Microsoft has released fixes for 83 vulnerabilities, with ten updates classified as Critical and 73 as Important.
Windows 10 Updates for January 2021:
- KB4598242 (OS Builds 19041.746 and 19042.746) for Windows 10 version 20H2/2004
- KB4598229 (OS Build 18363.1316) for Windows 10, version 1909
- KB4598230 (OS Build 17763.1697) for Windows 10 version 1809
- KB4598245 (OS Build 17134.1967) for Windows 10 version 1803
- KB4599208 (OS Build 15063.2614) for Windows 10 version 1703
- KB4598243 (OS Build 14393.4169) for Windows 10 version 1607
- KB4598231 (OS Build 10240.18818) for Windows 10, initial release
Additional January 2021 Patching Resources:
- MSRC – January 2021 Security Updates
- MSRC Japan
- Advisory ADV990001 for the latest service stack update (SSU)
- Advisory ADV200002 for Chromium Security Update for Microsoft Edge
- Windows PsExec zero-day vulnerability patch
- Adobe Security patches
- Cisco Security patches
- Apple Security patches
- Scan Changes and certificates add security for Windows devices using WSUS for updates
- CISA Remote Vulnerability and Patch Management guide
- Printer RPC binding changes for CVE-2021-1678
- Netlogon Domain Controller Enforcement Mode enabled by default on February 9, 2021
- Security Update for Secure Boot DBX
- Zero Day Initiative blog
- Oracle Critical Patch Update for January 2021
On January 12, 2021 (Pacific Time), Microsoft released security updates affecting the following Microsoft products:
| Product Family | Maximum Severity | Maximum Impact | Associated KB Articles and/or Support Webpages |
| Windows 10 v20H2, v2004, v1909, v1809, and v1803 | Critical | Remote Code Execution | Windows 10 v2004 and Windows 10 v20H2: 4598242 Windows 10 v1909: 4598229 Windows 10 v1809: 4598230 Windows 10 v1803: 4598245 |
| Windows Server 2019, Windows Server 2016, and Server Core installations (2019, 2016, v20H2, v2004, v1909) | Critical | Remote Code Execution | Windows Server 2019: 4598230 Windows Server 2016: 4598243 Windows Server v2004 and Windows Server v20H2: 4598242 Windows Server v1909: 4598229 |
| Windows 8.1, Windows Server 2012 R2, and Windows Server 2012 | Critical | Remote Code Execution | Windows 8.1 and Windows Server 2012 R2 Monthly Rollup: 4598285 Windows 8.1 and Windows Server 2012 R2 Security Only: 4598275 Windows Server 2012 Monthly Rollup: 4598278 Windows Server 2012 Security Only: 4598297 |
| Microsoft Office-related software | Important | Remote Code Execution | KB Articles associated with Microsoft Office-related software: 4493156, 4486736, 4486755, 4486759, 4486762, 4486764, 4493142, 4493143, 4493145, 4493160, 4493165, 4493168, 4493171, 4493176, 4493181, 4493183, and 4493186 |
| Microsoft SharePoint-related software | Important | Remote Code Execution | KB Articles associated with Microsoft SharePoint-related software: 4486683, 4486724, 4493161, 4493162, 4493163, 4493167, 4493175, 4493178, and 4493187 |
| Microsoft .NET-related software | Important | Denial of Service | Find details on security updates for .NET Framework-related software in the Security Update Guide: https://msrc.microsoft.com/update-guide |
| Microsoft SQL Server-related software | Important | Elevation of Privilege | KB Articles associated with Microsoft SQL Server-related software: 4583456, 4583457, 4583458, 4583459, 4583460, 4583461, 4583462, 4583463, and 4583465 |
| Microsoft Visual Studio-related software | Important | Remote Code Execution | KB Articles associated with Microsoft Visual Studio-related software: 4584787 |
| Microsoft Malware Protection Engine | Critical | Remote Code Execution | Find details for security updates for the Microsoft Malware Protection Engine in the Security Update Guide: https://msrc.microsoft.com/update-guide |
Notes:
- The summary above is an overview of updates for the most recent versions of commonly used software.
