Microsoft has released its January 2021 Patch Tuesday security updates, which fix a total of 83 vulnerabilities affecting a wide range of the company’s products, including a zero-day issue that has been actively exploited in real-world attacks.
The flaw, tracked as CVE-2021-1647, is described as a remote code execution (RCE) vulnerability that allows malicious actors to execute code on vulnerable devices by tricking a user into opening a malicious document on a system where Windows Defender is installed. The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can pass specially crafted input to the application and execute arbitrary code on the system.
CVE-2021-1647 affects the following software versions:
- Microsoft Security Essentials: All versions
- Windows Defender: on Windows 8.1, Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703, Windows RT 8.1, Windows Server 2019, Windows 7 for 32-bit Systems Service Pack 1, Windows Server 2008, Windows Server 2012
- Microsoft System Center Endpoint Protection: 2012, 2012 R2
The vulnerability was fixed in Microsoft Malware Protection Engine v1.1.17700.4.
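To verify that hosts have reached the fixed engine build, the following added example (not from Microsoft or the original article) compares Malware Protection Engine versions against 1.1.17700.4. The inventory rows and host names are constructed sample data, and `Test-MpEngineFixed` is a hypothetical helper name; `Get-MpComputerStatus` and its `AMEngineVersion` property are from the built-in Defender module.

```powershell
# Fixed engine version, taken from the article.
$FixedEngine = [version]'1.1.17700.4'

function Test-MpEngineFixed {
    # Hypothetical helper: classifies one engine version string as
    # 'Patched', 'Vulnerable' or 'Unknown' (empty or unparsable value).
    param([string]$EngineVersion)
    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        return 'Unknown'
    }
    # Compare as [version], not as strings: a string comparison would
    # rank '1.1.9000.1' above '1.1.17700.4'.
    if ($parsed -ge $FixedEngine) { 'Patched' } else { 'Vulnerable' }
}

# Constructed sample inventory (hypothetical hosts and versions), in the
# shape an export of Get-MpComputerStatus results might take.
$inventory = @'
ComputerName,AMEngineVersion
WS-001,1.1.17600.5
WS-002,1.1.17700.4
SRV-003,1.1.17800.5
WS-004,
'@ | ConvertFrom-Csv

$inventory | ForEach-Object {
    [pscustomobject]@{
        ComputerName  = $_.ComputerName
        EngineVersion = $_.AMEngineVersion
        Status        = Test-MpEngineFixed $_.AMEngineVersion
    }
} | Sort-Object Status -Descending | Format-Table -AutoSize

# Check the local machine when the Defender cmdlets are available.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $local = (Get-MpComputerStatus).AMEngineVersion
    '{0}: engine {1} is {2}' -f $env:COMPUTERNAME, $local,
        (Test-MpEngineFixed $local)
}
```

Hosts reported as `Unknown` returned no engine version and should be checked by hand rather than assumed patched.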
Besides CVE-2021-1647, the company has also fixed a security flaw (CVE-2021-1648) in the Windows splwow64 service that could be exploited to elevate privileges and bypass security restrictions.
In addition to the above flaws, the January Patch Tuesday release addresses a number of high-risk issues across multiple products, including Microsoft Word, Excel, Office, Microsoft Windows Media Foundation, Microsoft DTV-DVD Video Decoder, and Microsoft HEVC Video Extensions.