Compared to previous months, February 2021 Patch Tuesday saw relatively few patches released by Microsoft to correct flaws across its range of products, although several of the vulnerabilities have already been publicly disclosed and one patch has been released to fix an actively exploited zero-day flaw that affects Windows 10 and Windows Server 2019.
In total, 56 vulnerabilities have been fixed this month, 11 of which are critical. The fixes correct flaws in Windows components, .NET Framework, Azure IoT, Azure Kubernetes Service, Microsoft Edge for Android, Exchange Server, Office, Office Services and Web Apps, Skype for Business and Lync, and Windows Defender.
The zero-day flaw is a Windows Win32k elevation of privilege vulnerability tracked as CVE-2021-1732. The vulnerability has only been rated as important because a user would have to be logged in to exploit it, but since it is being actively exploited in real-world attacks it should certainly be prioritized. If exploited, a logged-in user could gain the privileges to execute code in the context of the kernel and gain SYSTEM-level privileges.
Six vulnerabilities were publicly disclosed before a patch was released:
- Windows Installer Elevation of Privilege Vulnerability – CVE-2021-1727
- Sysinternals PsExec Elevation of Privilege Vulnerability – CVE-2021-1733
- Windows Console Driver Denial of Service Vulnerability – CVE-2021-24098
- Windows DirectX Information Disclosure Vulnerability – CVE-2021-24106
- .NET Core and Visual Studio Denial of Service Vulnerability – CVE-2021-1721
- .NET Core Remote Code Execution Vulnerability – CVE-2021-26701
Microsoft has also patched a vulnerability in Azure Artifactory – CVE-2021-24105 – that security researchers used in a PoC attack on Microsoft systems, which also affects Apple, Netflix, PayPal, Yelp, Tesla, and other companies.
Microsoft has urged companies to patch two critical vulnerabilities and one high-severity flaw in Windows TCP/IP which affect Windows server and client versions starting with Windows 7. These flaws can all be exploited remotely by unauthenticated attackers.
Two of the flaws allow remote code execution and the other can be used in a denial-of-service attack. The RCE flaws (CVE-2021-24074, CVE-2021-24094) are difficult to exploit, so attacks exploiting these flaws may take time, but Microsoft believes the DoS flaw (CVE-2021-24086) will be exploited soon after the patch has been released. Microsoft has supplied workarounds in case it is not possible to immediately patch these three flaws.
The remaining critical vulnerabilities that should be prioritized are RCE flaws in Windows Print Spooler Components (CVE-2021-24088), Windows Fax Service (CVE-2021-1722, CVE-2021-27077), DNS Server (CVE-2021-24078), Microsoft Windows Codecs Library (CVE-2021-24081, CVE-2021-24091), and Microsoft Graphics Component (CVE-2021-24093).