With only 53 updates in the February Patch Tuesday collection released this week — and no updates for Microsoft browsers — you’d be forgiven for thinking we had another easy month (after a light December and January). Despite lower-than-average numbers for updates and patches, four vulnerabilities have been publicly disclosed and we are seeing a growing number of reports of exploits in the wild.
In short: this is a big, important update that will require immediate attention and a rapid response to testing and deployment.
For example, Microsoft has just released an out-of-band update to fix a Wi-Fi issue that is leading to Blue Screens of Death (BSODs). Somebody is going to run into trouble unless this gets fixed fast. We have included a helpful infographic that this month looks a little lopsided (again), as all of the attention should be on the Windows components
Key testing scenarios
Working with Microsoft, we developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:
There are no high-risk functional changes expected this month, though we recommend the following testing regimes:
Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:
- Microsoft .NET (4.x ): If you are still on Windows 7 (or Server 2008) Microsoft has published a note on WPF apps crashing for all currently supported versions of .NET.
- Windows 10 1809, 1909, and 2004: System and user certificates might get lost when updating a device from Windows 10, version 1809 or later, to a newer version of Windows 10. This may be a result of mixing media and installations with different update/patching methods. The results could mean that certain drivers and devices may not start or function as expected after the update.
You can also find Microsoft’s summary of Known Issues for this release in a single page.
This month, we have several major revisions to previous updates that may require your attention:
- CVE-2020-1472: This server update dates back to last Aug. 11, when the first of a two-part update was released. This is a super complex update that will require some research (read: MS-NRPC) and will require a number of changes to your site configuration (see: How to manage the changes in Netlogon secure channel connections associated with CVE-2020-1472). I believe that this week is the enforcement phase of a restricted security model for all affected servers, so some planning and deployment efforts are required.
- CVE-2020-17162: Microsoft addressed this security vulnerability in September, but forgot to include the documentation in the update cycle. This is an informational update only. No further action required.
- CVE-2021-1692: This Microsoft CVE entry has been updated to include coverage for Windows 10 1803 (omitted previously). If you are running later versions of Windows 10, no further action required.
Mitigations and workarounds
This month, Microsoft has published a number of complex and important mitigations and workarounds, especially for enterprise IT admins:
- CVE-2021-24094 and CVE-2021-24086: Microsoft has offered a fairly technical workaround for mitigating this vulnerability, including running the following command, “Netsh int ipv6 set global reassemblylimit=0” on your servers. A related MSRC blog states: “The IPv4 workaround simply requires further hardening against the use of Source Routing, which is disallowed in Windows default state.” This workaround is also documented in CVE-2021-24074 and can be applied through Group Policy or by running a NETSH command that does not require a reboot. There is a lot of reading to do when dealing with this issue, with more information available here.
- CVE-2021-24077: This update relates to the Microsoft FAX Service and related drivers. The workaround offered here is to stop the FAX service. (Hey, who uses a FAX anymore?) I think this is a good idea, as this whole Windows subsystem is ripe for abuse. In addition to security concerns, some legacy FAX-related drivers are no longer supported on later versions of Windows 10 due to XDDM driver deprecations and compatibility issues. Run a Service dependency scan on your application portfolio and see what applications are affected. (Hint: Castelle Faxpress).
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge);
- Microsoft Windows (both desktop and server);
- Microsoft Office (Including Web Apps and Exchange);
- Microsoft Development platforms (NET Core, .NET Core and Chakra Core);
- Adobe Flash Player.
This month, Microsoft has not released any updates (yet again) to its in-house browsers. Instead we have benefitted from the Open Source Chromium team’s “early and often” release cycle with the following (multiple) updates since our last Patch Tuesday release:
- Feb. 5: Microsoft released the latest Microsoft Edge Stable Channel (Version 88.0.705.63). This update includes the latest Chromium Security Updates, of which CVE-2021-21148 has been reported as having been exploited in the wild.
- Feb. 4: Microsoft released the latest Microsoft Edge Stable Channel (Version 88.0.705.62), which incorporates the latest Security Updates of Chromium.
- Jan. 21: Microsoft released the latest Microsoft Edge Stable Channel (Version 88.0.705.50),
All of these updates are well contained within the Chromium desktop libraries, and from our research we find it difficult to imagine they would affect other applications or cause compatibility issues. Add these updates to your standard release schedule.
This February update cycle for the Windows ecosystem brings nine updates rated critical, 18 moderate, and the rest rated as low by Microsoft. Unusually, four Windows updates this month have been publicly disclosed, though all are rated as important: CVE-2021-1733, CVE2021-1727, CVE-2021-24098, and CVE-2021-24106. Quoting from Microsoft MSRC: “We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”
In addition to these already concerning disclosures, the following two vulnerabilities have been reported as exploited in the wild:
- CVE-2021-1732: Windows Win32k Elevation of Privilege Vulnerability.
- CVE-2021-1647: Microsoft Defender Remote Code Execution Vulnerability.
Though we only have nine updates rated as critical by Microsoft, they affect core areas within the Windows desktop, including:
The remaining feature groupings are affected by Microsoft’s important updates
- Windows Crypto Libraries and PFX Encryption.
- Windows Fax Service.
- Windows Installer.
- Windows Backup Engine.
- Windows PowerShell.
- Windows Event Tracing.
Following the testing recommendations listed above, I would make this update a priority, noting that the testing cycle for these updates may require in-depth analysis, some hardware (printing) and remote users (testing across a VPN). Add these Windows updates to your “Test before Deploy” update release schedule.
Microsoft has released 11 updates, all rated as important, to the Microsoft Office and SharePoint platforms covering the following application or feature groupings:
SharePoint Known Issues: if your customized SharePoint pages use the SPWorkflowDataSource or FabricWorkflowInstanceProvider user control, some functions on those pages may not work. To resolve this issue, see KB 5000640. Add these updates to your regular Office update schedule.
Microsoft development platforms
Microsoft released eight updates to the Microsoft development platforms, two rated as critical and the remaining six rated as important. They affect the following platforms or applications:
Unfortunately, there have been a number of reports that the latest security roll-up update to .NET (for all supported versions) causes WP applications to crash with the following error:
"Exception Info: System.NullReferenceException at System.Windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Windows.Interop.HwndSource, RECT ByRef)"
Microsoft has published a workaround that avoids the crash, but this workaround re-introduces the vulnerability fixed by the update. Not good. The two critical Development tool updates (CVE-2021-24112 and CVE-2021-26701) both require local access, while the latter has already been reported as exploited in the wild. Though some of the Visual Studio (graphics libraries) vulnerabilities could result in relatively easy remote code execution (RCE) attacks, Microsoft has said these vulnerabilities do not apply to existing Windows libraries. These updates are to prevent future security issues in developed code.
Despite these future proofing efforts, there is enough concern in these publicly exploited vulnerabilities for a “Patch Now” recommendation.
Adobe Flash Player
This month Adobe released updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the CMS system Magento. I think that the focus for most enterprises should be on the security fixes for Adobe Reader with 23 updates, seven of which are rated as critical by Adobe.
Adobe has reported that one critical rated vulnerability (CVE-2021-21017) has been reported as exploited in the wild (on Windows desktops). This is a big update for Adobe Reader and may require some testing before deployment, which may cause headaches this release cycle as Adobe has recommended that this update be deployed within 72 hours of release.
Add the Adobe Reader updates to your “Patch Now” release schedule.