It’s the second Tuesday in February, and that means Microsoft and other software makers are releasing dozens of updates to fix security vulnerabilities. Topping this month’s list are two zero-days under active exploitation and critical network failures that allow attackers to remotely execute malicious code or shut down computers.
The major patch fixes a code execution flaw in Adobe Reader, which, despite its long-standing status, is still widely used for viewing and working with PDF documents. CVE-2021-21017, as the critical vulnerability is tracked, stems from a heap-based buffer overflow. After being tipped off by an anonymous source, Adobe warned that the flaw has been actively exploited in limited attacks targeting Reader users with Windows.
Adobe has not provided additional details about the vulnerability or the in-the-wild attacks that exploit it. Typically, hackers use specially crafted documents sent by email or published online to activate the vulnerability and run code that installs malware on the device running the application. Adobe’s use of the word “limited” probably means that the hackers are concentrating their attacks on a small number of high-value targets.
Microsoft has meanwhile released a fix for a vulnerability in Windows 10 and Windows Server 2019 that is also being actively attacked. The flaw, indexed as CVE-2021-1732, allows attackers to run their malicious code with elevated system privileges.
Chain of exploits?
Hackers usually use this so-called elevation of privilege in addition to attack code that targets an individual vulnerability. The former allows code execution, while the latter ensures that the code is executed with privileges high enough to access sensitive parts of the operating system. Microsoft has acquired JinQuan, MaDongZe, TuXiaoYi and LiHao from DBAPPSecurity Co. Ltd. credited with discovering and reporting the vulnerability.
In a blog published after the vulnerability was patched, the DBAPPSecurity researchers said a sophisticated hacker group called Bitter exploited the vulnerability in “a very limited number of attacks” against targets in China. The attackers were able to use it to escape the security sandbox when targets were using Internet Explorer or Adobe Reader.
“The quality of this vulnerability [is] high and the exploit is advanced,” the researchers wrote. “The use of this in-the-wild zero-day reflects the organization’s strong reserve capacity. The threat organization may have recruited members of a certain strength or purchased them from vulnerability brokers.”
The simultaneous patching of CVE-2021-21017 and CVE-2021-1732, their nexus with Windows, and the ability for CVE-2021-1732 to defeat a major Reader defense raises the clear possibility that in-the- wild attacks are combined exploits for the two vulnerabilities. However, neither Microsoft nor Adobe has provided details confirming this speculation.
Microsoft released a security bulletin on Tuesday urging users to patch three vulnerabilities in the Windows TCP/IP component, which is responsible for sending and receiving Internet traffic. CVE-2021-24074 and CVE-2021-24094 are both rated critical and allow attackers to send maliciously manipulated network packets that execute code. Both flaws also allow hackers to perform denial-of-service attacks, as does a third TCP/IP vulnerability tracked as CVE-2021-24086.
The bulletin said that developing reliable code execution exploits will be difficult, but that DoS attacks are much easier and therefore likely to be exploited in the wild.
“The two RCE vulnerabilities are complex making it difficult to create functional exploits, so they are unlikely to occur anytime soon,” the bulletin said on Tuesday. “We believe that attackers can create DoS exploits much faster and expect that all three issues can be exploited with a DoS attack shortly after release. That’s why we encourage customers to quickly apply Windows security updates this month.”
The three vulnerabilities stem from a flaw in Microsoft’s implementation of TCP/IP and affect all supported versions of Windows. Non-Microsoft deployments are not affected. Microsoft said it had identified the vulnerabilities internally.
In total, Microsoft has patched 56 vulnerabilities across multiple products, including Windows, Office and SharePoint. Microsoft rated 11 of the vulnerabilities as critical. As usual, affected users should install patches as soon as possible. Those who cannot patch immediately should refer to the workarounds mentioned in the advices.
One more word about Adobe Reader. Adobe has devoted significant resources to improving product security in recent years. That said, Reader includes a slew of advanced features that regular users rarely, if ever, need. These advanced features create the kind of attack surface that hackers love. The vast majority of computer users should consider a basic reader that has fewer bells and whistles. Edge, Chrome or Firefox are all suitable replacements.
Updated post to add details from the DBAPPSecurity blog post.