January 2021 Patch Tuesday – 83 Vulnerabilities, 10 Critical, One Zero Day, Adobe

This month’s Microsoft Patch Tuesday addresses 50 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.

Workstation Patches

Office and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Microsoft Defender RCE Zero Day

Microsoft patched a Remote Code Execution vulnerability in Defender (CVE-2021-1647) in today’s release for the Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.

splwow64 Elevation of Privilege

While Microsoft labeled this issue (CVE-2021-1648) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.

Windows Kernel Local Elevation of Privilege

Microsoft updated CVE-2020-17087 for Windows Server 2012 in today’s Patch Tuesday, and users are advised to apply today’s patches for Windows Server 2012.

We appreciate Microsoft’s acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.

Adobe

Adobe issued patches today covering multiple vulnerabilities in Adobe Photoshop, Illustrator, Animate, Campaign, InCopy, Captivate and Bridge. The patches for Adobe Campaign are labeled as Priority 2, while the remaining patches are set to Priority 3.

While none of the vulnerabilities disclosed in Adobe’s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.

About Patch Tuesday

Patch Tuesday QIDs are published at Security Alerts, typically late in the evening of Patch Tuesday.