With only 53 updates in the February Patch Tuesday collection released this week — and no updates for Microsoft browsers — you'd be forgiven for thinking we had another easy month (after a light December and January). Despite lower-than-average numbers for updates and patches, four vulnerabilities have been publicly disclosed and we are seeing a growing number of reports of exploits in the wild.

In short: this is a big, important update that will require immediate attention and a rapid response to testing and deployment.

For example, Microsoft has just released an out-of-band update to fix a Wi-Fi issue that is leading to Blue Screens of Death (BSODs). Somebody is going to run into trouble unless this gets fixed fast. We have included a helpful infographic that this month looks a little lopsided (again), as all of the attention should be on the Windows components.

Working with Microsoft, we developed a system that interrogates Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” matrix that helps drive our portfolio testing process. This month, our analysis of this Patch Tuesday release generated the following testing scenarios:

There are no high-risk functional changes expected this month, though we recommend the following testing regimes:

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms that are included in this update cycle. I have referenced a few key issues that relate to the latest builds from Microsoft, including:

You can also find Microsoft’s summary of Known Issues for this release in a single page.

This month, we have several major revisions to previous updates that may require your attention:

This month, Microsoft has published a number of complex and important mitigations and workarounds, especially for enterprise IT admins:

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

This month, Microsoft has not released any updates (yet again) to its in-house browsers. Instead we have benefitted from the Open Source Chromium team’s "early and often" release cycle with the following (multiple) updates since our last Patch Tuesday release:

All of these updates are well contained within the Chromium desktop libraries, and from our research we find it difficult to imagine they would affect other applications or cause compatibility issues. Add these updates to your standard release schedule.

This February update cycle for the Windows ecosystem brings nine updates rated critical, 18 moderate, and the rest rated as low by Microsoft. Unusually, four Windows updates this month have been publicly disclosed, though all are rated as important: CVE-2021-1733, CVE-2021-1727, CVE-2021-24098, and CVE-2021-24106. Quoting from Microsoft MSRC: "We believe attackers will be able to create DoS exploits much more quickly and expect all three issues might be exploited with a DoS attack shortly after release. Thus, we recommend customers move quickly to apply Windows security updates this month."

In addition to these already concerning disclosures, the following two vulnerabilities have been reported as exploited in the wild:

Though we only have nine updates rated as critical by Microsoft, they affect core areas within the Windows desktop, including:

The remaining feature groupings are affected by Microsoft's important updates.

Following the testing recommendations listed above, I would make this update a priority, noting that the testing cycle for these updates may require in-depth analysis, some hardware (printing) and remote users (testing across a VPN). Add these Windows updates to your "Test before Deploy" update release schedule.

Microsoft has released 11 updates, all rated as important, to the Microsoft Office and SharePoint platforms covering the following application or feature groupings:

SharePoint Known Issues: if your customized SharePoint pages use the SPWorkflowDataSource or FabricWorkflowInstanceProvider user control, some functions on those pages may not work. To resolve this issue, see KB 5000640. Add these updates to your regular Office update schedule.

Microsoft released eight updates to the Microsoft development platforms, two rated as critical and the remaining six rated as important. They affect the following platforms or applications:

Unfortunately, there have been a number of reports that the latest security roll-up update to .NET (for all supported versions) causes WPF applications to crash with the following error:

"Exception Info: System.NullReferenceException at System.Windows.Interop.HwndMouseInputProvider.HasCustomChrome(System.Windows.Interop.HwndSource, RECT ByRef)"
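One way to triage this crash across a fleet, as an added example that is not from the article or from Microsoft: it scans exported .NET Runtime crash event messages for the signature quoted above and lists which applications and hosts hit it. The (host, message) export format and all host and application names are constructed assumptions.

```python
import re
from collections import defaultdict

# Crash signature quoted in the article: a NullReferenceException whose top
# stack frame is HwndMouseInputProvider.HasCustomChrome. \s+ tolerates the
# frame being on the same line or on the line after the exception type.
SIGNATURE = re.compile(
    r"Exception Info:\s*System\.NullReferenceException\s+at\s+"
    r"System\.Windows\.Interop\.HwndMouseInputProvider\.HasCustomChrome\("
)
APP_LINE = re.compile(r"^Application:\s*(\S.*?)\s*$", re.MULTILINE)

# Constructed sample records (host, event message text); not real telemetry.
FRAME = ("System.Windows.Interop.HwndMouseInputProvider.HasCustomChrome("
         "System.Windows.Interop.HwndSource, RECT ByRef)")
SAMPLE_EVENTS = [
    # Multi-line layout: frame on the line after the exception type.
    ("PC-014", "Application: InvoiceDesk.exe\nFramework Version: v4.0.30319\n"
               f"Exception Info: System.NullReferenceException\n   at {FRAME}\n"),
    # Flattened layout, as quoted in the article.
    ("PC-022", "Application: InvoiceDesk.exe\n"
               f"Exception Info: System.NullReferenceException at {FRAME}"),
    # Same exception type, different faulting frame: must not match.
    ("PC-031", "Application: Planner.exe\nException Info: "
               "System.NullReferenceException\n   at Planner.MainWindow.OnLoaded()\n"),
    # Repeat crash on a known host, then a record with no Application line.
    ("PC-014", "Application: InvoiceDesk.exe\n"
               f"Exception Info: System.NullReferenceException at {FRAME}"),
    ("PC-040", f"Exception Info: System.NullReferenceException at {FRAME}"),
]


def affected_apps(events):
    """Map application name -> sorted hosts that logged the crash signature."""
    hits = defaultdict(set)
    for host, message in events:
        if not SIGNATURE.search(message):
            continue  # some other crash, not the one described in the article
        app = APP_LINE.search(message)
        hits[app.group(1) if app else "<unknown application>"].add(host)
    return {name: sorted(hosts) for name, hosts in hits.items()}


if __name__ == "__main__":
    for name, hosts in affected_apps(SAMPLE_EVENTS).items():
        print(f"{name}: {len(hosts)} host(s): {', '.join(hosts)}")
```

The per-application host list gives a scope for regression testing before deciding between the update and the workaround.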

Microsoft has published a workaround that avoids the crash, but this workaround re-introduces the vulnerability fixed by the update. Not good. The two critical Development tool updates (CVE-2021-24112 and CVE-2021-26701) both require local access, while the latter has already been reported as exploited in the wild. Though some of the Visual Studio (graphics libraries) vulnerabilities could result in relatively easy remote code execution (RCE) attacks, Microsoft has said these vulnerabilities do not apply to existing Windows libraries. These updates are to prevent future security issues in developed code.

Despite these future proofing efforts, there is enough concern in these publicly exploited vulnerabilities for a "Patch Now" recommendation.

This month Adobe released updates for Acrobat and Reader, Dreamweaver, Photoshop, Illustrator, Animate, and the CMS system Magento. I think that the focus for most enterprises should be on the security fixes for Adobe Reader with 23 updates, seven of which are rated as critical by Adobe.

Adobe has reported that one critical rated vulnerability (CVE-2021-21017) has been reported as exploited in the wild (on Windows desktops). This is a big update for Adobe Reader and may require some testing before deployment, which may cause headaches this release cycle as Adobe has recommended that this update be deployed within 72 hours of release.

Add the Adobe Reader updates to your "Patch Now" release schedule.
