February, 2021: Patch Monday: 2 CVE's Exploited in the Wild

Welcome to this February Patch Monday Bulletin. This month there are patches from Adobe, Apple, Google, and Mozilla. Adobe Acrobat/Reader and Google Chrome both updated actively exploited vulnerabilities and should be top priority this month. CVE-2021-21017 is an arbitrary code execution vulnerability that has been observed exploiting Adobe Acrobat/Reader. This is the first Critical Priority 1 vulnerability in recent months and should be the top priority this month. CVE-2021-21148 is a heap buffer overflow in google chrome that has exploits reported in the wild. Adobe rated the Magento update as a Critical Priority 2 update and should be the next priority due to Magento being a popular target for attackers. Follow up with updates to Mozilla Firefox since it has been a popular target in the past. Review the environment for the presence of iCloud, Thunderbird, and the remaining Adobe products and assess whether patches should be applied.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

Patch data provided by:

Identifier

Vendor/Product

Product Version Affected

Date Released by Vendor

Vulnerability Info

Vendor
Severity / Our Recommendation

CVE-2021-21055

Adobe Dreamweaver

20.2, 21.0

2/9/2021

Information Disclosure

Important Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe Illustrator

25.1 and earlier

2/9/2021

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

CVE-2021-21052

Adobe Animate

21.0.2 and earlier

2/9/2021

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Adobe Photoshop

21.2.4 and earlier

22.1.1 and earlier

2/9/2021

Arbitrary Code Execution

Critical Priority 3: Update at admin’s discretion

Multiple CVE’s

Magento

Commerce/ Open Source

2.4.1 and earlier

2.4.0 and earlier

2.3.6 and earlier

2/9/2021

Arbitrary Code Execution, Unauthorized Access

Critical Priority 2: Update within 30 days

Multiple CVE’s

Adobe Acrobat/Reader

Continuous 2020.013.20074 and earlier

Classic 2020 2020.001.30018 and earlier

Classic 2017 2017.011.30188 and earlier

2/9/2021

Denial of Service, Arbitrary Code Execution, Privilege Escalation, Information Disclosure

Critical Priority 1: Update within 72 hours

Multiple CVE’s

Apple iCloud for Windows

Before 12.0

1/26/2021

Arbitrary Code Execution

Update after testing

Multiple CVE’s

Google Chrome

Windows before 88.0.4324.190

Mac before 88.0.4324.192

Linux before 88.0.4324.182

1/22/2021

Use After Free, Heap Overflow, Stack Overflow

Update after testing

Multiple CVE’s

Mozilla Firefox

Before 85.0.1/ESR 78.7.1

2/5/2021

Information Disclosure, Denial of Service

Update after testing

Multiple CVE’s

Mozilla Thunderbird

Before 78.7

1/26/2021

Information Disclosure, Denial of Service

Update after testing