With solely 53 updates within the February Patch Tuesday assortment launched this week — and no updates for Microsoft browsers — you would be forgiven for pondering we had one other simple month (after a lightweight December and January). Despite lower-than-average numbers for updates and patches, 4 vulnerabilities have been publicly disclosed and we’re seeing a rising variety of experiences of exploits within the wild.In quick: this can be a large, necessary replace that may require rapid consideration and a speedy response to testing and deployment.For instance, Microsoft has simply launched an out-of-band replace to repair a Wi-Fi problem that’s resulting in Blue Screens of Death (BSODs). Somebody goes to run into bother until this will get fastened quick. We have included a useful infographic that this month appears to be like a little bit lopsided (once more), as the entire consideration needs to be on the Windows componentsKey testing scenariosWorking with Microsoft, we developed a system that interrogates Microsoft updates and matches any file adjustments (deltas) launched every month in opposition to our testing library. The result’s a “hot-spot” matrix that helps drive our portfolio testing course of. This month, our evaluation of this Patch Tuesday launch generated the next testing eventualities:There are not any high-risk purposeful adjustments anticipated this month, although we advocate the next testing regimes:Known pointsEach month, Microsoft features a listing of identified points that relate to the working system and platforms which are included on this replace cycle. I’ve referenced a couple of key points that relate to the most recent builds from Microsoft, together with:Microsoft .NET (4.x ): If you’re nonetheless on Windows 7 (or Server 2008) Microsoft has revealed a word on WPF apps crashing for all at the moment supported variations of .NET.
Windows 10 1809, 1909, and 2004: System and person certificates would possibly get misplaced when updating a tool from Windows 10, model 1809 or later, to a more moderen model of Windows 10. This could also be a results of mixing media and installations with completely different replace/patching strategies. The outcomes might imply that sure drivers and gadgets might not begin or perform as anticipated after the replace.
You also can discover Microsoft’s abstract of Known Issues for this launch in a single web page.Major revisionsThis month, now we have a number of main revisions to earlier updates that will require your consideration:CVE-2020-1472: This server replace dates again to final Aug. 11, when the primary of a two-part replace was launched. This is a brilliant complicated replace that may require some analysis (learn: MS-NRPC) and would require quite a few adjustments to your website configuration (see: How to handle the adjustments in Netlogon safe channel connections related to CVE-2020-1472). I imagine that this week is the enforcement section of a restricted safety mannequin for all affected servers, so some planning and deployment efforts are required.
CVE-2020-17162: Microsoft addressed this safety vulnerability in September, however forgot to incorporate the documentation within the replace cycle. This is an informational replace solely. No additional motion required.
CVE-2021-1692: This Microsoft CVE entry has been up to date to incorporate protection for Windows 10 1803 (omitted beforehand). If you’re working later variations of Windows 10, no additional motion required.
Mitigations and workaroundsThis month, Microsoft has revealed quite a few complicated and necessary mitigations and workarounds, particularly for enterprise IT admins:CVE-2021-24094 and CVE-2021-24086: Microsoft has supplied a reasonably technical workaround for mitigating this vulnerability, together with working the next command, “Netsh int ipv6 set global reassemblylimit=0” in your servers. A associated MSRC weblog states: “The IPv4 workaround simply requires further hardening against the use of Source Routing, which is disallowed in Windows default state.” This workaround can be documented in CVE-2021-24074 and will be utilized by means of Group Policy or by working a NETSH command that doesn’t require a reboot. There is lots of studying to do when coping with this problem, with extra info accessible right here.
CVE-2021-24077: This replace pertains to the Microsoft FAX Service and associated drivers. The workaround supplied right here is to cease the FAX service. (Hey, who makes use of a FAX anymore?) I feel this can be a good concept, as this complete Windows subsystem is ripe for abuse. In addition to safety considerations, some legacy FAX-related drivers are not supported on later variations of Windows 10 on account of XDDM driver deprecations and compatibility points. Run a Service dependency scan in your software portfolio and see what functions are affected. (Hint: Castelle Faxpress).
Each month, we break down the replace cycle into product households (as outlined by Microsoft) with the next primary groupings:Browsers (Microsoft IE and Edge);
Microsoft Windows (each desktop and server);
Microsoft Office (Including Web Apps and Exchange);
Microsoft Development platforms (NET Core, .NET Core and Chakra Core);
Adobe Flash Player.
