February 2021's Patch Tuesday has come and gone. As ever, Microsoft pushed out numerous important security fixes to patch Windows 10 vulnerabilities.
This month, Microsoft's patches fixed 11 critical vulnerabilities, one of which was a zero-day exploit that was being actively exploited in the wild before Tuesday's patches.
Microsoft Patches Critical Vulnerabilities
In terms of sheer numbers, February 2021's Patch Tuesday wasn't the heaviest of hitters. Microsoft issued patches for a total of 64 vulnerabilities across its numerous product lines.
The biggest vulnerability of note was CVE-2021-1732, a zero-day exploit allowing an escalation of privilege in Windows Win32k—the Windows operating system kernel. If exploited, the attacker could execute code with elevated privilege, which could allow complete control of the target system.
According to some security reports, this escalation of privilege bug was being actively exploited before the security patch. Microsoft's patch notes thank the security team at DBAPPSecurity, whose report details how the zero-day was exploited. The Chinese security firm believes the exploit was the work of a sophisticated attacker, potentially an APT.
Elsewhere, three critical vulnerabilities each score 9.8 on the CVSS scale (which ranks vulnerabilities). 9.8 lands at the very top of the vulnerabilities scale, so they're very much worth patching immediately.
CVE-2021-24078 is a remote code execution bug that affects the Windows DNS server component. If exploited, an attacker could hijack domain name traffic inside corporate environments, leading to traffic being redirected to dangerous websites, content, or malware.
CVE-2021-24074 and CVE-2021-24094 both concern TCP/IP vulnerabilities. These two vulnerabilities carry such importance that Microsoft published a separate blog detailing the issues. In short, the vulnerabilities "are complex which makes it difficult to create functional exploits, so they're not likely [to be exploited] in the short term."
6 Vulnerabilities Already Public
One point of interest for this month's Patch Tuesday is the number of vulnerabilities already made public. Before Microsoft revealed its full list of bug patches, six vulnerabilities were already disclosed:
- CVE-2021-1721: .NET Core and Visual Studio Denial of Service Vulnerability
- CVE-2021-1733: Sysinternals PsExec Elevation of Privilege Vulnerability
- CVE-2021-26701: .NET Core Remote Code Execution Vulnerability
- CVE-2021-1727: Windows Installer Elevation of Privilege Vulnerability
- CVE-2021-24098: Windows Console Driver Denial of Service Vulnerability
- CVE-2021-24106: Windows DirectX Information Disclosure Vulnerability
While this is unusual, Microsoft also notes that none of these vulnerabilities were being exploited before the release of the patches.
As ever, you should update your Windows 10 system and other Microsoft products as soon as you can. The patches are already available on Windows 10 if you head to Settings > Windows Update and select Download or Install Now.