Welcome to the new year, and welcome to the first Patch Tuesday of 2021. Take a break from your regularly scheduled activities and join us as we review the details for the latest security offerings from Microsoft and Adobe. 

Adobe Patches for January 2021

This month, Adobe released seven updates addressing eight CVEs in Adobe Campaign Classic, Photoshop, Illustrator, Animate, InCopy, Captivate, and Bridge. Two of these bugs came through the ZDI program. The patch for Campaign Classic fixes a single Server-side request forgery (SSRF) vulnerability. The Photoshop patch fixes a single heap-based buffer overflow. The update for Illustrator corrects a Critical-rated uncontrolled search path element vulnerability. That’s the same story for the Animate and InCopy patches. The update for Captivate also fixes an uncontrolled search path element bug, but this one is only rated Important. The final Adobe patch for January fixes two Out-Of-Bounds (OOB) write bugs in Bridge. None of the bugs fixed by Adobe this month are listed as publicly known or under active attack at the time of release.

Microsoft Patches for January 2021

For January, Microsoft released patches for 83 CVEs covering Microsoft Windows, Edge (EdgeHTML-based), ChakraCore, Office and Microsoft Office Services and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Seven of these CVEs were submitted through the ZDI program. Of these 83 CVEs, 10 are listed as Critical and 73 are listed as Important in severity. According to Microsoft, one bug is publicly known, and one other bug is known to be actively exploited at the time of release.

Let’s take a closer look at some of the more interesting updates for this month, starting with the bug listed as being under active attack:

 -       CVE-2021-1647 - Microsoft Defender Remote Code Execution Vulnerability
This bug in the Microsoft Malware Protection Engine may already be patched on your system as the engine auto-updates as needed. However, if your systems are not connected to the Internet, you’ll need to manually apply the patch. Microsoft does not state how wide-spread the active attacks are.

 -       CVE-2021-1648 - Microsoft splwow64 Elevation of Privilege Vulnerability
This bug was publicly disclosed by ZDI after it exceeded our disclosure timeline. It was also discovered by Google, likely because this patch corrects a bug introduced by a previous patch. The previous patch introduced a function to check an input string pointer, but in doing so, it introduced an Out-of-Bounds (OOB) Read condition. Additional bugs are also covered by this patch, including an untrusted pointer deref. The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well.

 -       CVE-2021-1677 - Azure Active Directory Pod Identity Spoofing Vulnerability
This vulnerability exists in the way that the Azure Active Directory (AAD) pod identity allows users to assign identities to pods in Kubernetes clusters. When an identity is assigned to a pod, the pod can access to the Azure Instance Metadata Service (IMDS) endpoint and get a token of that identity. This could allow an attacker to laterally steal the identities that are associated with different pods. This is also requires more than just a patch to fix. Anyone with an existing installation will need to re-deploy their cluster and use Azure CNI instead of the default Kubernetes.

 -       CVE-2021-1674 – Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability
This patch is a bit of a mystery. It carries a relatively high CVSS score (8.8), but without an executive summary, we can only guess what security feature in RDP Core is being bypassed. Short of reversing the patches, we don’t even know how this is different than CVE-2021-1669 - Windows Remote Desktop Security Feature Bypass Vulnerability. What we do know is that RDP has been a popular target in recent memory, and these bugs should be taken seriously. Without any solid information to act on, defenders should assume the worst-case scenario and restrict access to RDP wherever possible.  

Here’s the full list of CVEs released by Microsoft for January 2021. 

Of the remaining Critical-rated patches, five involve remote code execution (RCE) bugs in the Remote Procedure Call (RPC) runtime. What’s really curious is that there are four Important-rated patches for RPC as well. However, the CVSS and other descriptors are all identical. There’s no indication why some are listed as Critical and others are listed as Important. Similarly, there’s a Critical-rated patch for HEVC Video Extensions that is documented the same as the Important-rated patch for HEVC Video Extensions. Either way, you’ll get the update for both through the Microsoft Store. Those who use either the Microsoft Store for Business or the Microsoft Store for Education will be able to get this update through their organizations. Rounding out the Critical-rated patches is an update for Edge and patch for GDI+. 

Moving on to the other patches, the update for the Active Template Library (ATL) stand out. Back in 2009, multiple bulletins and advisories were required to correct a typo. It’s not clear if the situation is that dire with this update, but if you created anything using ATL, you will likely need to apply the patch then recompile your program. That’s also like true for the patch to fix an EoP in the Windows Runtime C++ Template Library.

In looking at the Important-rated bugs that could allow RCE, the SharePoint bug should not be ignored. It does require authentication, but it could allow an authenticated user to take complete control of the system. The patch for Visual Studio also stands out. This update fixes a bug in Cure53 DOMPurify, which is an open-source library used by Visual Studio. The fix for this has been available since September, so you should treat this as though it was publicly disclosed. The remaining code execution bugs cover “Open-and-Own” bugs in Office components. An attacker would need to send a specially crafted file and convince a user to open it with an affected component. That would allow the attacker to execute code of their choice at the level of the logged-on user.

Similar to last month, there are multiple security feature bypasses being fixed this month. In addition to the two already mentioned, there are three impacting the Bluetooth component and one impacting NTLM. CVE-2021-1638 is definitely intriguing as it requires no authentication and no user interaction. The other Bluetooth bugs do require some level of user interaction. The bypass for NTLM requires some level of user interaction but no authentication. Again, without executive summaries, we can only speculate the true severity of these bypasses.

There are a total of 34 EoP bugs getting patches this month. For almost all of these, an attacker would need to log on to a system then execute specially crafted code to elevate their permissions. Most of these are in various Windows, but the ones in Hyper-V and SharePoint stand out. Speaking of SharePoint, this month’s release also includes patches to fix a tampering bug and two spoofing bugs in SharePoint.   

This month includes four patches to correct Denial-of-Service (DoS) bugs. Two of these bugs are in Hyper-V, and one is in .NET Core and Visual Studio. The last of these bugs resides in the Windows CryptoAPI and can be reached remotely. According to the CVSS rating, there is some level of user interaction involved, but no authentication is needed. 

Rounding out this release are 11 patches fixing information disclosure bugs. As expected, most of these cases only lead to leaks consisting of unspecified memory contents. However, the info leak in Windows Docker is a bit more severe. This vulnerability could allow an attacker to decrypt data that was encrypted by the data protection API (DPAPI). It’s not clear if you need to re-encrypt data after applying this patch, but this has been required for similar bugs in the past. Without specifics on the bug, it’s tough to offer specific guidance. The other info disclosure bug that piques curiosity is the bug impacting the Bot Framework SDK. For this component, we’re just told the information leaked is “sensitive information.” Still, if you use the SDK, make sure you get an unaffected version.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on February 9, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!