This month’s Microsoft Patch Tuesday addresses 83 vulnerabilities. The 10 Critical vulnerabilities cover Windows codecs, Office, HEVC video extensions, RPC runtime, and several other workstation vulnerabilities. Adobe released patches today for Photoshop, Campaign Classic, InCopy, Illustrator, Captivate, Bridge and Animate.
Office and Edge vulnerabilities should be prioritized for workstation-type devices, meaning any system that is used to access email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Microsoft Defender RCE Zero Day
Microsoft patches Defender Remote Code Execution vulnerability (CVE-2021-1647) in today’s patch release for Microsoft Malware Protection Engine. Microsoft stated that this vulnerability was exploited before the patches were made available. This patch should be prioritized.
splwow64 Elevation of Privilege
While Microsoft labeled this issue (CVE-2021-1648) as an elevation-of-privilege vulnerability, it can also be exploited to disclose information, specifically uninitialized memory. Microsoft stated the vulnerability has not been exploited in the wild, although details are available publicly.
Windows Kernel Local Elevation of Privilege
Microsoft updated CVE-2020-17087 for Windows Server 2012 in today’s Patch Tuesday, and users are recommended to apply today’s patches for Windows Server 2012.
We appreciate Microsoft’s acknowledgement of our co-ordinated disclosure of the underlying regression in the Windows Server 2012 version of this security update.
Adobe issued patches today covering multiple vulnerabilities in Adobe Photoshop, Illustrator, Animate, Campaign, InCopy, Captivate and Bridge. The patches for Adobe Campaign are labeled as Priority 2, while the remaining patches are set to Priority 3.
While none of the vulnerabilities disclosed in Adobe’s release are known to be actively attacked today, all patches should be prioritized on systems with these products installed.