Microsoft’s Patch Tuesday update bundle for February 2021 arrived this week. It is the second Patch Tuesday of the year and, like the January update, it addresses a serious zero-day alongside some other publicly known bugs. However, the overall bundle is not as large as the previous one, addressing only 56 vulnerabilities.
Zero-Day And Publicly Known Vulnerabilities
The first notable vulnerability that Microsoft addressed in the February Patch Tuesday is a zero-day affecting the Win32k component.
Identified as CVE-2021-1732, it is an important-severity bug with a CVSS score of 7.8. Exploiting this vulnerability could allow a logged-in adversary with local access to run code with elevated privileges, including admin privileges.
Although the bug had not been publicly disclosed, Microsoft acknowledged that it was being exploited in the wild. US CISA has therefore also issued an alert urging all Windows admins to apply the patch immediately.
Microsoft has also released fixes for 1 critical-severity vulnerability (CVE-2021-26701) and 5 important-severity bugs in different components that became public before the tech giant could release a fix. However, Microsoft has reported no active exploitation of these flaws.
Other Microsoft Patch Tuesday February Updates
Apart from the above, Microsoft addressed 49 other vulnerabilities across different components. These include 10 critical severity flaws that could lead to remote code execution upon exploitation.
Of these 10, Microsoft has specifically warned about two critical bugs (CVE-2021-24074 and CVE-2021-24094), alongside an important-severity denial-of-service flaw (CVE-2021-24086), all affecting the Windows TCP/IP implementation. As stated in Microsoft’s blog post:
“The two RCE vulnerabilities are complex which make it difficult to create functional exploits, so they are not likely in the short term. We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month.”
Another important vulnerability worth mentioning here is CVE-2021-24105.
Discovered by security researcher Alex Birsan, the vulnerability enables a novel supply chain attack that potentially posed a threat to 35+ major firms including PayPal, Apple, Microsoft, Shopify, Tesla, Netflix, Uber, and Yelp. The researcher has explained the details of his findings in a post.
Besides the remaining important-severity vulnerabilities affecting different components, this month’s update bundle also addressed 2 moderate-severity issues. These include a privilege escalation vulnerability (CVE-2021-24109) affecting the Microsoft Azure Kubernetes Service, and a DoS issue (CVE-2021-24080) in the Windows Trust Verification API.
Microsoft has already rolled out the updates for all Windows users. It is now up to users to update their devices as soon as possible to stay protected from these issues.