With the January 2021 Patch Tuesday security updates release, Microsoft has released fixes for 83 vulnerabilities, with ten classified as Critical and 73 as Important.

There is also one zero-day and one previously disclosed vulnerabilities fixed as part of the January 2021 updates.

For information about the non-security Windows updates, you can read about today’s Windows 10 KB4598229 & KB4598242 cumulative updates.

Zero-day and publicly disclosed vulnerabilities fixed

Microsoft fixed both a zero-day and a publicly disclosed vulnerability as part of the January 2021 security updates.

Microsoft states that they have fixed a zero-day Microsoft Defender remote code execution vulnerability with a CVE of CVE-2021-1647.

This zero-day vulnerability is fixed in Microsoft Malware Protection Engine version 1.1.17700.4 or later, as shown below.

https://csirt.cy/wp-content/uploads/2021/01/microsoft-defender-version-300x212.jpg 300w, https://csirt.cy/wp-content/uploads/2021/01/microsoft-defender-version-768x542.jpg 768w" alt="" width="757" height="534" class="wp-image-7492 aligncenter" style="box-sizing: border-box; border: 0px; vertical-align: middle; clear: both; display: block; margin: 0px auto; height: auto; max-width: 100%; color: rgb(51, 51, 51); font-family: "Helvetica Neue", Helvetica, Arial, sans-serif; font-size: 14px; font-style: normal; font-variant-ligatures: normal; font-variant-caps: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: 2; word-spacing: 0px; -webkit-text-stroke-width: 0px; background-color: rgb(255, 255, 255); text-decoration-thickness: initial; text-decoration-style: initial; text-decoration-color: initial;" loading="lazy" />

Patched version of the Microsoft Defender Protection Engine

Microsoft also patched a publicly disclosed Microsoft splwow64 Elevation of Privilege vulnerability tracked as CVE-2021-1648. Google Project Zero previously disclosed this vulnerability in September 2020 under CVE-2020-0986.

Micropatch released for PsExec

This month, a free patch for privilege escalation vulnerability in Sysinternals PSExec utility was released by the 0patch service.

PsExec is a free Microsoft Sysinternals tool that allows system administrators to execute programs on remote systems. While it is not bundled with Windows, it is commonly utilized by admins and enterprise software to launch programs remotely, start updates, or perform other administrative tasks.

As it is a common program to found in enterprise environments, this vulnerability could allow attackers to elevate privileges.

Microsoft has not released an official patch for this vulnerability.

Recent updates from other companies

Other vendors who released updates in January include:

• Adobe released numerous fixes today for Photoshop, Illustrator, Animate, and more.
• Android’s January security updates were released last week.
• Apple released iOS 12.5.1 on January 11th.
• Cisco released security updates for the  Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software.
• SAP released its January 2021 security updates.

The January 2021 Patch Tuesday Security Updates

Below is the full list of resolved vulnerabilities and released advisories in the January 2021 Patch Tuesday updates.

The information contained in this website is for general information purposes only. The information is gathered from BLEEPING COMPUTER, while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.  Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them. Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.