Microsoft published updates for 83 vulnerabilities in Windows, its browsers and Office this January. 10 of the 83 are categorized as critical.

The most critical patched vulnerability is CVE-2021-1647. Exploiting it allows an attacker to execute malicious code, and Microsoft warns that it has already been exploited. CVE-2021-1647 is rated 7.8 on the CVSS scale.

There is also a long list of critical vulnerabilities with a CVSS score of 8.8, but none of them has been reported as exploited: CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1658 and CVE-2021-1673.

CVE-2021-1648 was publicly disclosed in December and was previously known as CVE-2020-17008. Microsoft had planned to patch it in late 2020, but due to issues found in testing the release was postponed to January. CVE-2021-1648 is rated 7.8.

The impact and scoring of these and other vulnerabilities can be explored with the Common Vulnerability Scoring System (CVSS) calculator. Microsoft links to the CVSS calculator (maintained by the National Vulnerability Database) in each of its vulnerability articles. More thorough information on the vulnerabilities can be found on Microsoft’s MSRC portal.

Operating system                                                      Known issues (last month)
Windows 10, version 20H2 and Windows Server, version 20H2             2 (2)
Windows 10, version 2004 and Windows Server, version 2004             2 (2)
Windows 10, version 1909 and 1903* and Windows Server, version 1903   1 (1)
Windows 10, version 1809 and Windows Server 2019                      0 (1)
Windows 10, version 1803**                                            0 (0)
Windows 10, version 1709** and Windows Server, version 1709           1 (1)
Windows 10, version 1703***                                           Reached end of service
Windows 10, version 1607 LTSC*** and Windows Server 2016              1 (1)
Windows 8.1**** and Windows Server 2012 R2                            1 (1)
Windows Server 2012                                                   1 (1)
Windows 7**** and Windows Server 2008 R2 SP1                          2 (2)

* 1909 shares the same core and system files with its predecessor, 1903.

** Support for this feature update has ended for the Home and Pro editions.

*** Support for this feature update has ended for all editions.

**** Mainstream support for the operating system has ended: Windows 8.1 on 1/10/2023 and Windows 7 on 1/14/2020.

We recommend prioritizing the Defender vulnerability, even though the Defender engine should update automatically. The vulnerability is fixed in Microsoft Protection Engine version 1.1.17700.4.
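As an added example (not part of the original post), the following PowerShell check reads the local Defender engine version and compares it with the fixed version quoted above, optionally pulling an update when the engine is too old. The function name and output fields are our own, and it assumes the built-in Defender PowerShell module (Windows 10 / Windows Server 2016 and later) is available.

```powershell
# Added example, not from the original post: verify that the local Microsoft Defender
# engine is at or above the version the post names as fixing CVE-2021-1647.
$FixedEngineVersion = [version]'1.1.17700.4'   # fixed engine version quoted in the post

function Test-DefenderEngineFixed {
    [CmdletBinding()]
    param(
        [version]$MinimumVersion = $FixedEngineVersion,
        [switch]$Remediate        # pull the latest engine/definitions if the check fails
    )

    # Get-MpComputerStatus exposes the engine and definition versions Defender is running.
    $status = Get-MpComputerStatus -ErrorAction Stop

    # AMEngineVersion may be empty when Defender is not the active AV; treat that as 0.0.
    $raw    = $status.AMEngineVersion
    $engine = if ([string]::IsNullOrEmpty($raw)) { [version]'0.0' } else { [version]$raw }

    if ($engine -lt $MinimumVersion -and $Remediate) {
        # The engine is delivered together with definition updates, so a signature
        # update also brings the engine forward. Re-read the status afterwards.
        Update-MpSignature -ErrorAction Stop
        $status = Get-MpComputerStatus -ErrorAction Stop
        $engine = [version]$status.AMEngineVersion
    }

    [pscustomobject]@{
        ComputerName       = $env:COMPUTERNAME
        DefenderActive     = $status.AMServiceEnabled      # false => another AV is in charge
        EngineVersion      = $engine
        MinimumVersion     = $MinimumVersion
        EngineFixed        = ($engine -ge $MinimumVersion)
        SignatureVersion   = $status.AntivirusSignatureVersion
        SignatureAgeDays   = $status.AntivirusSignatureAge
        RealTimeProtection = $status.RealTimeProtectionEnabled
    }
}

# Report on this machine; add -Remediate to trigger an update when the engine is too old.
Test-DefenderEngineFixed | Format-List
```

If DefenderActive is false the engine version is not meaningful for this machine, because a third-party product is handling real-time protection.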

Note that Adobe Flash Player is no longer updated after 31.12.2020, and you should remove all Flash Player installations from your environment. Any vulnerability found in Adobe Flash Player after the EoL date will not necessarily be patched. You can read more on our blog.

Microsoft maintains a list of Windows updates and their known issues on the following pages.

With Centero Software Manager Cloud and CSM Cloud for Servers you can deploy these updates to your environment, including remote computers, according to the configuration you have defined.
