Despite the relatively small number of vulnerabilities, administrators have their work cut out for them due to the wide range of products addressed on February Patch Tuesday.
Microsoft resolved 56 vulnerabilities, including one zero-day and six publicly disclosed bugs. The company also distributed the second part of a fix for August’s Zerologon bug for domain controllers that could cause outages if administrators did not plan properly.
Microsoft released February Patch Tuesday security updates for the following products, features and roles: .NET Core, .NET Framework, Azure IoT, developer tools, Microsoft Azure Kubernetes Service, Microsoft Dynamics, Microsoft Edge for Android, Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Windows Codecs Library, DNS Server, Hyper-V, Windows Fax Service, Skype for Business, Sysinternals, System Center, Visual Studio, Windows Address Book, Windows Backup Engine, Windows Console Driver, Windows Defender, Windows DirectX, Event Tracing for Windows, Windows Installer, Windows Kernel, Windows Mobile Device Management, Windows Network File System, Windows PFX Encryption, Windows PKU2U, Windows PowerShell, Windows Print Spooler Components, Windows Remote Procedure Call, Windows TCP/IP and Windows Trust Verification API.
Windows zero-day resolved by February Patch Tuesday security updates
Administrators will want to prioritize an elevation-of-privilege bug in the Windows kernel (CVE-2021-1732) for Windows 10 and corresponding Windows Server platforms that researchers discovered in exploits in the wild. An attacker could already have access to the system and then use the zero-day exploit to gain higher privileges to overtake a system.
Microsoft only rates this flaw as important, which might delay the patch deployment to affected Windows systems, according to Chris Goettl, senior director of product management for security products at Ivanti.
“The Windows OS has other critical vulnerabilities this month, so administrators wouldn’t have missed this, but they might not put the same urgency on it. Companies need to recognize examples like this and adapt their prioritization methods to make sure that they don’t miss important vulnerabilities,” he said.
Microsoft switched the Windows servicing model in 2016 from individual security patches to rollups that include security updates for the month and for previous Patch Tuesdays. This model gives administrators an all-or-nothing choice for patch deployment, which makes it less likely to overlook a patch for zero-days with a rating lower than critical.
Multiple publicly disclosed bugs corrected
Microsoft also corrected publicly disclosed vulnerabilities in six Common Vulnerabilities and Exposures (CVEs).
Two of the vulnerabilities relate to developer technologies. CVE-2021-1721 is a denial-of-service vulnerability rated important that affects the .NET Core development platform and also affects the Visual Studio integrated development environment. CVE-2021-26701 is a critical remote-code execution vulnerability in .NET Core versions 2.1, 3.1 and 5.0.
CVE-2021-1727 is an elevation-of-privilege vulnerability rated important in the Windows installer for supported Windows desktop and server systems.
CVE-2021-24098 is a Windows console driver denial-of-service vulnerability rated important for Windows 10 and corresponding Windows Server versions. Microsoft noted the exploit requires an authenticated user to open a specially crafted file to work.
CVE-2021-24106 is an information disclosure vulnerability rated important in Windows DirectX that could give the attacker access to uninitialized memory.
CVE-2021-1733 refers to an elevation-of-privilege vulnerability rated important in PsExec, which is part of Microsoft’s Sysinternals suite of administrator tools. PsExec is a command-line tool used to run processes on remote systems. Administrators will need to update to version 2.32 before threat actors learn how to weaponize the Windows utility, according to Goettl.
“We can’t live without tools like PsExec, but putting them on systems puts us at significantly more risk,” Goettl said.
Administrators get second dose for Zerologon vulnerability
The second phase of Microsoft’s two-part plan to correct a critical Netlogon elevation-of-privilege bug (CVE-2020-1472) from August will take effect when administrators install the February Patch Tuesday security updates. The fix released this month will turn on domain controller enforcement mode by default, according to a Microsoft Security Response Center blog.
“This will block vulnerable connections from non-compliant devices. [Domain controller] enforcement mode requires that all Windows and non-Windows devices use secure [Remote Procedure Call] with Netlogon secure channel unless customers have explicitly allowed the account to be vulnerable by adding an exception for the non-compliant device,” the company wrote.
The vulnerability, also known as Zerologon, affects all supported versions of Windows Server, including Windows Server 2008 R2 for customers with the Extended Security Update license. An attacker with access to a vulnerable domain controller could exploit the flaw to get administrator access without system credentials. The August security update shielded Windows-based machine accounts, trust accounts and domain controller accounts from Zerologon.
In August, Microsoft announced a delay until Q1 2021 for a full fix that would turn on enforcement mode for Active Directory machine accounts for domain-joined third-party devices to give vendors and administrators time to correct any potential issues. This effort involved evaluating event logs to check for incorrect authentication methods for machines using third-party software to get a fix before installing the February Patch Tuesday rollup, Goettl said.
“By September, Zerologon was actively being exploited, so many organizations already went and turned on enforcement,” he said.
Organizations that switched from legacy authentication with on-premises Active Directory to modern authentication in Azure Active Directory would not be affected by the Zerologon issue, Goettl said.
Check for systems affected by Adobe Reader zero-day
Outside of the Microsoft ecosystem, Adobe issued a fix for a critical zero-day (CVE-2021-21017) in Acrobat Reader affecting Windows systems. Goettl said he often finds organizations only want to deal with patching the Windows OS and tend to ignore third-party utilities, which can be a dangerous practice.
“It doesn’t surprise me to find instances of Acrobat Reader in the server environments, because some application, some tool, some admin needed to install it to read a PDF document,” he said.