The last few days have been busy for IT admins who have to deal with an avalanche of security updates rolled out by multiple vendors as part of their monthly patch process. Specifically, Microsoft patched a total of 56 vulnerabilities affecting its various products as part of its February 2021 Patch Tuesday release, including a Windows zero-day vulnerability.
Tracked as CVE-2021-1732, the zero-day flaw is an elevation of privilege bug in Win32k, a component of the Windows operating system. The vulnerability exists due to a boundary error in the Win32k.sys driver in the Windows kernel. A local user can run a specially crafted program to trigger memory corruption and execute arbitrary code on the system with elevated privileges.
According to the Chinese security firm DBAPPSecurity, the zero-day was used in campaigns orchestrated by an advanced threat actor known as Bitter, focused on targeting Pakistani and Chinese organizations and users.
In addition to CVE-2021-1732, Microsoft fixed numerous publicly disclosed vulnerabilities, including a Windows Installer Elevation of Privilege Vulnerability (CVE-2021-1727) and a Sysinternals PsExec Elevation of Privilege Vulnerability (CVE-2021-1733). None of these bugs were observed being exploited in the wild.
Microsoft's February 2021 Patch Tuesday also addresses multiple high-risk flaws impacting Microsoft Windows DNS Server, Microsoft Excel, Windows TCP/IP, Microsoft Package Managers Configurations and other products.
Adobe issued a batch of security updates resolving multiple dangerous vulnerabilities affecting its various software platforms, including Adobe Acrobat and Reader, Photoshop, Illustrator, Animate, Dreamweaver and the Magento e-commerce platform. It is worth noting that the updates for Adobe Acrobat and Reader include a fix for a zero-day vulnerability that has been exploited in real-world attacks.
Tracked as CVE-2021-21017, the zero-day is described as a heap-based buffer overflow that stems from a boundary error when processing PDF files. A hacker could use this flaw to achieve remote code execution by tricking a victim into opening a malicious PDF document.
Mozilla released an update for Firefox that patches a buffer overflow vulnerability that can be chained with other security flaws to achieve arbitrary code execution. The vulnerability exists due to a boundary error within the ANGLE graphics library when calculating depth pitch for compressed textures. A remote attacker can create a specially crafted web page, trick the victim into opening it, trigger memory corruption and execute arbitrary code on the target system.
SAP released several security advisories on February 2021 Security Patch Day, including one that addresses a high-risk input validation error flaw (CVE-2021-21477) in SAP Commerce. This issue exists due to an unspecified vulnerability in SAP Commerce. A remote authenticated user can send a specially crafted request to the application and execute arbitrary code on the system. CVE-2021-21477 impacts SAP Commerce versions 1808, 1811, 1905, 2005 and 2011.
Siemens fixed over 20 security vulnerabilities affecting JT2Go, a 3D viewing tool for JT data, and Teamcenter Visualization, a solution that enables enterprise users to access documents, 2D drawings and 3D models. More than half of these flaws could lead to remote code execution. The affected software includes Drawings SDK versions before 2021.11, JT2Go versions before 18.104.22.168 and Teamcenter Visualization versions before 22.214.171.124.
Nine new vulnerabilities have been discovered across several TCP/IP stacks embedded in millions of OT, IoT and IT devices. All of the vulnerabilities are linked to a weakness in the TCP/IP protocol’s generation of the Initial Sequence Number (ISN), a 32-bit randomly generated number that is used when establishing a new session. The exploitation of these flaws could result in a denial of service, authentication bypass or malicious code injection.
The affected TCP/IP stacks are: MPLAB Net (CVE-2020-27636), PicoTCP and PicoTCP-NG (CVE-2020-27635), FNET (CVE-2020-27633), uIP and Contiki-OS (CVE-2020-27634), NDKTCPIP (CVE-2020-27632), CycloneTCP (CVE-2020-27631), uC/TCP-IP (CVE-2020-27630, unpatched), Nut/Net (CVE-2020-27213, unpatched), Nucleus NET and Nucleus ReadyStart (CVE-2020-28388).
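The ISN weakness above comes down to one question: can an observer who has seen a few sequence numbers guess the next one? The following added example (written for this page; it is not code from the article, from Forescout, or from any of the stacks listed) contrasts a constructed generator that steps a global counter by a fixed amount with one that follows the RFC 6528 scheme (a 4-microsecond clock plus a keyed hash of the connection 4-tuple; HMAC-SHA256 is this example's choice of hash function), and runs a simple predictability audit over a sample of ISNs from each. The class and function names, the 4-tuples and the secret are all invented for the example.

```python
import hashlib
import hmac
import os
import time
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# A TCP connection identifier: (local_ip, local_port, remote_ip, remote_port)
Conn = Tuple[str, int, str, int]
MASK32 = 0xFFFFFFFF


class WeakIsnGenerator:
    """Constructed anti-pattern: one global counter stepped by a fixed
    amount per connection. One observed ISN reveals every later one."""

    def __init__(self, seed: int = 0x1000, step: int = 64000) -> None:
        self._counter = seed & MASK32
        self._step = step

    def next_isn(self, conn: Conn) -> int:
        self._counter = (self._counter + self._step) & MASK32
        return self._counter


class Rfc6528IsnGenerator:
    """RFC 6528 scheme: ISN = M + F(4-tuple, secret), where M is a clock that
    ticks every 4 microseconds and F is a keyed hash of the connection
    identifier. HMAC-SHA256 is this example's choice for F (the RFC's own
    text describes MD5 but leaves the function open)."""

    def __init__(self, secret: Optional[bytes] = None,
                 clock: Optional[Callable[[], int]] = None) -> None:
        self._secret = secret if secret is not None else os.urandom(32)
        # 250,000 ticks per second == one tick every 4 microseconds
        self._clock = clock if clock is not None else (lambda: int(time.monotonic() * 250_000))

    def next_isn(self, conn: Conn) -> int:
        local_ip, local_port, remote_ip, remote_port = conn
        ident = f"{local_ip}:{local_port}->{remote_ip}:{remote_port}".encode()
        f = int.from_bytes(hmac.new(self._secret, ident, hashlib.sha256).digest()[:4], "big")
        return (self._clock() + f) & MASK32


def sample_isns(gen, count: int, local: Tuple[str, int] = ("10.0.0.5", 443)) -> List[int]:
    """Open `count` constructed connections from distinct client ports and record each ISN."""
    return [gen.next_isn((local[0], local[1], "192.0.2.10", 40000 + i)) for i in range(count)]


def audit_isns(isns: List[int], max_hit_rate: float = 0.05) -> Dict[str, object]:
    """Predictability check: how often would 'previous ISN + the most common
    step' have guessed the next ISN? A sound generator makes that guess
    almost never right; a constant or incrementing one makes it always right."""
    deltas = [(b - a) & MASK32 for a, b in zip(isns, isns[1:])]
    if not deltas:
        raise ValueError("need at least two ISN samples")
    step, hits = Counter(deltas).most_common(1)[0]
    hit_rate = hits / len(deltas)
    return {
        "samples": len(isns),
        "distinct_deltas": len(set(deltas)),
        "most_common_delta": step,
        "hit_rate": hit_rate,
        "predictable": hit_rate > max_hit_rate,
    }


if __name__ == "__main__":
    print("weak:   ", audit_isns(sample_isns(WeakIsnGenerator(), 512)))
    print("rfc6528:", audit_isns(sample_isns(Rfc6528IsnGenerator(), 512)))
```

The weak generator is flagged with a single distinct delta and a hit rate of 1.0; the RFC 6528 generator yields a different delta for practically every pair of connections, so the same guess succeeds at roughly chance level. The audit only looks at first-order differences, which is enough to catch constant and incrementing ISNs; a stack whose ISN comes from a low-quality PRNG would need the distribution of the values themselves examined as well.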