
Patch Tuesday – January 2021

It’s a quiet start for Microsoft in 2021 as it issues patches for only 80 vulnerabilities, which is considerably lower than most months. Among them are a fix for a zero-day bug in Microsoft’s Defender software and a fix for a flaw publicly disclosed at the tail end of last year by Trend Micro ZDI.

Windows and Windows Server

This month Microsoft fixed a critical zero-day flaw (CVE-2021-1647) in its Defender product, the built-in malware protection software in Windows. The vulnerability is being actively exploited and while Microsoft hasn’t published details, it’s believed that the flaw can be easily exploited by hackers.

KrebsOnSecurity quotes Kevin Breen, director of research at Immersive Labs, as saying “It could be as simple as sending a file. The user doesn’t need to interact with anything, as Defender will access it as soon as it is placed on the system.” The patches for Microsoft Defender are automatically installed by Windows Update unless explicitly blocked by system administrators.

A critical remote code execution (RCE) bug (CVE-2020-1660) in the Remote Procedure Call (RPC) runtime gets patched. RPC is often used to manage communications between Windows devices and it has in the past been a popular mechanism for viruses known as worms. Worms can spread easily between computers without any user interaction. CVE-2020-1660 is one of 5 RPC bugs patched this month.

An elevation of privilege (EoP) bug in the splwow64 service, made public last month by Trend Micro’s Zero-Day Initiative (ZDI) project, has also been patched. Microsoft says that while details about CVE-2021-1648 were publicly available, it wasn’t exploited in the wild.

Exchange, SQL, and SharePoint Server

Microsoft released a patch for an EoP bug in Microsoft SQL Server 2012, 2014, 2016, 2017, and 2019. It is rated important and Microsoft says that an authenticated attacker could send data over a network to an affected SQL Server when configured to run an Extended Event session.

There are 9 patches for SharePoint Server. All are rated important and include EoP, spoofing, and RCE flaws. There are no patches for Exchange Server this month.

Microsoft Office

Microsoft 365 Apps for Enterprise (Click-to-Run) get patches for five important RCE vulnerabilities. Microsoft Office 2010 through 2019 also gets a series of patches for RCE bugs, all rated important.

Adobe Software

Flash Player is now officially dead but that doesn’t mean there won’t be important patches from Adobe. This month sees Adobe patch flaws in Photoshop, Illustrator, Animate, Campaign Classic, InCopy, Captivate, and Bridge. You can find more information about the patches on Adobe’s website.

And that’s it for another month. Happy patching!


IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.