ALERT: Apply critical patches for Microsoft products

Wednesday, February 10, 2021

This information was sent to U-M IT staff groups via email February 10, 2021. It is intended for U-M IT employees who are responsible for university devices or servers running Microsoft products. It is also intended for individuals who use Microsoft products and services on their own computers or devices.

Summary

Multiple vulnerabilities have been discovered in Microsoft products and services, the most severe of which could allow for remote code execution. Exploits have been seen in the wild for CVE-2021-1732. Apply appropriate updates provided by Microsoft to vulnerable software and systems as soon as possible after appropriate testing.

Problem

Successful exploitation of the most severe of the vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Affected Systems

A significant number of Microsoft products and services are impacted by the vulnerabilities, including Windows Defender, Edge for Android, Exchange Server, Office Excel, Skype for Business, Windows Address Book, Windows 10, Windows Server 2016 and later, and many more. See Microsoft’s February 2021 Security Updates for the full list.

Action Items

  • Apply updates provided by Microsoft as soon as possible after appropriate testing. Microsoft’s updates released on February 9 include fixes for one zero-day vulnerability and 56 other vulnerabilities (with 11 classified as critical).
  • For the list of affected products, FAQs, mitigations, and workarounds, see Microsoft’s February 2021 Security Updates.
  • The need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Threats

  • The Windows Elevation of Privilege Vulnerability (CVE-2021-1732) in Win32k, a core component of the Windows operating system, is being exploited in the wild and allows an attacker or malicious program to elevate to administrative privileges.
  • There is a publicly available proof of concept for exploitation of the Package Managers Configurations Remote Code Execution Vulnerability (CVE-2021-24105).
  • Several vulnerabilities in the Windows TCP/IP stack could allow attackers to take over Windows systems remotely or could be used to crash Windows devices (CVE-2021-24074, CVE-2021-24094, and CVE-2021-24086).

Technical Details

Links to CVEs with technical detail are included in Microsoft’s February 2021 Security Updates.

How We Protect U-M

  • ITS IA works closely with others in Information Technology Services (ITS) and U-M units to ensure timely patching of systems. MiWorkspace, MiServer, and other ITS-managed systems and devices are updated as soon as possible after appropriate testing.
  • ITS IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation.
  • ITS IA provides vulnerability management guidance to the university.

Information for Users

If you have any Microsoft products installed on your own devices or computers that are not managed by the university, apply the updates as soon as possible. It is best to set Windows to update automatically.

In general, the best protection for your devices is this: keep your software and apps up to date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Phishing & Suspicious Email, Secure Your Devices, and Secure Your Internet Connection on the U-M Safe Computing website.

Questions, Concerns, Reports

Please contact info-assurance@umich.edu.