Microsoft published updates for 83 vulnerabilities in Windows, browsers and Office this January. 10 of the 83 are rated critical.

The most critical of the patched vulnerabilities is CVE-2021-1647. Exploiting it allows an attacker to execute malicious code, and Microsoft warns that it has already been exploited. CVE-2021-1647 has a CVSS score of 7.8.

There is also a longer list of critical vulnerabilities with a CVSS score of 8.8, but no exploitation of any of these has been reported: CVE-2021-1660, CVE-2021-1666, CVE-2021-1667, CVE-2021-1658 and CVE-2021-1673.

CVE-2021-1648 was publicly disclosed in December and was previously tracked as CVE-2020-17008. Microsoft had planned to patch CVE-2021-1648 in late 2020, but because of issues found in testing the release was postponed to January. CVE-2021-1648 is rated 7.8.

The impact and scoring of these and other vulnerabilities can be explored with the Common Vulnerability Scoring System (CVSS) calculator. Microsoft links the CVSS calculator (maintained by the National Vulnerability Database) for every vulnerability in its advisories. More detailed information on the vulnerabilities is available in Microsoft’s MSRC portal.

Operating system                                                   | Known issues (last month)
-------------------------------------------------------------------|--------------------------
Windows 10, version 20H2 and Windows Server, version 20H2          | 2 (2)
Windows 10, version 2004 and Windows Server, version 2004          | 2 (2)
Windows 10, version 1909 and 1903* and Windows Server, version 1903 | 1 (1)
Windows 10, version 1809 and Windows Server 2019                   | 0 (1)
Windows 10, version 1803**                                         | 0 (0)
Windows 10, version 1709** and Windows Server, version 1709        | 1 (1)
Windows 10, version 1703***                                        | Reached end of service
Windows 10, version 1607 LTSC*** and Windows Server 2016           | 1 (1)
Windows 8.1**** and Windows Server 2012 R2                         | 1 (1)
Windows Server 2012                                                | 1 (1)
Windows 7**** and Windows Server 2008 R2 SP1                       | 2 (2)

* 1909 shares the same core and system files with the predecessor 1903.

** Support for this feature update has ended for the Home and Pro editions.

*** Support for this feature update has ended for all editions.

**** Mainstream support for the operating system has ended: Windows 8.1 on 1/10/2023 and Windows 7 on 1/14/2020.

We recommend prioritizing the Defender vulnerability, even though it should be updated automatically. The vulnerability is fixed in Microsoft Protection Engine version 1.1.17700.4.

Note that Adobe Flash Player is no longer updated after 31.12.2020, and you should remove all Flash Player installations from your environment. A vulnerability found in Adobe Flash Player after the EoL date will not necessarily be patched. You can read more on our blog.

Microsoft maintains a list of Windows updates and their known issues on the following pages.

With Centero Software Manager Cloud and CSM Cloud for Servers you can deploy these updates into your environment, including remote computers, according to the configuration you have defined.
