Jan 2021 Patch Tuesday Vulnerabilities Exploited in the Wild

Background

On Tuesday, January 12, 2021, Microsoft released patches for 83 vulnerabilities across several Microsoft products which included 10 critical severity vulnerabilities. What’s notable about this Patch Tuesday release is that Microsoft has indicated that one of the Remote Code Execution (RCE) vulnerabilities (CVE-2021-1647) has been exploited in the wild by threat actors, and a separate privilege escalation vulnerability (CVE-2021-1648) has publicly disclosed PoC exploit code available for the related and incorrectly patched vulnerability CVE-2020-0986.

Based on previous Microsoft Patch Tuesday releases where vulnerabilities have public PoC exploit code or known in the wild exploitation activity, Arctic Wolf assesses with high confidence that threat actors will look to incorporate exploits for CVE-2021-1647 and CVE-2021-1648 into their attack activity.

Analysis

CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability

CVE-2021-1647 is and Remote code execution vulnerability in Microsoft Defender, Microsoft’s antivirus and antispyware solution. The vulnerability exists within the Microsoft Malware Protection Engine, a core component of Microsoft Defender that addresses malicious software. According to Microsoft, CVE-2021-1647 was exploited in the wild as a zero-day.

CVE-2021-1648 | Microsoft splwow64 Elevation of privilege Vulnerability

CVE-2021-1648 is an out-of-bounds (OOB) read vulnerability in Microsoft’s printer driver host, splwow64.exe. The flaw exists due to improper validation of user-supplied data.

Being originally discovered in September 2020 by security researchers at Google, Maddie Stone, and being incompletely patched by Microsoft, this vulnerability has public POC exploit code available for its original CVE-2020-0986 vulnerability here making it likely that new exploit code can be created for CVE-2021-1648.

Successful exploitation would allow an attacker to read data outside of an allocated buffer, access that could be leveraged to elevate privileges and, if chained with other vulnerabilities, could result in arbitrary code execution on the vulnerable system in the context of the current user. This could result in a complete takeover of the system if the current user has administrative permissions.

Solutions and Recommendations

Microsoft has released patches to address both CVE-2021-1647 and CVE-2021-1648 for all the affected software versions and editions. Download the CVE-2021-1647 patch from and the CVE-2021-1648 patch.

References

• Microsoft’s January 2021 Security Updates

Learn more about Arctic Wolf’s Managed Risk solution or request a demo today.