Microsoft patched 83 vulnerabilities, including a 0-day bug in Defender
On the first “Update Tuesday” of 2021, Microsoft patched a 0-day vulnerability in Defender, one of 83 vulnerabilities fixed across the company’s products, 10 of which were rated critical.
Patches were released for Windows, the Edge browser, Microsoft Office and Microsoft Office Services and Web Apps, the Microsoft Windows Codecs Library, Visual Studio, SQL Server, the Microsoft Malware Protection Engine, .NET Core, .NET Repository, ASP.NET, and Azure.
The biggest issue this month is undoubtedly a zero-day vulnerability in the Microsoft Defender antivirus that attackers have already exploited. The bug is tracked as CVE-2021-1647 and is described as an RCE vulnerability in the Malware Protection Engine (mpengine.dll): an attacker could execute arbitrary code on a vulnerable system simply by getting the victim to open a malicious document.
“January’s patch release represents an increase over last month’s batch and features this year’s first zero-day exploit for operations teams to tackle – a critical remote code execution [RCE] vulnerability within Microsoft Defender”, said Automox senior product marketing manager Justin Knapp.
Microsoft says the 0-day was exploitable only under certain conditions and, although real attacks using it were detected, considers those attacks theoretical and the exploit experimental. That does not rule out the emergence of more reliable exploits in the future.
Although there are no details about the detected attacks so far, experts at the Trend Micro Zero-Day Initiative believe that this vulnerability may have played some role during the sensational hack of SolarWinds.
Microsoft has released the fix in Malware Protection Engine version 1.1.17700.4; the update requires no user interaction, since engine updates are installed automatically.
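Because engine updates arrive through the Defender update channel rather than through the usual Windows Update patch, it is worth confirming that the engine on a given host actually reached the fixed version rather than assuming it did. The following PowerShell snippet is an added example, not code from the article or from Microsoft; it uses the built-in Defender cmdlet Get-MpComputerStatus, whose AMEngineVersion property reports the running engine version, and compares it against the 1.1.17700.4 version cited above. The function name Test-MpEngineFixed is an assumption of this example.

```powershell
# Added example (not from the article): verify the local Microsoft Malware
# Protection Engine is at or above the version the article names as fixed.
# Requires the Defender PowerShell module present on Windows 10 / Server 2016+.

$fixedEngine = [version]'1.1.17700.4'   # fixed engine version cited in the article

function Test-MpEngineFixed {
    param([version]$MinimumVersion = $fixedEngine)

    # Get-MpComputerStatus exposes the running engine and signature state.
    $status  = Get-MpComputerStatus -ErrorAction Stop
    $current = [version]$status.AMEngineVersion

    [pscustomobject]@{
        Computer       = $env:COMPUTERNAME
        EngineVersion  = $current
        MinimumVersion = $MinimumVersion
        Fixed          = ($current -ge $MinimumVersion)
        SignatureAge   = $status.AntivirusSignatureAge          # days since last signature update
        LastUpdated    = $status.AntivirusSignatureLastUpdated
    }
}

$result = Test-MpEngineFixed
$result | Format-List

if (-not $result.Fixed) {
    # The engine is normally updated together with signatures; a stale engine
    # usually means the update channel (WSUS, Intune, direct) is not delivering.
    Write-Warning "Engine $($result.EngineVersion) is below $($result.MinimumVersion); run Update-MpSignature and check update delivery."
}
```

Run it locally on one host, or wrap the call in Invoke-Command to collect the same object from many machines and filter on the Fixed property; a host whose signatures are also days old is a sign the update channel itself is broken rather than that this one update was missed.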
“Whether it’s patching zero-day vulnerabilities within a 24-hour window or implementing strong password protocols, the need for security diligence has never been more evident. The critical Windows Defender RCE, assigned CVE-2021-1647, exists in Windows 7 through 10, and Server 2008 through 2019, but as Recorded Future’s Allan Liska explained, should not be problematic to overcome”, — added Justin Knapp.
Other issues this month include a vulnerability in the splwow64 Windows service that could be abused for privilege escalation (CVE-2021-1648). Although Trend Micro’s Zero-Day Initiative published a detailed description of this bug last month, the vulnerability has not been used in attacks.