Microsoft January 2021 Security Updates (to include zero-day RCE patch)

Microsoft has released the January 2021 Security Updates, which include patches for 83 vulnerabilities, 10 of them rated Critical, among them a zero-day RCE vulnerability (CVE-2021-1647) in Microsoft Defender.

A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.

In all, the Microsoft security updates address vulnerabilities in the following products:

  • .NET Core
  • .NET Repository
  • ASP .NET
  • Azure
  • Microsoft Edge (EdgeHTML-based)
  • Microsoft Malware Protection Engine
  • Microsoft Office and Microsoft Office Services and Web Apps
  • Microsoft Windows
  • Microsoft Windows Codecs Library
  • SQL Server
  • Visual Studio

Readers can review the January 2021 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.

Microsoft Defender RCE zero-day

Microsoft patched a Critical Defender remote code execution (RCE) vulnerability (CVE-2021-1647) as part of the recent patch release for Microsoft Malware Protection Engine.

Microsoft warned there was “exploitation detected” on this RCE vulnerability.

To safeguard against future attacks, Microsoft included the patch as part of the Microsoft Malware Protection Engine update, which should install automatically.

Critical vulnerabilities

Microsoft addressed 10 Critical vulnerabilities, including the previously mentioned Defender zero-day and 9 other RCE vulnerabilities. The patches cover Windows, Windows Defender and browser products, as well as Extended Security Updates (ESUs) for end-of-life software.

Critical Windows RCE patches

Microsoft patched the following Critical Windows RCE vulnerabilities:

In addition, the tech giant published Extended Security Updates (ESUs) for certain paying customers that address most of the above Critical vulnerabilities in end-of-life products (such as Windows 7 and Windows Server 2008). The exceptions are CVE-2021-1643 (HEVC Video) and CVE-2021-1647 (Defender), for which no ESUs are offered.

Microsoft confirmed there were no known exploits against any of these Critical vulnerabilities at the time of the advisories.

Critical Edge browser RCE patch

Microsoft also patched a Microsoft Edge (HTML-based) Memory Corruption Vulnerability, CVE-2021-1705.

A bad actor does not require any privileges to exploit this vulnerability.

Other updates

In addition to the Critical RCEs, Microsoft patched 73 other vulnerabilities across multiple products, including Azure, Developer Tools, Office, SQL Server and Windows. Of these patches, 72 are rated Important and 1 is rated Moderate.

Microsoft also added a MITRE Corporation CVE update (CVE-2020-26870) to help document a vulnerability in Cure53 DOMPurify, open source software used by Visual Studio. Microsoft confirmed that the Visual Studio updates incorporate the Cure53 DOMPurify updates to address the vulnerability.
