The January 2021 edition of Microsoft Patch Tuesday is here, with patches for over 80 cybersecurity vulnerabilities that affect Microsoft Windows and other software.
Ten of these have received the rating of ‘critical’, signaling they can be exploited by malware to take over unpatched systems without any extra aid or interaction from the user.
Kevin Breen, director of research at Immersive Labs, warns that an infection could take place simply by someone sending an infected file, with the attacker gaining unauthorised access as soon as the file is placed on the system.
That said, an up-to-date Windows Defender is likely to already protect against this attack.
Among the vulnerabilities, the first to note is CVE-2020-1660, a remote code execution flaw that earned a CVSS score of 8.8 out of 10.
Breen believes this attack is easy to reproduce because the vulnerability is low in complexity.
The very same vulnerability is part of a cluster consisting of five bugs in Remote Procedure Call, a core Microsoft service.
In the last decade, certain worms have exploited RPC vulnerabilities to spread automatically.
The good news is that, as Allan Liska, senior security architect at Recorded Future, points out, previous vulnerabilities such as CVE-2019-1409 and CVE-2018-8514 were not widely exploited.
As for the 70 flaws that remain, there is CVE-2021-1709, an elevation of privilege flaw in Windows 8 through Windows 10.
Another flaw to take note of is CVE-2021-1648, an elevation of privilege flaw affecting Windows 8, 10, and certain versions of Windows Server 2012 and 2019.
Meanwhile, updates were released for Adobe Photoshop and Illustrator to address at least eight vulnerabilities.
Since Flash Player has been retired, no updates have been released for it as part of January’s Microsoft Patch Tuesday.