BrowsersThis month, Microsoft has not launched any updates (but once more) to its in-house browsers. Instead now we have benefitted from the Open Source Chromium crew’s “early and often” launch cycle with the next (a number of) updates since our final Patch Tuesday launch:Feb. 5: Microsoft launched the most recent Microsoft Edge Stable Channel (Version 88.0.705.63). This replace contains the most recent Chromium Security Updates, of which CVE-2021-21148 has been reported as having been exploited within the wild.
Feb. 4: Microsoft launched the most recent Microsoft Edge Stable Channel (Version 88.0.705.62), which contains the most recent Security Updates of Chromium.
Jan. 21: Microsoft launched the most recent Microsoft Edge Stable Channel (Version 88.0.705.50),
All of those updates are effectively contained inside the Chromium desktop libraries, and from our analysis we discover it tough to think about they’d have an effect on different functions or trigger compatibility points. Add these updates to your normal launch schedule.Microsoft WindowsThis February replace cycle for the Windows ecosystem brings 9 updates rated vital, 18 reasonable, and the remaining rated as low by Microsoft. Unusually, 4 Windows updates this month have been publicly disclosed, although all are rated as necessary: CVE-2021-1733, CVE2021-1727, CVE-2021-24098, and CVE-2021-24106. Quoting from Microsoft MSRC: “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”In addition to those already regarding disclosures, the next two vulnerabilities have been reported as exploited within the wild:CVE-2021-1732: Windows Win32okay Elevation of Privilege Vulnerability.
CVE-2021-1647: Microsoft Defender Remote Code Execution Vulnerability.
Though we solely have 9 updates rated as vital by Microsoft, they have an effect on core areas inside the Windows desktop, together with:The remaining function groupings are affected by Microsoft’s necessary updatesWindows Crypto Libraries and PFX Encryption.
Windows Fax Service.
Windows Installer.
Windows Backup Engine.
Windows PowerShell.
Windows Event Tracing.
Following the testing suggestions listed above, I’d make this replace a precedence, noting that the testing cycle for these updates might require in-depth evaluation, some {hardware} (printing) and distant customers (testing throughout a VPN). Add these Windows updates to your “Test before Deploy” replace launch schedule.Microsoft OfficeMicrosoft has launched 11 updates, all rated as necessary, to the Microsoft Office and SharePoint platforms overlaying the next software or function groupings:SharePoint Known Issues: in case your custom-made SharePoint pages use the SPWorkflowDataSource or FabricWorkflowInstanceProvider person management, some features on these pages might not work. To resolve this problem, see KB 5000640. Add these updates to your common Office replace schedule.Microsoft growth platformsMicrosoft launched eight updates to the Microsoft growth platforms, two rated as vital and the remaining six rated as necessary. They have an effect on the next platforms or functions:Unfortunately, there have been quite a few experiences that the most recent safety roll-up replace to .NET (for all supported variations) causes WP functions to crash with the next error:”Exception Info: System.NullReferenceException at System.Windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Windows.Interop.HwndSource, RECT ByRef)”Microsoft has revealed a workaround that avoids the crash, however this workaround re-introduces the vulnerability fastened by the replace. Not good. The two vital Development device updates (CVE-2021-24112 and CVE-2021-26701) each require native entry, whereas the latter has already been reported as exploited within the wild. Though a number of the Visual Studio (graphics libraries) vulnerabilities might end in comparatively simple distant code execution (RCE) assaults, Microsoft has stated these vulnerabilities don’t apply to current Windows libraries. These updates are to stop future safety points in developed code.Despite these future proofing efforts, there’s sufficient concern in these publicly exploited vulnerabilities for a “Patch Now” suggestion.Adobe Flash PlayerThis month Adobe launched updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the CMS system Magento. I feel that the main focus for many enterprises needs to be on the safety fixes for Adobe Reader with 23 updates, seven of that are rated as vital by Adobe.Adobe has reported that one vital rated vulnerability (CVE-2021-21017) has been reported as exploited within the wild (on Windows desktops). This is a giant replace for Adobe Reader and will require some testing earlier than deployment, which can trigger complications this launch cycle as Adobe has really useful that this replace be deployed inside 72 hours of launch.Add the Adobe Reader updates to your “Patch Now” launch schedule.
Copyright © 2021 IDG Communications, Inc.