Patch Tuesday Highlights – January 2021

 
For many, the new year brings refocused energy and determination to tackle fresh opportunities in our lives. I wish each of you a happy New Year and success in all that you hope to accomplish this year…unless, of course, you are a threat actor looking for opportunities provided by software vulnerabilities!

With that thought in mind, the first Patch Tuesday of 2021 saw Microsoft resolve 83 vulnerabilities, with 10 of those vulnerabilities rated as Critical. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

  • 2021 is Year 2 of Microsoft’s Extended Security Updates (ESU) program for Windows 7 / Windows Server 2008. If you have purchased the Year 2 program from Microsoft, you can manually download the monthly updates from the Microsoft Update Catalog and use the Custom Patch feature in ZENworks Patch Management to distribute the updates to devices. Or, if you want to receive the updates through the ZENworks Patch Management patch feed, contact your Sales Account Representative or email zen@microfocus.com for details about the add-on subscription.
  • As a reminder, Adobe Flash Player general end-of-life was December 31, 2020. Last October, Microsoft released an update (KB4577586) that removes Adobe Flash Player versions installed through Windows, Internet Explorer, and Edge. ZENworks Patch Management includes this update as “Update for Removal of Adobe Flash Player for <Windows Version>” released on October 27, 2020. If you have Adobe Flash Player versions installed by other means, Adobe provides both Windows and Mac removal instructions.

Quick Take

  • Microsoft released fixes for 83 vulnerabilities, including one zero-day vulnerability and one publicly disclosed vulnerability.
  • CVE-2021-1647 is a zero-day exposure in the Microsoft Malware Protection Engine (i.e. Microsoft Windows Defender). If you are using auto-updates this should already be taken care of by the product. There’s a good article here.
  • CVE-2021-1648 is a publicly disclosed vulnerability described as “Microsoft splwow64 Elevation of Privilege Vulnerability”. It is present in all Windows operating systems from Windows 8.1 onward.
  • Servicing Stack Updates this month: Windows 10 1809/Server 2019, Windows 10 1909/Windows Server 1909, Windows 10 2004/Windows Server 2004, and Windows 10 20H2/Windows Server 20H2.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB4598480). It is not a prerequisite for January updates.
  • CRITICAL Severity: The cumulative update (KB4598230) resolves 59 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).

Windows Server 2016 Updates

  • CRITICAL Severity: The cumulative update (KB4598243) resolves 55 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).

Windows 10 Updates

  • There is a new Servicing Stack Update for versions 1809 (KB4598480), 1909 (KB4598479), 2004 (KB4598481), and 20H2 (KB4598481). It is not a prerequisite for January updates.
  • CRITICAL Severity: The cumulative update (KB number varies by version) resolves up to 64 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).

Windows 8.1 / Windows Server 2012 R2 Updates

  • CRITICAL Severity: The Security Monthly Quality Rollup (KB4598285) resolves 42 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).
  • CRITICAL Severity: The Security Only Quality Update (KB4598275) resolves 42 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).

Windows Server 2012 Updates

  • CRITICAL Severity: The Security Monthly Quality Rollup (KB4598278) resolves 38 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).
  • CRITICAL Severity: The Security Only Quality Update (KB4598297) resolves 38 new CVEs, including one publicly disclosed vulnerability (CVE-2021-1648).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB4598279) resolves 35 new CVEs. None have public disclosures or known exploits.
  • CRITICAL Severity: The Security Only Quality Update (KB4598289) resolves 35 new CVEs. None have public disclosures or known exploits.

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB4598288) resolves 32 new CVEs. None have public disclosures or known exploits.
  • CRITICAL Severity: The Security Only Quality Update (KB4598287) resolves 32 new CVEs. None have public disclosures or known exploits.

Microsoft SharePoint Server

Microsoft Office 2010–2016 (Windows) and 2016–2019 (Mac)

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

Microsoft SQL Server 2012 – 2019

  • IMPORTANT Severity: The Security Update resolves 1 CVE (CVE-2021-1636) depending on the version. None have public disclosures or known exploits.

Third-Party Security Updates

  • Adobe Acrobat and Reader (resolves 1 CVE)
  • Google Chrome 87.0.4280.141 (resolves 23 CVEs)
  • Firefox 84.0.2 and Firefox 78.6.1 (resolves 1 CVE)
  • Foxit Reader and Foxit Enterprise Reader 10.1.1 (resolves 6 CVEs)
  • Thunderbird 78.6.1 (resolves 1 CVE)
  • Wireshark 3.2.9 (resolves 3 CVEs)
  • Wireshark 3.4.2 (resolves 5 CVEs)
