth Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1683 | Windows Bluetooth Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1684 | Windows Bluetooth Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1679 | Windows CryptoAPI Denial of Service Vulnerability | Important | No | No | DoS |
| CVE-2021-1652 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1653 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1654 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1655 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1659 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1688 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1693 | Windows CSC Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1637 | Windows DNS Query Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1645 | Windows Docker Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1703 | Windows Event Logging Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1662 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1657 | Windows Fax Compose Form Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2021-1708 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1696 | Windows Graphics Component Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1704 | Windows Hyper-V Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1661 | Windows Installer Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1697 | Windows InstallService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1682 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1706 | Windows LUAFV Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1689 | Windows Multipoint Management Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1676 | Windows NT Lan Manager Datagram Receiver Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1695 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1663 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1670 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1672 | Windows Projected File System FS Filter Driver Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2021-1674 | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1669 | Windows Remote Desktop Services ActiveX Client Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2021-1702 | Windows Remote Procedure Call Runtime Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1650 | Windows Runtime C++ Template Library Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1694 | Windows Update Stack Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1681 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1686 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1687 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1690 | Windows WalletService Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1709 | Windows Win32k Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2021-1646 | Windows WLAN Service Elevation of Privilege Vulnerability | Important | No | No | EoP |

Of the remaining Critical-rated patches, five involve remote code execution (RCE) bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important. Similarly, there’s a Critical-rated patch for HEVC Video Extensions that is documented the same as the Important-rated patch for HEVC Video Extensions. Either way, you’ll get the update for both through the Microsoft Store. Those who use either the Microsoft Store for Business or the Microsoft Store for Education will be able to get this update through their organizations. Rounding out the Critical-rated patches is an update for Edge and a patch for GDI+.

Moving on to the other patches, the update for the Active Template Library (ATL) stands out. Back in 2009, multiple bulletins and advisories were required to correct a typo. It’s not clear if the situation is that dire with this update, but if you created anything using ATL, you will likely need to apply the patch and then recompile your program. That’s also likely true for the patch to fix an EoP in the Windows Runtime C++ Template Library.

In looking at the Important-rated bugs that could allow RCE, the SharePoint bug should not be ignored. It does require authentication, but it could allow an authenticated user to take complete control of the system. The patch for Visual Studio also stands out. This update fixes a bug in Cure53 DOMPurify, which is an open-source library used by Visual Studio. The fix for this has been available since September, so you should treat this as though it was publicly disclosed. The remaining code execution bugs cover “Open-and-Own” bugs in Office components. An attacker would need to send a specially crafted file and convince a user to open it with an affected component. That would allow the attacker to execute code of their choice at the level of the logged-on user.

Similar to last month, there are multiple security feature bypasses being fixed this month. In addition to the two already mentioned, there are three impacting the Bluetooth component and one impacting NTLM. CVE-2021-1638 is definitely intriguing as it requires no authentication and no user interaction. The other Bluetooth bugs do require some level of user interaction. The bypass for NTLM requires some level of user interaction but no authentication. Again, without executive summaries, we can only speculate the true severity of these bypasses.

There are a total of 34 EoP bugs getting patches this month. For almost all of these, an attacker would need to log on to a system and then execute specially crafted code to elevate their permissions. Most of these are in various Windows components, but the ones in Hyper-V and SharePoint stand out. Speaking of SharePoint, this month’s release also includes patches to fix a tampering bug and two spoofing bugs in SharePoint.

This month includes four patches to correct Denial-of-Service (DoS) bugs. Two of these bugs are in Hyper-V, and one is in .NET Core and Visual Studio. The last of these bugs resides in the Windows CryptoAPI and can be reached remotely. According to the CVSS rating, there is some level of user interaction involved, but no authentication is needed.

Rounding out this release are 11 patches fixing information disclosure bugs. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, the info leak in Windows Docker is a bit more severe. This vulnerability could allow an attacker to decrypt data that was encrypted by the data protection API (DPAPI). It’s not clear if you need to re-encrypt data after applying this patch, but this has been required for similar bugs in the past. Without specifics on the bug, it’s tough to offer specific guidance. The other info disclosure bug that piques curiosity is the bug impacting the Bot Framework SDK. For this component, we’re just told the information leaked is “sensitive information.” Still, if you use the SDK, make sure you get an unaffected version.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!


The December 2020 Security Update Review

8 December 2020 at 18:24

December is upon us and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for December 2020

Adobe kicked off their December patch release with four CVEs fixed with updates for Adobe Prelude, Experience Manager, and Lightroom. The patch for Prelude fixes a Critical-rated uncontrolled search path vulnerability that could lead to remote code execution. The Experience Manager patch addresses a cross-site scripting (XSS) bug and an information disclosure bug caused by a blind server-side request forgery. The update for Lightroom addresses a Critical-rated uncontrolled search path element vulnerability that could lead to arbitrary code execution. None of these bugs are listed as publicly known or under active attack at the time of release.

Interestingly, Adobe also noted they will be releasing an update for Acrobat and Reader at some point this week. This blog will be updated once they do.

Update: The update for Acrobat and Reader was released on December 9, 2020. It fixes a single CVE that could lead to information disclosure.

Microsoft Patches for December 2020

For December, Microsoft released patches to correct 58 CVEs and one new advisory in Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Microsoft Office and Office Services and Web Apps, Exchange Server, Azure DevOps, Microsoft Dynamics, Visual Studio, Azure SDK, and Azure Sphere. December is historically a light month of patches from Microsoft and this remains true for 2020. It also brings their CVE total to 1,250 for the year. It will be interesting to see if these trends continue in 2021.

Of these 58 patches, nine are rated as Critical, 46 are rated as Important, and three are rated Moderate in severity. A total of six of these bugs came through the ZDI program. None of the bugs patched this month are listed as publicly known or under active attack at the time of release. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug found by multiple researchers:

- CVE-2020-17132 - Microsoft Exchange Remote Code Execution Vulnerability
This is one of several Exchange code execution bugs, and it is credited to three different researchers. This implies the bug was somewhat easy to find, and other researchers are likely to find the root cause, too. Microsoft doesn’t provide an attack scenario here but does note that the attacker needs to be authenticated. This indicates that if you take over someone’s mailbox, you can take over the entire Exchange server. With all of the other Exchange bugs, definitely prioritize your Exchange test and deployment.

- CVE-2020-17121 - Microsoft SharePoint Remote Code Execution Vulnerability
Originally reported through the ZDI program, this patch corrects a bug that could allow an authenticated user to execute arbitrary .NET code on an affected server in the context of the SharePoint Web Application service account. In its default configuration, authenticated SharePoint users are able to create sites that provide all of the necessary permissions that are prerequisites for launching an attack. Similar bugs patched earlier this year received quite a bit of attention. We suspect this one will, too.

- CVE-2020-17095 - Hyper-V Remote Code Execution Vulnerability
This patch corrects a bug that could allow an attacker to escalate privileges from code execution in a Hyper-V guest to code execution on the Hyper-V host by passing invalid vSMB packet data. It appears that no special permissions are needed on the guest OS to exploit this vulnerability. This bug also has the highest CVSS score (8.5) for the release. However, if Microsoft is wrong about the attack complexity, this could rate as high as 9.9.

- CVE-2020-16996 - Kerberos Security Feature Bypass Vulnerability
This patch corrects a security feature bypass (SFB) bug in Kerberos, but thanks to Microsoft’s decision to remove executive summaries and only provide a CVSS score, we don’t know what specific features are being bypassed. We do know this impacts Kerberos Resource-Based Constrained Delegation (RBCD), as Microsoft has released guidance on managing the deployment of RBCD/Protected User changes in a new KB article. This likely helps to protect against RBCD attacks such as the one detailed here. This patch adds the NonForwardableDelegation registry key to enable protection on Active Directory domain controller servers. This will be enforced in a future update in February.

Here’s the full list of CVEs released by Microsoft for December 2020.

| CVE | Title | Severity | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- |
| CVE-2020-17131 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | RCE |
| CVE-2020-17095 | Hyper-V Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17152 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17158 | Microsoft Dynamics 365 for Finance and Operations (on-premises) Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17117 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17132 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17142 | Microsoft Exchange Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17118 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17121 | Microsoft SharePoint Remote Code Execution Vulnerability | Critical | No | No | RCE |
| CVE-2020-17145 | Azure DevOps Server and Team Foundation Services Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-17135 | Azure DevOps Server Spoofing Vulnerability | Important | No | No | Spoof |
| CVE-2020-17002 | Azure SDK for C Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17160 | Azure Sphere Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17137 | DirectX Graphics Kernel Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17147 | Dynamics CRM Webclient Cross-site Scripting Vulnerability | Important | No | No | XSS |
| CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17133 | Microsoft Dynamics Business Central/NAV Information Disclosure | Important | No | No | Info |
| CVE-2020-17126 | Microsoft Excel Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17122 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17123 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17125 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17127 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17128 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17129 | Microsoft Excel Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17130 | Microsoft Excel Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17143 | Microsoft Exchange Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17141 | Microsoft Exchange Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17144 | Microsoft Exchange Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17119 | Microsoft Outlook Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17124 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17089 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17120 | Microsoft SharePoint Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17159 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17150 | Visual Studio Code Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17148 | Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17156 | Visual Studio Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-16958 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16959 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16960 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16961 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16962 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16963 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-16964 | Windows Backup Engine Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17103 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17134 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17136 | Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17097 | Windows Digital Media Receiver Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17094 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17138 | Windows Error Reporting Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17098 | Windows GDI+ Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-17099 | Windows Lock Screen Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17092 | Windows Network Connections Service Elevation of Privilege Vulnerability | Important | No | No | EoP |
| CVE-2020-17096 | Windows NTFS Remote Code Execution Vulnerability | Important | No | No | RCE |
| CVE-2020-17139 | Windows Overlay Filter Security Feature Bypass Vulnerability | Important | No | No | SFB |
| CVE-2020-17140 | Windows SMB Information Disclosure Vulnerability | Important | No | No | Info |
| CVE-2020-16971 | Azure SDK for Java Security Feature Bypass Vulnerability | Moderate | No | No | SFB |
| CVE-2020-17153 | Microsoft Edge for Android Spoofing Vulnerability | Moderate | No | No | Spoof |
| CVE-2020-17115 | Microsoft SharePoint Spoofing Vulnerability | Moderate | No | No | Spoof |

Looking at the remaining Critical-rated updates, only one (surprisingly) impacts the browser. That patch corrects a bug within the JIT compiler. By performing actions in JavaScript, an attacker can trigger a memory corruption condition, which leads to code execution. The lack of browser updates could also be a conscious decision by Microsoft to ensure a bad patch for a browser does not disrupt online shopping during the holiday season. There are two patches for Dynamics 365 for Finance and Operations (on-premises), but both are listed as post-authentication. There’s another SharePoint patch, and multiple additional Exchange patches. Interestingly, there are two Important-rated Exchange patches that are documented as being identical to the Critical-rated ones. They have the same CVSS score, the same FAQs, and the same affected products. Be on the safe side and count those as Critical-rated bugs, too.

Moving on to the Important-rated updates, we find 10 Office bugs impacting Outlook, PowerPoint, and Excel. Most are Excel open-and-own types of bugs, although there is also an Excel SFB that requires a group policy to be set. While these types of bugs aren’t typically all that exciting, there are currently no updates for Office 2019 for Mac. If you’re using that edition, be extra vigilant about clicking links until the update arrives.

There are a surprising number of security feature bypass (SFB) bugs getting patched this month. In addition to those previously mentioned, the Azure SDK for both C and Java receive patches. Azure Sphere also gets an SFB fixed, although this should have been automatically applied to IoT devices running Sphere. You only need to take action on that one if your devices are isolated from the update service. There’s an SFB-related patch for the Windows Overlay Filter. There’s no information about it from Microsoft but given the researcher who found it, we’ll likely see some details soon. Perhaps the most interesting SFB this month is in the Windows lock screen. An attacker with physical access could bypass the lock screen of someone who had logged in and locked their session. I’m sure this bug will be a favorite for on-site red teams for years to come.

There are a handful of information disclosure bugs getting patched this month. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, there is a bug in the Windows Error Reporting service that could allow an attacker to read from the file system. The info disclosure bug in SharePoint could allow an attacker to view SQL table columns that are normally hidden. There’s a mysterious info disclosure bug being patched in Exchange. Microsoft simply states the information disclosed is “sensitive information.” With no further information to work with, assume a successful attacker could expose any email on the server.

The December release also contains a fair number of Elevation of Privilege (EoP) fixes. The majority of these are found in the Windows Backup Engine and the Cloud Files Mini Filter Driver. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a handful of spoofing bugs receiving fixes this month, but without a description, it’s difficult to guess what these might be. The release is rounded out by a Cross-Site Scripting (XSS) bug in Dynamics CRM Webclient.

Looking at the new advisory for December, ADV200013 provides guidance on a spoofing vulnerability in the DNS Resolver. While Microsoft provides no information on whether this is being exploited in the wild, it recommends limiting the UDP buffer size to 1221. Implementing this will cause larger DNS responses to switch to TCP, so it seems a relatively safe change to make. The other advisory for this month is the monthly revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.
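To show what that 1221-byte cap actually does on the wire, here is an added toy model (not Windows code and not part of the original post): a response that would exceed the cap is sent back with the TC bit set and only the question section kept, which is what makes a standards-following client retry the same query over TCP instead of failing. The message builder and the cap constant are assumptions for illustration; the registry details for applying the setting are in the advisory itself.

```python
"""Toy model of capping DNS UDP responses at 1221 bytes (ADV200013 guidance).
Added example only; this is not the Windows DNS implementation."""
from __future__ import annotations
import struct

TC_FLAG = 0x0200   # "truncated" bit in the DNS header flags word
UDP_LIMIT = 1221   # cap recommended in the advisory (assumed to be in bytes)


def encode_name(name: str) -> bytes:
    """Wire-encode a domain name as length-prefixed labels ending in 0x00."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def build_response(txid: int, qname: str, addresses: list[str]) -> bytes:
    """Build a minimal DNS response: one A question and one A answer per address.
    Constructed sample data; 0x8180 = standard response, recursion available."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for addr in addresses:
        # 0xC00C is a compression pointer to offset 12, i.e. the question name.
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)
        answers += bytes(int(octet) for octet in addr.split("."))
    return header + question + answers


def question_end(msg: bytes) -> int:
    """Offset just past the question section (name labels + type + class)."""
    i = 12
    while msg[i] != 0:
        i += 1 + msg[i]
    return i + 1 + 4


def enforce_udp_limit(response: bytes, max_udp: int = UDP_LIMIT) -> tuple[bytes, bool]:
    """Return (datagram, must_retry_over_tcp). A response over the cap is
    replaced by a truncated one: TC set, answer counts zeroed, question kept."""
    if len(response) <= max_udp:
        return response, False
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", response[:12])
    header = struct.pack("!HHHHHH", txid, flags | TC_FLAG, qd, 0, 0, 0)
    return header + response[12:question_end(response)], True


def is_truncated(response: bytes) -> bool:
    return bool(struct.unpack("!H", response[2:4])[0] & TC_FLAG)


if __name__ == "__main__":
    # A large answer set (constructed) would spill past 1221 bytes over UDP.
    big = build_response(0x1234, "example.com", [f"192.0.2.{i}" for i in range(1, 91)])
    out, retry = enforce_udp_limit(big)
    print(f"{len(big)} bytes -> {len(out)} bytes, TC={is_truncated(out)}, retry over TCP={retry}")
```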

Looking Ahead

The first Patch Tuesday for 2021 falls on January 12, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean! Merry Christmahanakwanzika!


The November 2020 Security Update Review

10 November 2020 at 18:25

November is here and with it comes the latest security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details of security patches for this month.

Adobe Patches for November 2020

Adobe kicked off their November patch cycle a bit early by releasing an update for Acrobat and Reader last Tuesday. The patch fixes 14 CVEs, four of which were reported through the ZDI program. Four of these CVEs are rated as Critical and could lead to code execution if a user opened a specially crafted PDF.

Today, Adobe released patches for Reader for Android and Connect fixing three total CVEs. The update for Reader for Android fixes an info disclosure bug. The two CVEs addressed by the Connect patch cover reflective cross-site scripting (XSS) bugs. None of the CVEs fixed by Adobe this or last week were listed as publicly known or under active attack at the time of release.

Microsoft Patches for November 2020

For November, Microsoft released patches to correct 112 CVEs in Microsoft Windows, Office and Office Services and Web Apps, Internet Explorer (IE), Edge (EdgeHTML-based and Chromium-based), ChakraCore, Exchange Server, Microsoft Dynamics, Azure Sphere, Windows Defender, Microsoft Teams, and Visual Studio. After a brief dip in October, we’re back into the 110+ CVEs per month volume of patches again. That makes eight months this year with this level of patches, so we really need to think of this as the new normal.

Of these 112 patches, 17 are rated as Critical, 93 are rated as Important, and two are rated Low in severity. A total of six of these bugs came through the ZDI program. Only one bug is listed as publicly known and under active attack. You’ll notice some big changes in the documentation for this month’s release (see below for details). Microsoft has decided to withhold the amount of information it publishes about the bugs being patched. Consequently, you’ll see less detail in this blog as well. We’ll still do what we can to parse the release with what data Microsoft does publish and our deep knowledge of bug reports. We do see quite a few of them. Let’s take a closer look at some of the more severe bugs in this release, starting with the bug currently being exploited:

- CVE-2020-17087 - Windows Kernel Local Elevation of Privilege Vulnerability
This privilege escalation bug was publicly disclosed by Google in late October. They noted it was combined with a Chrome bug to escape the browser sandbox and execute code on the target system. While not explicitly stated, the language used makes it seem the exploit is not yet widespread. However, considering there is a full analysis of the bug weeks before the patch, it will likely be incorporated into other exploits quickly.

- CVE-2020-17084 - Microsoft Exchange Server Remote Code Execution Vulnerability
This patch corrects a code execution bug in Exchange that was reported by Pwn2Own Miami winner Steven Seeley. With no details provided by Microsoft, we can only assume this is the bypass of CVE-2020-16875 he had previously mentioned. It is very likely he will publish the details of these bugs soon. Microsoft rates this as Important, but I would treat it as Critical, especially since people seem to find it hard to patch Exchange at all.

- CVE-2020-17051 - Windows Network File System Remote Code Execution Vulnerability
With no description to work from, we need to rely on the CVSS to provide clues about the real risk from this bug. At a 9.8, it’s about as critical as a bug can get. Considering this is listed as no user interaction with low attack complexity, and considering NFS is a network service, you should treat this as wormable until we learn otherwise.

- CVE-2020-17040 - Windows Hyper-V Security Feature Bypass Vulnerability
Here’s another bug that could be helped by a description. It’s not clear which security feature in Hyper-V is being bypassed or how an attacker can abuse it. Again, the attack complexity is low, authentication is not required, and there is no user interaction. Additional details are needed to accurately judge the risk from this bug, but the title and CVSS values alone put this bug on everyone’s radar.

Here’s the full list of CVEs released by Microsoft for November 2020.

CVE Title Severity Public Exploited Type
CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability Important Yes Yes EoP
CVE-2020-17105 AV1 Video Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-16988 Azure Sphere Elevation of Privilege Vulnerability Critical No No EoP
CVE-2020-17048 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17101 HEIF Image Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17106 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17107 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17108 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17109 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17110 HEVC Video Extensions Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17053 Internet Explorer Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17058 Microsoft Browser Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17078 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17079 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17082 Raw Image Extension Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17052 Scripting Engine Memory Corruption Vulnerability Critical No No RCE
CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17042 Windows Print Spooler Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-1325 Azure DevOps Server and Team Foundation Services Spoofing Vulnerability Important No No Spoof
CVE-2020-16986 Azure Sphere Denial of Service Vulnerability Important No No DoS
CVE-2020-16981 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16989 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16992 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16993 Azure Sphere Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16985 Azure Sphere Information Disclosure Vulnerability Important No No Info
CVE-2020-16990 Azure Sphere Information Disclosure Vulnerability Important No No Info
CVE-2020-16983 Azure Sphere Tampering Vulnerability Important No No Tampering
CVE-2020-16970 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16982 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16984 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16987 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16991 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-16994 Azure Sphere Unsigned Code Execution Vulnerability Important No No RCE
CVE-2020-17054 Chakra Scripting Engine Memory Corruption Vulnerability Important No No RCE
CVE-2020-16998 DirectX Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17049 Kerberos Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17090 Microsoft Defender for Endpoint Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17005 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17006 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17018 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17021 Microsoft Dynamics 365 (on-premises) Cross-site Scripting Vulnerability Important No No XSS
CVE-2020-17019 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17064 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17065 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17066 Microsoft Excel Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17067 Microsoft Excel Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability Important No No DoS
CVE-2020-17083 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17062 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17063 Microsoft Office Online Spoofing Vulnerability Important No No Spoof
CVE-2020-17081 Microsoft Raw Image Extension Information Disclosure Vulnerability Important No No Info
CVE-2020-17086 Microsoft Raw Image Extension Information Disclosure Vulnerability Important No No Info
CVE-2020-16979 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17017 Microsoft SharePoint Information Disclosure Vulnerability Important No No Info
CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17016 Microsoft SharePoint Spoofing Vulnerability Important No No Spoof
CVE-2020-17060 Microsoft SharePoint Spoofing Vulnerability Important No No Spoof
CVE-2020-17091 Microsoft Teams Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17020 Microsoft Word Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17000 Remote Desktop Protocol Client Information Disclosure Vulnerability Important No No Info
CVE-2020-16997 Remote Desktop Protocol Server Information Disclosure Vulnerability Important No No Info
CVE-2020-17104 Visual Studio Code JSHint Extension Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17100 Visual Studio Tampering Vulnerability Important No No Tampering
CVE-2020-17102 WebP Image Extensions Information Disclosure Vulnerability Important No No Info
CVE-2020-17010 Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17038 Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17013 Win32k Information Disclosure Vulnerability Important No No Info
CVE-2020-17012 Windows Bind Filter Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17113 Windows Camera Codec Information Disclosure Vulnerability Important No No Info
CVE-2020-17029 Windows Canonical Display Driver Information Disclosure Vulnerability Important No No Info
CVE-2020-17024 Windows Client Side Rendering Print Provider Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17088 Windows Common Log File System Driver Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17071 Windows Delivery Optimization Information Disclosure Vulnerability Important No No Info
CVE-2020-17007 Windows Error Reporting Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17036 Windows Function Discovery SSDP Provider Information Disclosure Vulnerability Important No No Info
CVE-2020-17068 Windows GDI+ Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17004 Windows Graphics Component Information Disclosure Vulnerability Important No No Info
CVE-2020-17040 Windows Hyper-V Security Feature Bypass Vulnerability Important No No SFB
CVE-2020-17035 Windows Kernel Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17045 Windows KernelStream Information Disclosure Vulnerability Important No No Info
CVE-2020-17030 Windows MSCTF Server Information Disclosure Vulnerability Important No No Info
CVE-2020-17069 Windows NDIS Information Disclosure Vulnerability Important No No Info
CVE-2020-17047 Windows Network File System Denial of Service Vulnerability Important No No DoS
CVE-2020-17056 Windows Network File System Information Disclosure Vulnerability Important No No Info
CVE-2020-17011 Windows Port Class Library Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17041 Windows Print Configuration Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17001 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17014 Windows Print Spooler Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17025 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17026 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17027 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17028 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17031 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17032 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17033 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17034 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17043 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17044 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17055 Windows Remote Access Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-1599 Windows Spoofing Vulnerability Important No No Spoof
CVE-2020-17070 Windows Update Medic Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17073 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17074 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17076 Windows Update Orchestrator Service Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17077 Windows Update Stack Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17075 Windows USO Core Worker Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17037 Windows WalletService Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-16999 Windows WalletService Information Disclosure Vulnerability Important No No Info
CVE-2020-17057 Windows Win32k Elevation of Privilege Vulnerability Important No No EoP
CVE-2020-17015 Microsoft SharePoint Spoofing Vulnerability Low No No Spoof
CVE-2020-17046 Windows Error Reporting Denial of Service Vulnerability Low No No DoS

You’ll notice this month’s patch table does not contain the Exploitability Index (XI) rating. Originally, XI was intended to help sysadmins prioritize which patches to test and deploy first. The thought was that some would prioritize Important-rated bugs likely to be exploited over Critical-rated bugs that were unlikely to be exploited. Since that time, security patches from Microsoft have become cumulative. Today, it is rare that you apply one patch for one component – you apply the monthly rollup that fixes many CVEs. Therefore, you have to treat all bugs in that update as though they have the highest XI rating, provided at least one bug fixed has the highest rating. It follows that it doesn’t make sense to call out the few XI=1 bugs when the whole update should be treated as XI=1. The exploitability index was a good initiative when it was introduced [PDF] back in 2008. These days, it’s an outdated rating that has run its course.
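As an added example of the prioritization this argues for (my code, not ZDI’s or Microsoft’s): parse rows in the table format used above, treat an Important-rated Exchange RCE as Critical as recommended for CVE-2020-17084, and rank each cumulative package by its worst CVE, since the rollup is applied whole. The grouping of CVEs into packages by product name is a simplifying assumption; the sample rows are copied from the November table.

```python
"""Prioritize Patch Tuesday rows the way the review reasons about them.
Added example; not ZDI or Microsoft code."""
from __future__ import annotations
import re
from collections import Counter
from dataclasses import dataclass

# One table row: CVE, title, severity, public, exploited, type (format used above).
ROW_RE = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+(?P<kind>\S+)$"
)
SEVERITY_RANK = {"Low": 0, "Moderate": 1, "Important": 2, "Critical": 3}

# Constructed sample: a few rows copied from the November 2020 table above.
SAMPLE_ROWS = """\
CVE Title Severity Public Exploited Type
CVE-2020-17087 Windows Kernel Local Elevation of Privilege Vulnerability Important Yes Yes EoP
CVE-2020-17051 Windows Network File System Remote Code Execution Vulnerability Critical No No RCE
CVE-2020-17084 Microsoft Exchange Server Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17085 Microsoft Exchange Server Denial of Service Vulnerability Important No No DoS
CVE-2020-17061 Microsoft SharePoint Remote Code Execution Vulnerability Important No No RCE
CVE-2020-17015 Microsoft SharePoint Spoofing Vulnerability Low No No Spoof
"""


@dataclass
class Entry:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    kind: str


def parse_rows(text: str) -> list[Entry]:
    """Parse table rows; the header line and blank lines simply do not match."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            entries.append(Entry(m["cve"], m["title"], m["severity"],
                                 m["public"] == "Yes", m["exploited"] == "Yes", m["kind"]))
    return entries


def effective_severity(e: Entry) -> str:
    """Review's advice: an Important-rated Exchange RCE is treated as Critical."""
    if "Exchange" in e.title and e.kind == "RCE" and SEVERITY_RANK[e.severity] < 3:
        return "Critical"
    return e.severity


def update_package(e: Entry) -> str:
    """Coarse stand-in (assumption) for the cumulative package a CVE ships in."""
    if e.title.startswith(("Windows", "Win32k")):
        return "Windows"
    for name in ("Exchange", "SharePoint", "Office", "Azure Sphere", "Visual Studio"):
        if name in e.title:
            return name
    return e.title.split(" Vulnerability")[0]


def prioritize(entries: list[Entry]) -> dict[str, dict]:
    """Rank each package by its worst CVE: the rollup is applied whole, so the
    package is 'exploited' or 'Critical' if any CVE in it is (the XI argument)."""
    packages: dict[str, dict] = {}
    for e in entries:
        pkg = packages.setdefault(update_package(e),
                                  {"rank": 0, "exploited": False, "public": False, "cves": []})
        pkg["rank"] = max(pkg["rank"], SEVERITY_RANK[effective_severity(e)])
        pkg["exploited"] = pkg["exploited"] or e.exploited
        pkg["public"] = pkg["public"] or e.public
        pkg["cves"].append(e.cve)
    for pkg in packages.values():
        # P1: in-the-wild exploitation; P2: Critical or publicly known; P3: the rest.
        pkg["priority"] = 1 if pkg["exploited"] else 2 if (pkg["rank"] == 3 or pkg["public"]) else 3
    return packages


def severity_counts(entries: list[Entry]) -> Counter:
    return Counter(e.severity for e in entries)


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for name, pkg in sorted(prioritize(rows).items(), key=lambda kv: kv[1]["priority"]):
        print(f"P{pkg['priority']} {name:12} {', '.join(pkg['cves'])}")
```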

The other big change this month relates to Microsoft’s removal of the description section of the CVE overview. In Microsoft’s examples on their blog explaining the change, they pick some simple cases to review. In those cases, an accurate CVSS is really all you need. After all, there’s only so much you can say about another SharePoint cross-site scripting (XSS) bug or a local privilege escalation that requires you to log on and run a specially crafted program. However, CVSS itself is not flawless. For example, “Privileges Required” and “User Interaction” are relatively straightforward to answer. Other fields, such as “Attack Complexity,” do have gray areas where people can disagree on the rating. From Microsoft’s perspective, I’m sure they think they know best about how to rate a bug. There have been times when the researcher who found the bug disagreed.

As someone who has written many bulletins myself, I understand the repetitive nature of these descriptions. I have literally forgotten how many kernel EoP bugs I have written up - and they were all almost identical. However, there are those outlier cases where a description does matter. Two examples are above. Another example is CVE-2020-17049. What security feature in Kerberos is being bypassed? What is the likelihood? As a network defender, I have defenses to mitigate risks beyond just applying security patches. Should I employ those other technologies while the patches roll out? Until I have some idea of the answers to those questions, I can’t accurately assess the risk to my network from this or any of the other bugs with outstanding questions. Hopefully, Microsoft will decide to re-add the executive summaries in future releases.

Back to the actual patches…

Looking at the Critical-rated updates, most involve either one of the browsers or a video codec. We’re seeing more and more research into the multitude of codecs available for Windows, so expect this trend to continue. There’s also a code execution bug in the print spooler that could be worrying. There are quite a few bugs related to Azure Sphere, including a Critical-rated one. However, you most likely won’t need to take any action on these bugs. IoT devices running Azure Sphere connected to the Internet check for updates every day and have likely already applied the patches. You only need to take action if your devices are not connected to the Internet or if you are a device manufacturer.

There are a relatively high number of remote code execution bugs getting fixes this month. Beyond the Critical-rated ones already mentioned, the bug in Microsoft Teams stands out – simply because so many students are using Teams right now and may not be as security savvy as adults. It does require user interaction, so remind your kids not to click on links from strangers. There’s also another Exchange Server code execution bug, but this one has a lower CVSS than the one previously mentioned. Steven has been a busy guy.

There are a total of 37 elevation of privilege (EoP) bugs getting fixes this month. In most of these cases, an attacker would need to log in to a target system then run a specially crafted program to escalate privileges. There are a couple of exceptions, such as CVE-2020-17012. In this case, the specific flaw exists within the bindflt.sys driver. A crafted request with an IOCTL of 0x220000 can perform remapping of directories. This was reported through the ZDI program, so we do have a good understanding of this bug.

There are a significant number of information disclosure bugs being addressed this month as well. For the most part, the information leaked consists of unspecified memory contents. There are a couple of exceptions. The first impacts Azure Sphere and could allow attackers to find device information like resource IDs, SAS tokens, user properties, and other sensitive information. There’s also a bug in SharePoint that could allow attackers to read from the file system.

Six patches address spoofing bugs, but without a description, it’s difficult to guess what these might be. The spoofing bugs in SharePoint typically indicate XSS, but CVE-2020-1599, titled “Windows Spoofing Vulnerability,” could be just about anything. The same could be said for the tampering fixes for Azure Sphere and Visual Studio. The November release is rounded out by four patches to address XSS in Microsoft Dynamics 365.

The lone advisory for this month is the revision update to the Windows Servicing Stack, which adds updates for all supported versions of Windows.

Looking Ahead

The final Patch Tuesday for 2020 falls on December 8, and we’ll return with details and patch analysis then. Until then, stay safe, enjoy your patching, and may all your reboots be smooth and clean!
