Microsoft rolled into 2021 with a fairly benign update cycle for Windows and Microsoft Office systems, delivering 83 updates for January.
Yes, there is an update to Windows defender (CVE-2021-1647) that has been reported as exploited. Yes, there has been a publicly disclosed issue (CVE-2021-1648) in the Windows printing subsystem. But there are no Zero-days and no “Patch Now” recommendations for this month. There are, however, a large number of feature and functionality groups “touched” by these updates; we recommend a comprehensive test of printing and key graphics areas before general Windows update deployment.
Meanwhile, for Office we recommend sticking with a modest-paced rollout with a focus on Word and Excel testing.
Key testing scenarios
Working with Microsoft, we have developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:
- The Microsoft SPLWOW64 sub-system has been updated in how it communicates with the GDI system. Testing scenarios are identical to the November Microsoft update release cycle. We recommend that you run test print jobs from all of your browsers, Office, and your core line of business applications. Hint: print different sizes of documents — go for the larger ones, and try printing to a file (PDF).
After a thorough testing of your printing resources (remember to include remote printing through RDP), you should also test the following areas:
- Bluetooth: connecting/disconnecting network connections. Don’t worry about audio.
- Remote desktop connections: you can’t test these enough (over a VPN)
- Virtualization folders: run through a “CRUD” test (Create, Read, Update, Delete)
- Windows Installer: try a (large) package repair, then reinstall and then check the log files (verbose mode)
- AppX: take all of your AppX packages, and uninstall them (just kidding). OK, maybe just a few.
Each month, Microsoft includes a list of known issues that relate to Windows and platforms that are included in the latest update cycle. I have referenced a few key issues that relate to the latest builds, including:
- Windows 10 1809: System and user certificates might be lost when updating a device from Windows 10, version 1809, or later to a newer version of Windows 10. You can recover from this install/update scenario by following Microsoft’s recommended recovery options for Windows 10found here. Note: Microsoft is actively working on this issue, and we expect a refreshed media set in the coming weeks.
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.” We recommend a complete reinstall of the language pack and then resetting all configuration details. Microsoftoffers some guidance here.
- Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5).” Microsoft has been looking into this issue for a while; I don’t expect a resolution in the short term.
You can also find Microsoft’s summary of known Issues for this release in a single page
This month, we have several major revisions including:
- CVE-2018-8455: This is the second attempt by Microsoft to resolve a Windows kernel issue (the first was in September 2018). No further action required other than applying this month’s update.
- CVE-2020-10689: This is the second (documentation only) update to this patch. No further action required.
- CVE-2020-17087: A documentation/information update only — no further action required.
Mitigations and workarounds
For this January release, Microsoft has not published any potential workarounds or mitigation strategies that apply to this month’s addressed vulnerabilities.
Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft Development platforms (ASP.NET Core, .NET Core and Chakra Core)
- Adobe Flash Playe
We usually have a long list of browser-based functional areas to highlight, but this month (again) we just have the following update rated as critical for Microsoft Edge (CVE-2021-1705). The single security issue addressed in this update is relatively difficult to exploit, requires local interaction and has not been publicly reported. Coming on the heels of many memory corruption clean-up efforts for both Microsoft browsers over the years, this update will require a complete update of all related files for Edge’s local install. Add this update to your standard browser update schedule.
Microsoft has worked to address eight critical and 57 important updates for this update cycle. A vulnerability in Windows Defender (CVE-2021-1647) has been reported as exploited, and a vulnerability in a core subsystem in the Windows printing system (CVE-2021-1648) has been publicly reported. I think that the printing issue and the GDI (CVE-2021-1665) vulnerability may cause testing issues due to their complex interdependencies with other Windows subsystems and applications.
Here are how the patches are dispersed across to the following features (or functional groupings)
- Windows Remote Procedure Call Runtime (CVE-2021-1658, CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1673);
- Windows Graphics (CVE-2021-1665);
- Windows Codecs (CVE-2021-1668, CVE-2021-1643).
Important Updates (grouped by Windows feature or function)
- Windows Defender (CVE-2021-1647 – publicly exploited);
- Microsoft Bluetooth Driver;
- Windows CSC Service;
- Microsoft Graphics and Codecs;
- Windows AppX Deployment Extensions and Windows Hyper-V;
- Windows CryptoAPI;
- Windows Diagnostic Hub, Event Tracing and Windows Event Logging Service;
- Windows Installer and Windows Update Stack;
- Windows Kernel;
- Windows Print Spooler Components (CVE-2021-1648 – publicly reported).
Following the testing recommendations (listed above) I would make this update a priority, noting that the testing cycle may require in-depth analysis, require some hardware (printing) and involve remote users (testing across a VPN). Add these Windows updates to your “Test before Deploy” update release sched
Microsoft has released 11 updates — all rated important — to the Microsoft Office and SharePoint platforms covering the following application or feature groupings:
- Microsoft Office (CVE-2021-1711, CVE-2021-1713 – CVE-2021-1716);
- Microsoft Office SharePoint (CVE-2021-1641, CVE-2021-1707, CVE-2021-1712, CVE-2021-1718 – CVE-2021-1719);
- Microsoft SQL Server (CVE-2021-1636).
This month’s Office-related security issues are benign. No critical issues, and highly complex and difficult-to-exploit vulnerabilities (requiring local access) that are tough to abuse at scale reduce the risk of exposure. The one issue we were worried about was whether the Excel (CVE-2021-1713) and Word (CVE-2021-1716) vulnerabilities could be exploited through a preview pane weakness (often the case with these types of RCE vulnerabilities). Not this month.
Add these updates to your regular Office update schedule.
Microsoft Development Platforms
Microsoft has released three updates to its development platforms, all rated important; they affect the these platforms or applications:
- .NET Repository (CVE-2021-1725);
- ASP.NET core & .NET core (CVE-2021-1723);
- Visual Studio (CVE-2020-26870).
The first two updates to .NET Core and the Microsoft AI bot framework repository are difficult to exploit, non worm-able vulnerabilities, while the third affects an open-source component used by Visual Studio (Cure53 DOM Purify). Given that these are updates to platform SDK, the impact on production code should be minimal.
Add these updates to your standard development update schedule.
Adobe Flash Player
In life there are millstones (yes, there are 1078 individual reported vulnerabilities for Flash, and for Flash alone), milestones — and now we even have software death notices. This month, we finally see the end of Adobe Flash.
If you are an enterprise “consumer” of Flash, your efforts to disable it on your managed systems may raise a number of prompts to uninstall the “swiss cheese” of security (after MSXML) that may cause some concern to users. You can suppress these prompts with some help from the Flash Player administrator’s guide. And, please do us all a favor, no matter how bad it gets, do not add your company to the domain level allow list. Even Adobe feels strongly about this with this quote from the Adobe Flash Player Enterprise Enablement section: “Any use of the domain-level allow list after the EOL Date is strongly discouraged, will not be supported by Adobe, and is entirely at the user’s own risk.”