Tuesday, January 12, 2021

Microsoft Patch Tuesday for Jan. 2021 — Snort rules and prominent vulnerabilities

By Jon Munshaw, with contributions from Asheer Malhotra. 

Microsoft released its monthly security update Tuesday, disclosing 83 vulnerabilities across its suite of products to kick off 2021.

Only 10 of these vulnerabilities are rated critical; two are moderate severity, and the remainder are considered “important.” Users of all Microsoft and Windows products are urged to update their software as soon as possible to avoid possible exploitation of these bugs.

The security updates cover several different products and services, including the Microsoft Defender antivirus software, the Microsoft Remote Procedure Call tools and Bluetooth communication with Windows devices.

Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.

One of the most serious vulnerabilities exists in Microsoft Defender. CVE-2021-1647 affects some versions of Windows dating back to Windows 2008. An attacker could exploit this vulnerability to execute arbitrary code on the victim machine. No action is required to install this update and protect against this vulnerability, according to Microsoft, as the fix is part of Microsoft’s regular updates to its anti-malware products.  

The SharePoint service contains several “important” vulnerabilities. The most notable is CVE-2021-1707, which an attacker who can create a SharePoint site could exploit to execute code remotely within the kernel, provided the logged-in user has the appropriate privileges.

Another important vulnerability (CVE-2021-1709) exists in the Win32k system process and requires no user interaction. An attacker with local access to a machine could exploit it to elevate their privileges and potentially use those privileges to carry out additional attacks.

Talos would also like to specifically highlight four other vulnerabilities we believe users must be aware of: 

  • CVE-2021-1677 — Identity spoofing vulnerability in Azure Active Directory Pod
  • CVE-2021-1705 — Memory corruption vulnerability in the HTML-based version of Microsoft Edge
  • CVE-2021-1648 — Elevation of privilege vulnerability in splwow64
  • CVE-2021-1643 — Code execution vulnerability in HEVC video files

For a complete list of all the vulnerabilities Microsoft disclosed this month, check out its update page.

In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org. 

The rules included in this release that protect against the exploitation of many of these vulnerabilities are 56849 - 56860 and 56865. 
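As a defender-side check that is not part of the Talos post, the following Python scans a local Snort `.rules` file and reports which of the SIDs named above (56849 through 56860, and 56865) are enabled, commented out, or absent from the file. The embedded sample rules file is constructed for this example with placeholder rule bodies; it is not the actual Talos rule text.

```python
import re

# SIDs named in the advisory above: 56849 through 56860, plus 56865.
ADVISORY_SIDS = set(range(56849, 56861)) | {56865}

# Matches the "sid:56849;" option anywhere in a rule body (whitespace tolerated).
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")

def parse_rule_states(rules_text):
    """Return {sid: enabled} for every rule line in a Snort rules file.

    A line that starts with '#' but still carries a rule is treated as a
    disabled rule (the usual way a rule is switched off in a .rules file);
    lines without a sid option are ignored.
    """
    states = {}
    for line in rules_text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        m = _SID_RE.search(stripped)
        if not m:
            continue
        sid = int(m.group(1))
        states[sid] = not stripped.startswith("#")
    return states

def coverage_report(rules_text, wanted=ADVISORY_SIDS):
    """Classify the advisory SIDs as enabled, disabled (commented out), or missing."""
    states = parse_rule_states(rules_text)
    enabled = sorted(s for s in wanted if states.get(s) is True)
    disabled = sorted(s for s in wanted if states.get(s) is False)
    missing = sorted(s for s in wanted if s not in states)
    return {"enabled": enabled, "disabled": disabled, "missing": missing}

# Constructed sample rules file: placeholder msg/content, not the real Talos rules.
SAMPLE_RULES = """
# Constructed sample; rule bodies are placeholders
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER rule A"; flow:to_server,established; sid:56849; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"PLACEHOLDER rule B"; flow:to_server,established; sid:56850; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"PLACEHOLDER rule C"; sid:56865; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"PLACEHOLDER unrelated rule"; sid:1000001; rev:1;)
"""

if __name__ == "__main__":
    for state, sids in coverage_report(SAMPLE_RULES).items():
        print(f"{state:>8}: {sids}")
```

Point `coverage_report` at the contents of your deployed rules file to see which advisory SIDs your sensor is actually running.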
