Easing into the new year with a modest January Patch Tuesday

Credit to Author: Greg Lambert | Date: Fri, 15 Jan 2021 12:47:00 -0800

Microsoft rolled into 2021 with a fairly benign update cycle for Windows and Microsoft Office systems, delivering 83 updates for January.

Yes, there is an update to Windows Defender (CVE-2021-1647) that has been reported as exploited. Yes, there has been a publicly disclosed issue (CVE-2021-1648) in the Windows printing subsystem. But there are no zero-days and no “Patch Now” recommendations for this month. There are, however, a large number of feature and functionality groups “touched” by these updates; we recommend a comprehensive test of printing and key graphics areas before general Windows update deployment.

Meanwhile, for Office we recommend sticking with a modest-paced rollout with a focus on Word and Excel testing.

We have included an infographic that, this month, looks a little lopsided, since all of the attention should be on Windows components.

Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:

After a thorough testing of your printing resources (remember to include remote printing through RDP), you should also test the following areas:

Each month, Microsoft includes a list of known issues that relate to Windows and platforms that are included in the latest update cycle. I have referenced a few key issues that relate to the latest builds, including:

You can also find Microsoft’s summary of known issues for this release on a single page.

This month, we have several major revisions including:

For this January release, Microsoft has not published any potential workarounds or mitigation strategies that apply to this month’s addressed vulnerabilities.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

We usually have a long list of browser-based functional areas to highlight, but this month (again) we just have the following update rated as critical for Microsoft Edge (CVE-2021-1705). The single security issue addressed in this update is relatively difficult to exploit, requires local interaction and has not been publicly reported. Coming on the heels of many memory corruption clean-up efforts for both Microsoft browsers over the years, this update will require a complete update of all related files for Edge’s local install. Add this update to your standard browser update schedule.

Microsoft has worked to address eight critical and 57 important updates for this update cycle. A vulnerability in Windows Defender (CVE-2021-1647) has been reported as exploited, and a vulnerability in a core subsystem in the Windows printing system (CVE-2021-1648) has been publicly reported. I think that the printing issue and the GDI (CVE-2021-1665) vulnerability may cause testing issues due to their complex interdependencies with other Windows subsystems and applications.

Here is how the patches are distributed across the following features (or functional groupings):

Critical Updates

Important Updates (grouped by Windows feature or function)

Following the testing recommendations (listed above), I would make this update a priority, noting that the testing cycle may require in-depth analysis, require some hardware (printing) and involve remote users (testing across a VPN). Add these Windows updates to your “Test before Deploy” update release schedule.

Microsoft has released 11 updates — all rated important — to the Microsoft Office and SharePoint platforms covering the following application or feature groupings:

This month’s Office-related security issues are benign. There are no critical issues, and the vulnerabilities are highly complex, difficult to exploit (requiring local access) and tough to abuse at scale, which reduces the risk of exposure. The one issue we were worried about was whether the Excel (CVE-2021-1713) and Word (CVE-2021-1716) vulnerabilities could be exploited through a preview pane weakness (often the case with these types of RCE vulnerabilities). Not this month.

Add these updates to your regular Office update schedule.

Microsoft has released three updates to its development platforms, all rated important; they affect these platforms or applications:

The first two updates, to .NET Core and the Microsoft AI bot framework repository, address difficult-to-exploit, non-wormable vulnerabilities, while the third affects an open-source component used by Visual Studio (Cure53 DOMPurify). Given that these are updates to platform SDKs, the impact on production code should be minimal.

Add these updates to your standard development update schedule.

In life there are millstones (yes, there are 1078 individual reported vulnerabilities for Flash, and for Flash alone), milestones — and now we even have software death notices. This month, we finally see the end of Adobe Flash.

If you are an enterprise “consumer” of Flash, your efforts to disable it on your managed systems may raise a number of prompts to uninstall the “Swiss cheese” of security (after MSXML) that may cause some concern to users. You can suppress these prompts with some help from the Flash Player administrator’s guide. And, please do us all a favor: no matter how bad it gets, do not add your company to the domain-level allow list. Even Adobe feels strongly about this, with this quote from the Adobe Flash Player Enterprise Enablement section: “Any use of the domain-level allow list after the EOL Date is strongly discouraged, will not be supported by Adobe, and is entirely at the user’s own risk.”
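As an added example (not from the original article or from Adobe), the following Python audit reads the text of a Flash Player `mms.cfg` file, reports whether the EOL uninstall prompt is suppressed and flags any domain-level allow-list entries. The key names `EOLUninstallDisable`, `EnableAllowList` and `AllowListUrlPattern` come from Adobe's administration guide rather than from this page, so check them against your copy; the sample file contents and the rule for what counts as "domain-level" are assumptions made for illustration.

```python
# Constructed sample mms.cfg content (not taken from a real system).
SAMPLE_MMS_CFG = """\
# Flash Player mms.cfg
EOLUninstallDisable=1
EnableAllowList=1
AllowListUrlPattern=https://intranet.example.test/apps/timesheet/clock.swf
AllowListUrlPattern=*://*.example.test/
SilentAutoUpdateEnable=0
"""

TRUE_VALUES = ("1", "true")


def parse_mms_cfg(text):
    """Return (key, value) pairs. Keys can repeat, so a list is kept, not a dict."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        pairs.append((key.strip().lower(), value.strip()))
    return pairs


def is_domain_level(pattern):
    """Assumed heuristic: a wildcard host, or no specific path, covers a whole domain."""
    rest = pattern.split("://", 1)[-1]
    host, _, path = rest.partition("/")
    return "*" in host or path.strip("*") == ""


def audit(text):
    """Summarise the EOL-relevant settings found in one mms.cfg file."""
    report = {"prompt_suppressed": False, "allow_list_enabled": False,
              "domain_level_patterns": []}
    for key, value in parse_mms_cfg(text):
        if key == "eoluninstalldisable":
            report["prompt_suppressed"] = value.lower() in TRUE_VALUES
        elif key == "enableallowlist":
            report["allow_list_enabled"] = value.lower() in TRUE_VALUES
        elif key == "allowlisturlpattern" and is_domain_level(value):
            report["domain_level_patterns"].append(value)
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_MMS_CFG))
```

A non-empty `domain_level_patterns` list while `allow_list_enabled` is true is the configuration the Adobe quote above warns against.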