Updated on 1/14/2021 7 p.m. PST to include TippingPoint® Next-Generation Intrusion Prevention System (NGIPS) Protection rules.
Microsoft welcomed the first month of 2021 with a total of 83 security updates — which is an uptick from December’s relatively lighter list. The January Patch Tuesday features 10 Critical and 73 Important patches. All of this month’s Critical patches are meant to fix remote code execution (RCE) vulnerabilities among certain Microsoft products, including Microsoft Defender, Microsoft Edge, and Microsoft DTV-DVD Video Decoder. Meanwhile, security fixes classified as Important patched vulnerabilities that could lead to RCE, elevation of privilege, spoofing, tampering, information disclosure, and security feature bypass.
Out of the 83 patches issued this month, seven were reported by Trend Micro’s Zero Day Initiative (ZDI). As of writing time, one of the security updates in the list is being actively exploited.
Critical flaw in Windows Defender can lead to RCE
CVE-2021-1647 is a vulnerability in the Microsoft Malware Protection Engine of Microsoft Defender that can allow an attacker to perform RCE on an affected system. Although the Microsoft automatically updates the Defender engine, these patches are typically documented as part of Patch Tuesday. However, users should update immediately as this vulnerability is already being actively exploited. Microsoft has not disclosed the degree and pervasiveness of the exploitation.
Microsoft splwow64 bug possibly next in line for active exploitation
CVE-2021-1648, an elevation of privilege bug on Microsoft splwow64, has been publicly disclosed by Google Project Zero and ZDI. This month’s patch fixes bugs seen in the previous one, including the inadvertent introduction of an out-of-bounds (OOB) read condition in the function to check an input string pointer. It’s logical to assume that this CVE will be next in line for active exploitation as the CVE that preceded it was also actively exploited.
RCE from vulnerable HEVC video extensions, Visual Studio
Rated as Critical, CVE-2021-1643 is a vulnerability that stems from the improper input validation in High Efficiency Video Coding (HEVC) extensions. When exploited, it will allow a remote attacker to execute arbitrary code on a target system. Interestingly, CVE-2021-1644 is a patch for the same HEVC extensions and with the same documentation but rated as Important. The update for this vulnerability will be delivered via the Microsoft Store.
Meanwhile, CVE-2020-26870, a bug classified as Important, occurs in the open-source software utilized by Visual Studio. The software is Cure53 DOMPurify, a Direct Object Model-only (DOM) cross-site scripting (XSS) sanitizer for HTML, mathematical Markup Language (MathML), and Scalable Vector Graphics (SVG). This patch covers “Open-and-Own” bugs in Office components. To exploit the vulnerability, an attacker would need to send a specially crafted file and get the user to open the file on an affected component. Once the flaw has been exploited, the attacker can execute arbitrary code at the level of the logged-on user.
Trend Micro Solutions
A proactive, multilayered approach to security is key against threats that exploit vulnerabilities — from the gateway, endpoints, networks, and servers.
The Trend Micro™ Deep Security™ solution provides network security, system security, and malware prevention. Combined with Vulnerability Protection, it can protect user systems from a wide range of upcoming threats that may target vulnerabilities. Both solutions protect users from exploits that target these vulnerabilities via the following rules:
- 1010719 - Microsoft Excel Remote Code Execution Vulnerability (CVE-2021-1713)
- 1010702 - Microsoft SharePoint Authenticated Remote Code Execution Vulnerability (CVE-2021-1707)
- 1010700 - Microsoft Windows Defender Remote Code Execution Vulnerability (CVE-2021-1647)
- 1010701 - Microsoft Windows Defender Remote Code Execution Vulnerability Over SMB (CVE-2021-1647)
- 1010720 - Microsoft Word Remote Code Execution Vulnerability (CVE-2021-1715)
TippingPoint® Next-Generation Intrusion Prevention System (NGIPS) is a network traffic solution that uses comprehensive and contextual awareness analysis for advanced threats that exploit vulnerabilities.
TippingPoint protects customers through the following rules:
- 38680: HTTP: Microsoft SharePoint SetTemplateContent Code Execution Vulnerability (CVE-2021-1707)
- 38690: TCP: Microsoft Windows Defender ASPack Buffer Overflow Vulnerability (CVE-2021-1647)