- Updates for older versions, apps, and open source software may not be listed.
- Updates may have been added or removed from the release after this content was finalized.
- Find details for all updates in the monthly release in the Security Update Guide: https://msrc.microsoft.com/update-guide
- For additional details, see the release notes at: https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan
Security vulnerability overview:
Below is a summary showing the number of vulnerabilities addressed in this release, broken down by product/component and by impact.
| Vulnerability Details | RCE | EOP | ID | SFB | DOS | SPF | TMP | Publicly Disclosed | Known Exploit | Max CVSS |
| Windows 10 v20H2 & Windows Server v20H2 | 13 | 31 | 10 | 6 | 2 | 0 | 0 | 1 | 0 | 8.8 |
| Windows 10 v2004 & Windows Server v2004 | 13 | 31 | 10 | 6 | 2 | 0 | 0 | 1 | 0 | 8.8 |
| Windows 10 v1909 & Windows Server v1909 | 13 | 30 | 8 | 6 | 2 | 0 | 0 | 1 | 0 | 8.8 |
| Windows 10 v1809 & Windows Server 2019 | 13 | 30 | 8 | 6 | 1 | 0 | 0 | 1 | 0 | 8.8 |
| Windows 10 v1803 | 13 | 30 | 7 | 6 | 1 | 0 | 0 | 1 | 0 | 8.8 |
| Windows Server 2016 | 13 | 27 | 7 | 5 | 2 | 0 | 0 | 1 | 0 | 8.8 |
| Windows 8.1 & Server 2012 R2 | 13 | 17 | 6 | 4 | 2 | 0 | 0 | 1 | 0 | 8.8 |
| Windows Server 2012 | 13 | 17 | 5 | 2 | 1 | 0 | 0 | 1 | 0 | 8.8 |
| Microsoft Office-related software | 5 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 7.8 |
| Microsoft SharePoint-related software | 4 | 2 | 0 | 0 | 0 | 2 | 1 | 0 | 0 | 8.8 |
| Microsoft SQL Server-related software | 0 | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 8.8 |
| Microsoft Visual Studio-related software | 1 | 2 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 7.8 |
| Microsoft .NET-related software | 0 | 0 | 0 | 0 | 1 | 0 | 0 | 0 | 0 | 7.5 |
| Microsoft Malware Protection Engine | 1 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 1 | 7.8 |
| RCE = Remote Code Execution | EOP = Elevation of Privilege | ID = Information Disclosure | SFB = Security Feature Bypass | DOS = Denial of Service | SPF = Spoofing | TMP = Tampering |
Notes:
- Vulnerabilities that overlap components may be represented more than once in the table.
- The summary above is an overview of updates for commonly used software. Updates for older versions, apps, and open source software may not be listed.
- Updates may have been added or removed from the release after this content was finalized.
- Find details for all updates in the monthly release in the Security Update Guide: https://msrc.microsoft.com/update-guide
- For additional details, see the release notes at: https://msrc.microsoft.com/update-guide/releaseNote/2021-Jan
Resources for deploying updates to remote devices:
With so many people working remotely, it is a good time to review guidance on deploying security updates to remote devices, such as desktops, laptops, and tablets. Here are some resources to answer questions pertaining to deploying updates to remote devices.
Part 1: Helping businesses rapidly set up to work securely from personal PCs and mobiles
Part 2: Helping IT send and provision business PCs at home to work securely during COVID-19
Part 3: Manage work devices at home during Covid-19 using Configuration Manager
Part 4: Managing remote machines with cloud management gateway (CMG)
Part 5: Managing Patch Tuesday with Configuration Manager in a remote work world
See also:
Mastering Configuration Manager Bandwidth limitations for VPN connected Clients
Vulnerability details for the current month:
Below are summaries for some of the security vulnerabilities in this release. These specific vulnerabilities were selected from the larger set of vulnerabilities in the release for one or more of the following reasons: 1) We received inquiries regarding the vulnerability; 2) the vulnerability may have received attention in the trade press; or 3) the vulnerability is potentially more impactful than others in the release. Because we do not provide summaries for every vulnerability in the release, you should review the content in the Security Update Guide for information not provided in these summaries.
