Patch Analysis for February 2021

Welcome to this February Patch Monday Bulletin. This month there are patches from Adobe, Apple, Google, and Mozilla. Adobe Acrobat/Reader and Google Chrome both updated actively exploited vulnerabilities and should be top priority this month. CVE-2021-21017 is an arbitrary code execution vulnerability that has been observed exploiting Adobe Acrobat/Reader. This is the first Critical Priority 1 vulnerability in recent months and should be the top priority this month. CVE-2021-21148 is a heap buffer overflow in google chrome that has exploits reported in the wild. Adobe rated the Magento update as a Critical Priority 2 update and should be the next priority due to Magento being a popular target for attackers. Follow up with updates to Mozilla Firefox since it has been a popular target in the past. Review the environment for the presence of iCloud, Thunderbird, and the remaining Adobe products and assess whether patches should be applied.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia which documents all of the Security Log event ID’s for Windows Server OS’s. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and useable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of non-MS patches this month.

Patch data provided by:
Identifier	Vendor/Product	Product Version Affected	Date Released by Vendor	Vulnerability Info	Vendor Severity / Our Recommendation
CVE-2021-21055	Adobe Dreamweaver	20.2, 21.0	2/9/2021	Information Disclosure	Important Priority 3: Update at admin’s discretion
Multiple CVE’s	Adobe Illustrator	25.1 and earlier	2/9/2021	Arbitrary Code Execution	Critical Priority 3: Update at admin’s discretion
CVE-2021-21052	Adobe Animate	21.0.2 and earlier	2/9/2021	Arbitrary Code Execution	Critical Priority 3: Update at admin’s discretion
Multiple CVE’s	Adobe Photoshop	21.2.4 and earlier 22.1.1 and earlier	2/9/2021	Arbitrary Code Execution	Critical Priority 3: Update at admin’s discretion
Multiple CVE’s	Magento	Commerce/ Open Source 2.4.1 and earlier 2.4.0 and earlier 2.3.6 and earlier	2/9/2021	Arbitrary Code Execution, Unauthorized Access	Critical Priority 2: Update within 30 days
Multiple CVE’s	Adobe Acrobat/Reader	Continuous 2020.013.20074 and earlier Classic 2020 2020.001.30018 and earlier Classic 2017 2017.011.30188 and earlier	2/9/2021	Denial of Service, Arbitrary Code Execution, Privilege Escalation, Information Disclosure	Critical Priority 1: Update within 72 hours
Multiple CVE’s	Apple iCloud for Windows	Before 12.0	1/26/2021	Arbitrary Code Execution	Update after testing
Multiple CVE’s	Google Chrome	Windows before 88.0.4324.190 Mac before 88.0.4324.192 Linux before 88.0.4324.182	1/22/2021	Use After Free, Heap Overflow, Stack Overflow	Update after testing
Multiple CVE’s	Mozilla Firefox	Before 85.0.1/ESR 78.7.1	2/5/2021	Information Disclosure, Denial of Service	Update after testing
Multiple CVE’s	Mozilla Thunderbird	Before 78.7	1/26/2021	Information Disclosure, Denial of Service	Update after testing

Receive Randy's same-day, independent analysis each Patch Tuesday

"Thank you. I am very glad I subscribed to this newsletter. Relevant content clearly and concisely. Finally!!!"

- John K.

"I really like the Fast Facts on this Month's Microsoft Security Bulletins. Do you keep old copies? If yes, please let me know how I can access them?"

-Susan D.

"Thanks, Randy. Your regular updates have streamlined my monthly patching. Much appreciated,"

- Steve T.

"Really appreciate your patch observor. In the corporate IT world, anything we can get our hands on that speeds the process of analyzing threats and how they may or may not apply to our environments is a God-send. Thanks so much for your efforts."

- Tess G.

"Many thanks for this Randy"

- Roger G.

"The chart is a REAAALLY good idea :)"

- Phil J.

"I like the table. Your insight is very valuable. "

Tom C.

"I liked your high level overview of patches in the table. There are so many sources of patch information which can be very specific or surrounded by other stuff that it’s refreshing to get everything summarised like this. The "Randy’s Recommendation" comment is useful starting point too. Please keep up the good work."

- David A.

"Your Patch Observer is a very good tool in making the decision whether to patch or not to patch. And also to patch asap or to wait a while before patching. Also I do think the use of the table is realy improving the readability of the provided information."

- Gerard T.

Upcoming Webinars

Hacking the Endpoint From Zero to Full Domain Administrator Using a Crylock Ransomware and Exfiltration Attack Walkthrough

Additional Resources

User name:
Password:
	/ Forgot?
	Register

March 2021 Patch Monday	"Patch Monday: Two Chrome Zero-Days Updated " - sponsored by LOGbinder

Follow @randyfsmith

Home

Follow @randyfsmith

About | Newsletter | Contact

Ultimate Windows Security is a division of Monterey Technology Group, Inc. ©2006-2021 Monterey Technology Group, Inc. All rights reserved.
Disclaimer: We do our best to provide quality information and expert commentary but use all information at your own risk. For complaints, please contact abuse@ultimatewindowssecurity.com.