February 2021 Patch Tuesday: Microsoft and Adobe fix exploited zero-days
On this February 2021 Patch Tuesday:
- Adobe has fixed a Reader flaw used in limited attacks, as well as delivered security updates for a variety of products, including Acrobat and Reader, Dreamweaver, and Magento
- Microsoft has plugged 56 security holes, including one actively exploited privilege escalation flaw
- SAP has released 7 new security notes and updated 6 previously released ones
- Mozilla has fixed a critical vulnerability affecting Firefox and Firefox ESR on Windows
Adobe updates
Adobe has released security updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the Magento CMS.
Out of all of those, the Acrobat and Reader updates should be tested and deployed as soon as possible, as they fix a bucketload of critical and important issues in widely used solutions, including one bug (CVE-2021-21017) that is being exploited in “limited” attacks on Reader for Windows.
A little less urgent is the Magento update, not because it doesn’t fix critical flaws (it does, seven of them), but because there are currently no known exploits and because based on previous experience, Adobe does not anticipate them being imminent. Nevertheless, regularly updating Magento installations should be a requirement for website admins, as cybercriminal groups like Magecart often exploit known vulnerabilities to push payment card skimmers onto the sites.
The rest of the updates fix vulnerabilities in products that have historically not been a target for attackers, so you can delay updating until you get all the more critical updates out of the way.
Microsoft updates
Microsoft has plugged 56 security holes, 11 of which are critical, 43 important, and two of moderate severity.
One “important” flaw (CVE-2021-1732) is being actively exploited in the wild: a local privilege escalation flaw that affects various versions of Windows 10 and Windows Server. This one is exploitable by attackers who have local physical access to the target machine, can access it remotely (e.g., via SSH), or can simply trick the legitimate user into opening a malicious document.
“Bugs of this nature are typically paired with another bug that allows code execution at the logged-on user level. For example, this could be paired with an Adobe Reader exploit,” noted Dustin Childs of Trend Micro’s Zero Day Initiative. “An attacker would entice a user to open a specially crafted PDF, which would result in code execution through the Reader bug then escalation through this bug.”
There has been no mention whether this flaw is being exploited along with the actively exploited and now plugged hole in Adobe Reader (CVE-2021-21017 – see above).
CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086 are two RCEs and one DoS vulnerability in Windows’ TCP/IP implementation that have been singled out by Microsoft for a quick patch (or mitigation implementation).
“The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month,” the MSRC team explained.
“The DoS exploits for these CVEs would allow a remote attacker to cause a stop error. Customers might receive a blue screen on any Windows system that is directly exposed to the internet with minimal network traffic.”
Childs has also advised those depending on Microsoft DNS servers to quickly patch CVE-2021-24078, a critical and potentially wormable RCE flaw, and those who rely on the .NET Framework or .NET Core to prioritize fixing CVE-2021-26701, an RCE bug that is publicly known.
Kevin Breen, Director of Cyber Threat Research at Immersive Labs, also notes that CVE-2021-24093, an RCE in Windows Graphics Component, should be quickly patched by consumer Windows users. The bug allows code execution when viewing a specially crafted image and is “the kind of vulnerability built into exploit kits and triggered by low-level phishing campaigns targeting users en masse.”
Satnam Narang, Staff Research Engineer at Tenable, made sure to note that today, Microsoft completed its two-phased approach for addressing CVE-2020-1472 (aka Zerologon).
“Zerologon provides attackers a reliable way to move laterally once inside a network, giving them the ability to impersonate systems, alter passwords, and gain control over the proverbial keys to the kingdom via the domain controller itself. For these reasons, Zerologon has been rolled into attacker playbooks, becoming a feather in the cap for post-compromise activity. We’ve also seen reports of it being favored by ransomware groups like Ryuk during their campaigns,” he shared.
“With this second phase being completed today, organizations that have yet to patch Zerologon need to do so immediately.”
SAP updates
For February 2021 Patch Tuesday, SAP has released 7 new security notes and updates to 6 previously released ones.
The most crucial updates in this batch are for SAP Business Client (fixing a flaw in the Google Chromium browser control delivered with it), SAP Commerce (fixing an RCE), and SAP Business Warehouse.
Mozilla updates
If you or your employees are using Firefox or Firefox ESR on Windows, upgrade to Firefox 85.0.1 or Firefox ESR 78.7.1 to plug a critical buffer overflow bug that has yet to receive a CVE.
On Monday, Mozilla also released Thunderbird 78.6.1, which fixes the same bug in its email client.
UPDATE (February 10, 2021, 01:10 a.m. PT):
Apple has released updates for macOS Big Sur, macOS Catalina and macOS Mojave that fix the recently discovered sudo flaw (by updating to sudo version 1.9.5p2) and two vulnerabilities in Intel Graphics Driver that may allow a malicious application to execute arbitrary code with kernel privileges.
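The Mozilla and Apple items above each name a minimum fixed version (Firefox 85.0.1 / Firefox ESR 78.7.1, and sudo 1.9.5p2). The following POSIX shell script is an added example, not code from the article or from Mozilla, Apple or the sudo project; it shows how an administrator can compare an installed version string against those minimums without tripping over the two formats involved: plain dotted versions like 85.0.1 and sudo's "pN" patch-level suffix, where 1.9.5p2 must sort above 1.9.5. The function names (norm_version, version_ge, firefox_is_fixed, sudo_is_fixed) are this example's own. The choice of ESR versus release baseline is inferred from the major version (78 is the ESR line named in the article), which is an assumption of the script rather than something the article states.

```shell
#!/bin/sh
# Added example (not from the article): check installed versions against the
# minimum fixed versions named in the February 2021 advisories.

# norm_version VERSION -> prints four numeric components, e.g.
#   "1.9.5p2" -> "1 9 5 2", "1.9.5" -> "1 9 5 0", "85.0.1" -> "85 0 1 0"
# sudo's "pN" suffix is treated as a fourth component so 1.9.5p2 > 1.9.5.
norm_version() {
    dotted=$(printf '%s' "$1" | sed 's/p/./')
    set -- $(printf '%s' "$dotted" | tr '.' ' ')
    printf '%s %s %s %s\n' "${1:-0}" "${2:-0}" "${3:-0}" "${4:-0}"
}

# version_ge INSTALLED MINIMUM -> returns 0 if INSTALLED >= MINIMUM, else 1
version_ge() {
    set -- $(norm_version "$1") $(norm_version "$2")
    # $1..$4 are the installed components, $5..$8 the minimum's
    for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
        x=${pair%%:*}
        y=${pair#*:}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0   # all components equal
}

# firefox_is_fixed VERSION -> 0 if the build carries the buffer overflow fix.
# Assumption: major version 78 is the ESR line (fixed in 78.7.1); any other
# major is compared against the release fix, 85.0.1.
firefox_is_fixed() {
    major=${1%%.*}
    if [ "$major" -eq 78 ]; then
        version_ge "$1" 78.7.1
    else
        version_ge "$1" 85.0.1
    fi
}

# sudo_is_fixed [VERSION] -> 0 if sudo is at least 1.9.5p2, the version Apple
# shipped in the macOS updates. Without an argument it reads the local binary
# (first line of `sudo -V` is "Sudo version X.Y.ZpN").
sudo_is_fixed() {
    installed=${1:-$(sudo -V 2>/dev/null | sed -n 's/^Sudo version //p' | head -n 1)}
    [ -n "$installed" ] || return 1   # sudo missing or unparseable: treat as not fixed
    version_ge "$installed" 1.9.5p2
}

# Stand-alone usage on a macOS host: report the local sudo status.
if [ "${1:-}" = "--check-sudo" ]; then
    if sudo_is_fixed; then
        echo "sudo is at or above 1.9.5p2"
    else
        echo "sudo is below 1.9.5p2 (or not found); apply the macOS update"
    fi
fi
```

Run it as `sh check_versions.sh --check-sudo` on the host being audited; the Firefox check takes the version string from whatever inventory tool is in use, since browser version reporting differs between platforms.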