Welcome to 2021, a new year and a new series of monthly update reviews. To kick off the new year we have a few bits of general information to catch up on before we get into the main detail, so with no further ado, let’s get started.
Solarwinds
It would be remiss of us not to mention the biggest story of last year, which landed right at the end of December. Without going into too much detail here, which would fill the entire blog, Solarwinds’ Orion monitoring product was the target of a nation state hack resulting in a backdoor being installed as part of its product updates. The discovery of this attack has affected the wider ecosystem of operating systems and other products, as we’ll see later.
Variously referred to as Sunburst, Solarigate and Supernova (the latter a distinct part of the attack itself), and affecting some 18,000 customers, Solarwinds released several updates over the following days culminating in version 2020.2.1 HF2 of the software. Customers are advised to assess and upgrade to this version as a matter of urgency
Adobe
The day has finally come! The king is dead, good riddance to the king! Adobe Flash has officially gone end of life and will no longer be receiving support or updates from Adobe. We’re sure it will kick around for a while yet but in case anyone is still running this long-obsolete tool, now is the time to kick that migration project up a couple of notches.
Aside from the death of Flash, Adobe has released updates for Photoshop and Illustrator, as well as a number of other minor products, but no security updates for the Reader suite this month
Microsoft
On to the usual stuff, and Microsoft released updates for 83 vulnerabilities this month, 10 of which are rated Critical, covering the usual base of Windows desktop and server OSes, Office, and numerous underlying subsystems. In addition, 13 updates were made to Edge last week, marking a big start to the year for Microsoft.
Most notable is CVE-2021-1647, a remote code execution flaw in Windows Defender’s Malware Protection Engine. This bug has been identified as the target of zero-day attacks and may be linked to the Solarwinds incident, making it all the more important to patch promptly.
Adding to the many recent bugs found in Windows RDP, CVE-2021-1674 is a security feature bypass bug that allows an attacker with a low-privileged account to gain greater levels of access to the network than would be permitted.
Lastly from this month, a pair of bugs in SQL and SharePoint (CVE-2021-1636 and CVE-2021-1707) can both be triggered remotely and score low on the complexity rating. Other details are currently scant however the SharePoint bug permits arbitrary code execution in the System context. Plan your updates to these two platforms accordingly.
Microsoft has also been busy removing Adobe Flash from machines as part of the update cycle, so you may find your users being prompted to uninstall it if it’s present. KB4577586 has been available since October 2020 and can be managed through your regular patch management tooling, with several blogs providing information on how to deploy it