Notes on details in the vulnerability summaries:
| Attack Vector | This metric reflects the context by which vulnerability exploitation is possible. The Base Score increases the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable component. |
| Attack Complexity | This metric describes the conditions beyond the attacker’s control that must exist in order to exploit the vulnerability. Such conditions may require the collection of more information about the target or computational exceptions. The assessment of this metric excludes any requirements for user interaction in order to exploit the vulnerability. If a specific configuration is required for an attack to succeed, the Base metrics should be scored assuming the vulnerable component is in that configuration. |
| Privileges Required | This metric describes the level of privileges an attacker must possess before successfully exploiting the vulnerability. |
| User Interaction | This metric captures the requirement for a user, other than the attacker, to participate in the successful compromise the vulnerable component. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner. |
| CVE-2021-1674 | Windows Remote Desktop Protocol Core Security Feature Bypass Vulnerability |
| Impact | Security Feature Bypass |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1674 |
| CVE-2021-1673 | Remote Procedure Call Runtime Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1673 |
| CVE-2021-1643 | HEVC Video Extensions Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | HEVC Video Extensions |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1643 |
| CVE-2021-1648 | Microsoft splwow64 Elevation of Privilege Vulnerability |
| Impact | Elevation of Privilege |
| Severity | Important |
| Publicly Disclosed? | Yes |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1648 |
| CVE-2021-1665 | GDI+ Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | All supported versions of Windows |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1665 |
| CVE-2021-1705 | Microsoft Edge (HTML-based) Memory Corruption Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 4.2 |
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | Low |
| Integrity | Low |
| Availability | None |
| Affected Software | Microsoft Edge (EdgeHTML-based) |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1705 |
| CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation more likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft SharePoint Foundation 2013, SharePoint Foundation 2010, SharePoint Server 2019, and SharePoint Enterprise Server 2016 |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1707 |
| CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft Excel 365 Apps for Enterprise, Excel Services, Excel 2010, Excel 2013, Excel 2016, Office 2010, Office 2013, Office 2016, Office 2019, Office 2019 for Mac, Office Online Server, Office Web Apps Server 2013, and Office SharePoint Enterprise Server 2013. |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1714 |
| CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft Excel 365 Apps for Enterprise, Word 2010, Word 2013, Word 2016, Office 2010, Office 2019, Office 2019 for Mac, Office Online Server, Office Web Apps 2010, Office Web Apps Server 2013, Office SharePoint Enterprise Server 2013, SharePoint Enterprise Server 2016, SharePoint Server 2010, and SharePoint Server 2019 |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1715 |
| CVE-2021-1636 | Microsoft SQL Elevation of Privilege Vulnerability |
| Impact | Elevation of Privilege |
| Severity | Important |
| Publicly Disclosed? | No |
| Known Exploits? | No |
| Exploitability | Exploitation less likely |
| CVSS Base Score | 8.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft SQL Server 2012, SQL Server 2014, SQL Server 2016, SQL Server 2017, and SQL Server 2019 |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1636 |
| CVE-2021-1647 | Microsoft Defender Remote Code Execution Vulnerability |
| Impact | Remote Code Execution |
| Severity | Critical |
| Publicly Disclosed? | No |
| Known Exploits? | Yes |
| Exploitability | Exploitation detected |
| CVSS Base Score | 7.8 |
| Attack Vector | Local |
| Attack Complexity | Low |
| Privileges Required | Low |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
| Affected Software | Microsoft Security Essentials, System Center 2012 R2, System Center Endpoint Protection, Windows Defender |
| More Information | https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-1647 |
Disclosure: Source for the info below:
List of patched Office security vulnerabilities
Office security updates published as part of the January 2021 Patch Tuesday address bugs exposing Windows systems running vulnerable Click to Run and Microsoft Installer (.msi)-based editions of Microsoft Office products to remote code execution (RCE) attacks.
