Microsoft has released the February 2021 Security updates that includes patches for 57 vulnerabilities, 11 of those rated Critical. Moreover, the tech giant warned of a Win32k Privilege Escalation vulnerability CVE-2021-1732 exploited in wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products:
- .NET Core
- .NET Framework
- Azure IoT
- Developer Tools
- Microsoft Azure Kubernetes Service
- Microsoft Dynamics
- Microsoft Edge for Android
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Windows Codecs Library
- Role: DNS Server
- Role: Hyper-V
- Role: Windows Fax Service
- Skype for Business
- System Center
- Visual Studio
- Windows Address Book
- Windows Backup Engine
- Windows Console Driver
- Windows Defender
- Windows DirectX
- Windows Event Tracing
- Windows Installer
- Windows Kernel
- Windows Mobile Device Management
- Windows Network File System
- Windows PFX Encryption
- Windows PKU2U
- Windows PowerShell
- Windows Print Spooler Components
- Windows Remote Procedure Call
- Windows TCP/IP
- Windows Trust Verification API.
Readers can review the February 2021 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.
Win32k Privilege Escalation vulnerability
Microsoft patched a High severity Win32k Privilege Escalation vulnerability CVE-2021-1732 that affects multiple versions of Windows 10 and Windows Server versions.
Microsoft warned there was “exploitation detected” on this vulnerability.
To safeguard against future attacks, Microsoft included the patch as part of the monthly patch update.
Critical RCE vulnerabilities
Microsoft addressed 11 Critical remote code execution (RCE) vulnerabilities. The patches cover Windows, Windows Defender, as well as Extended Security Updates (ESU) for end of life software.
A breakdown of the RCE vulnerabilities and impacted products include:
- CVE-2021-1722 (Windows Fax Service)
- CVE-2021-24074 (Windows TCP/IP)*
- CVE-2021-24077 (Windows Fax Service)
- CVE-2021-24078 (Windows DNS Server)*
- CVE-2021-24081 (Microsoft Windows Codecs Library)
- CVE-2021-24088 (Windows Camera Codec Pack)
- CVE-2021-24091 (Windows Camera Codec Pack)
- CVE-2021-24093 (Windows Graphics Component)
- CVE-2021-24094 (Windows TCP/IP)*
- CVE-2021-24112 (.NET Core)
- CVE-2021-26701 (.NET Core).
*Update February 12, 2021: Microsoft confirmed that “exploitation is more likely” for three of the listed vulnerabilities (in bold).
Of special note, one of these RCE vulnerabilities affects Windows DNS Server (CVE-2021-24078). This vulnerability should be prioritized for patching, along with TCP/IP vulnerabilities CVE-2021-24074 and CVE-2021-24094. All three sport a CVSSv3 base score of 9.8.
Other security updates
In addition to the Critical RCEs, Microsoft also patched 46 other vulnerabilities across multiple products to include Azure, Browser, Developer Tools, Exchange Server, Microsoft Office, Microsoft Dynamics, System Center and Windows.
Of these patches, 44 are rated Important and 2 are rated Moderate.
Finally, Adobe issued patches that address multiple vulnerabilities in Adobe Reader, Acrobat, Magento, Photoshop, Animate, Illustrator and Dreamweaver.
Adobe also warned that they have received reports of exploits in the wild of CVE-2021-21017 targeting Adobe Reader on Windows systems.
- FireEye publishes Microsoft 365 tools and hardening strategies to defend against SolarWinds attackers
- Microsoft January 2021 Security Updates (to include zero-day RCE patch)
- Microsoft: Widespread Adrozek malware campaign hijacks browsers on thousands of systems
- Microsoft warns of ongoing exploits against Zerologon vulnerability (CVE-2020-1472)
- Microsoft releases security update for Edge, zero-day exploited in the wild