For the first patch Tuesday of 2021, Microsoft released security updates addressing a total of 83 flaws spanning as many as 11 products and services, including an actively exploited zero-day vulnerability.
The latest security patches cover Microsoft Windows, Edge browser, ChakraCore, Office and Microsoft Office Services, and Web Apps, Visual Studio, Microsoft Malware Protection Engine, .NET Core, ASP .NET, and Azure. Of these 83 bugs, 10 are listed as Critical, and 73 are listed as Important in severity.
The most severe of the issues is a remote code execution (RCE) flaw in Microsoft Defender (CVE-2021-1647) that could allow attackers to infect targeted systems with arbitrary code.
Microsoft Malware Protection Engine (mpengine.dll) provides the scanning, detection, and cleaning capabilities for Microsoft Defender antivirus and antispyware software. The last version of the software affected by the flaw is 1.1.17600.5, before it was addressed in version 1.1.17700.4.
The bug is also known to have been actively exploited in the wild, although details are scarce on how widespread the attacks are or how this is being exploited. It’s also a zero-click flaw in that the vulnerable system can be exploited without any interaction from the user.
Tuesday’s patch also rectifies a privilege escalation flaw (CVE-2021-1648) introduced by a previous patch in the GDI Print / Print Spooler API (“splwow64.exe”) that was disclosed by Google Project Zero last month after Microsoft failed to rectify it within 90 days of responsible disclosure on September 24.
Other vulnerabilities fixed by Microsoft include a memory corruption flaws in Microsoft Edge browser (CVE-2021-1705), a Windows Remote Desktop Protocol Core Security feature bypass flaw (CVE-2021-1674, CVSS score 8.8), and five critical RCE flaws in Remote Procedure Call Runtime.
To install the latest security updates, Windows users can head to Start > Settings > Update & Security > Windows Update, or by selecting Check for Windows updates.