Microsoft rated the six RCE bugs patched this month as Important severity issues since they could enable attackers to execute arbitrary code in the context of the currently logged-in user.
| Tag | CVE ID | CVE Title | Severity |
| Microsoft Office | CVE-2021-1713 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1714 | Microsoft Excel Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1711 | Microsoft Office Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1715 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office | CVE-2021-1716 | Microsoft Word Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1712 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1707 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1718 | Microsoft SharePoint Server Tampering Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1717 | Microsoft SharePoint Spoofing Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1719 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important |
| Microsoft Office SharePoint | CVE-2021-1641 | Microsoft SharePoint Spoofing Vulnerability | Important |
January 2021 Microsoft Office security updates
Microsoft Office security updates are delivered through the Microsoft Update platform and via the Download Center.
Further information about each of them is available within the knowledge base articles linked below.
To download the January 2021 Microsoft Office security updates, you have to click on the corresponding knowledge base article below and then scroll down to the ‘How to download and install the update‘ section.
Microsoft Office 2016
| Product | Knowledge Base article title and number |
| Excel 2016 | Security update for Excel 2016 (KB4493165) |
| Office 2016 | Security update for Office 2016 (KB4493168) |
| Office 2016 | Security update for Office 2016 (KB4486755) |
| Word 2016 | Security update for Word 2016 (KB4493156) |
Microsoft Office 2013
| Product | Knowledge Base article title and number |
| Excel 2013 | Security update for Excel 2013 (KB4493176) |
| Office 2013 | Security update for Office 2013 (KB4486762) |
| Office 2013 | Security update for Office 2013 (KB4486759) |
| Word 2013 | Security update for Word 2013 (KB4486764) |
Microsoft Office 2010
| Product | Knowledge Base article title and number |
| Excel 2010 | Security update for Excel 2010 (KB4493186) |
| Office 2010 | Security update for Office 2010 (KB4493143) |
| Office 2010 | Security update for Office 2010 (KB4493142) |
| Office 2010 | Security update for Office 2010 (KB4493181) |
| Word 2010 | Security update for Word 2010 (KB4493145) |
Microsoft SharePoint Server 2019
| Product | Knowledge Base article title and number |
| Office Online Server | Security update for Office Online Server (KB4493160) |
| SharePoint Server 2019 | Security update for SharePoint Server 2019 (KB4493162) |
| SharePoint Server 2019 Language Pack | Security update for SharePoint Server 2019 Language Pack (KB4493161) |
Microsoft SharePoint Server 2016
| Product | Knowledge Base article title and number |
| SharePoint Enterprise Server 2016 | Security update for SharePoint Enterprise Server 2016 (KB4493163) |
| SharePoint Enterprise Server 2016 | Security update for SharePoint Enterprise Server 2016 (KB4493167) |
Microsoft SharePoint Server 2013
| Product | Knowledge Base article title and number |
| Office Web Apps Server 2013 | Security update for Office Web Apps Server 2013 (KB4493171) |
| Project Server 2013 | Cumulative update for Project Server 2013 (KB4493173) |
| SharePoint Enterprise Server 2013 | Security update for SharePoint Enterprise Server 2013 (KB4486724) |
| SharePoint Enterprise Server 2013 | Security update for SharePoint Enterprise Server 2013 (KB4486683) |
| SharePoint Enterprise Server 2013 | Cumulative update for SharePoint Enterprise Server 2013 (KB4493150) |
| SharePoint Foundation 2013 | Security update for SharePoint Foundation 2013 (KB4493175) |
| SharePoint Foundation 2013 | Cumulative update for SharePoint Foundation 2013 (KB4493172) |
Microsoft SharePoint Server 2010
| Product | Knowledge Base article title and number |
| Project Server 2010 | Cumulative update for Project Server 2010 (KB4493182) |
| SharePoint Foundation 2010 | Security update for SharePoint Foundation 2010 (KB4493187) |
| SharePoint Server 2010 | Security update for SharePoint Server 2010 (KB4493178) |
| SharePoint Server 2010 | Security update for SharePoint Server 2010 (KB4486736) |
| SharePoint Server 2010 | Cumulative update for SharePoint Server 2010 (KB4493184) |
| SharePoint Server 2010 Office Web Apps | Security update for SharePoint Server 2010 Office Web Apps (KB4493183) |
