Microsoft выпустил январские обновления безопасности
Microsoft выпустил январские обновления безопасности
Microsoft выпустила первые в новом году обновления безопасности, закрывающие 83 уязвимости, 10 из которых классифицированы как Критические.
На следующие уязвимости и обновления безопасности следует обратить особое внимание:
Windows
| CVE-2021-1674 | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability |
| Impact | Security Feature Bypass |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1674 |
| CVE-2021-1673 | Remote Procedure Call Runtime Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1673 |
| CVE-2021-1643 | HEVC Video Extensions Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | HEVC Video Extensions |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1643 |
| CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability |
| Impact | Elevation of Privilege |
| Severity | Important |
| Publicly Disclosed? | Yes |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1648 |
| CVE-2021-1665 | GDI+ Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1665 |
Microsoft Browsers
| CVE-2021-1705 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 4.2 |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
| Affected Software | Microsoft Edge (EdgeHTML-based) |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1705 |
Microsoft Office
| CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft Excel 365 Apps for Enterprise, Word 2010, Word 2013, Word 2016, Office 2010, Office 2019, Office 2019 for Mac, Office Online Server, Office Web Apps 2010, Office Web Apps Server 2013, Office SharePoint Enterprise Server 2013, SharePoint Enterprise Server 2016, SharePoint Server 2010, and SharePoint Server 2019 |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1715 |
| CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft Excel 365 Apps for Enterprise, Excel Services, Excel 2010, Excel 2013, Excel 2016, Office 2010, Office 2013, Office 2016, Office 2019, Office 2019 for Mac, Office Online Server, Office Web Apps Server 2013, and Office SharePoint Enterprise Server 2013. |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1714 |
Microsoft SharePoint Server
| CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation more likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft SharePoint Foundation 2013, SharePoint Foundation 2010, SharePoint Server 2019, and SharePoint Enterprise Server 2016 |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1707 |
Microsoft SQL Server
| CVE-2021-1636 | Microsoft SQL Elevation of Privilege Vulnerability |
| Impact | Elevation of Privilege |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017, and SQL Server 2019 |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636 |
Microsoft Defender
| CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | Yes |
| Exploitability | Exploitation detected |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft Security Essentials, System Center 2012 R2, System Center Endpoint Protection, Windows Defender |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647 |
Рекомендации по безопасности
ADV990001 – Latest Servicing Stack Updates (SSU)
Обновления SSU были выпущены для следующих версий Windows:
- Windows 10 1809/Server 2019
- Windows 10 1909/Windows Server, version 1909
- Windows 10 2004/Windows Server, version 2004
- Windows 10 20H2/Windows Server, version 20H2
