For Microsoft and Windows users, 2021 starts off with a heavy Patch Tuesday, addressing a total of 83 security vulnerabilities.
Microsoft fixed bugs in the Windows operating system and some issues in cloud-based products, enterprise servers, and developer tools. However, the most dangerous vulnerability resides in Windows Defender, a zero-day tracked as CVE-2021-1647.
Windows Defender Zero-Day exploited in the wild
CVE-2021-1647 is a remote code execution flaw with low attack complexity, so it could be trivial to exploit. According to reports, the vulnerability has been exploited in the wild. Windows users and system administrators should make sure the Microsoft Malware Protection Engine on every host is at version 1.1.17700.4 or later, the first build containing the fix, to mitigate the risk.
How can CVE-2021-1647 zero-day be exploited?
The technical details surrounding the exploit are scarce. What is known is that the bug can be triggered by getting a malicious document onto a vulnerable system that has Windows Defender installed and having the user open it. The Microsoft Malware Protection Engine fix ships through the regular engine and definition update channel, so it is deployed automatically unless system administrators have blocked engine updates.
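The practical check for this bug is whether the Malware Protection Engine on a given host has already reached the fixed build. The PowerShell snippet below is an added example written for this page, not code from Microsoft or from the article; it assumes the built-in Defender module (Windows 10 / Windows Server 2016 and later) and that engine updates are not blocked by policy. It compares the running engine version against 1.1.17700.4 as a proper [version] (a plain string compare would misorder builds such as 1.1.17700.4 and 1.1.9999.1) and, if the host is behind, forces an update and re-checks.

```powershell
# Added example (not from the article): verify the Microsoft Malware Protection Engine
# on this host is at or above the build that fixes CVE-2021-1647, and pull the latest
# engine/signature package if it is not.
# Assumes: Defender PowerShell module present; engine updates not blocked by policy.

$fixedEngine = [version]'1.1.17700.4'   # first engine build containing the fix

# Get-MpComputerStatus reports the running engine as a dotted string; cast to [version]
# so that -lt compares numerically, field by field, rather than as text.
$status = Get-MpComputerStatus
$engine = [version]$status.AMEngineVersion

"Host:             $env:COMPUTERNAME"
"Engine version:   $engine"
"Required (fixed): $fixedEngine"
"Real-time protection enabled: $($status.RealTimeProtectionEnabled)"

if ($engine -lt $fixedEngine) {
    Write-Warning "Engine is older than the CVE-2021-1647 fix; requesting an engine/signature update."
    # Update-MpSignature pulls both definitions and a new engine build when one is available.
    Update-MpSignature -ErrorAction Stop

    $engine = [version](Get-MpComputerStatus).AMEngineVersion
    if ($engine -lt $fixedEngine) {
        Write-Error "Engine still at $engine after update; check that engine updates are not blocked by Group Policy or a WSUS/SCCM approval."
    } else {
        "Updated engine version: $engine (OK)"
    }
} else {
    "Engine is at or above the fixed build (OK)"
}
```

Run it in an elevated session on a single host, or wrap the same logic in Invoke-Command -ComputerName to sweep a fleet; hosts that stay below 1.1.17700.4 after Update-MpSignature are the ones where the automatic engine update has been blocked and need manual attention.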
CVE-2020-1660 in Remote Procedure Call
CVE-2020-1660 is also rated critical, a remote code execution flaw present in almost every supported Windows version. Its CVSS score is 8.8, reflecting low attack complexity. The good news is that the bug is “less likely to be exploited,” as noted by Kevin Breen, director of research at Immersive Labs. It is noteworthy that CVE-2020-1660 is one of five flaws fixed this month in Remote Procedure Call (RPC), a core Microsoft Windows service.
“Some of the more memorable computer worms of the last decade spread automatically by exploiting RPC vulnerabilities,” notes respected security expert Brian Krebs.
CVE-2021-1648 Elevation of Privilege Bug
Another vulnerability addressed in the January 2021 Patch Tuesday that is worth mentioning is CVE-2021-1648, known as “Microsoft splwow64 Elevation of Privilege Vulnerability,” and rated as important. The flaw, reported by Trend Micro’s Zero Day Initiative, affects Windows 8, Windows 10, and Windows Server 2012 and 2019. According to Dustin Childs of the Zero Day Initiative, the vulnerability “was also discovered by Google likely because this patch corrects a bug introduced by a previous patch.”
“The previous CVE was being exploited in the wild, so it’s within reason to think this CVE will be actively exploited as well,” the researcher added.
Did you know that last year’s June Patch Tuesday was the biggest set of updates Microsoft had released up to that point? It contained fixes for a staggering 129 vulnerabilities. On the positive side, despite being the largest Patch Tuesday in the company’s history, it included no zero-day fixes, meaning that none of the vulnerabilities had been exploited in the wild.