Patch Tuesday – March 2021

Microsoft released patches to fix 82 security bugs in Windows and other software this month. There are critical bugs in IE, Exchange Server, and Windows Server DNS.

Windows and Windows Server

Windows gets two patches for critical remote code execution (RCE) flaws. CVE-2021-26876 is a vulnerability in OpenType font parsing and CVE-2021-26867 is a flaw in the Hyper-V client which could be used to run code on a Hyper-V server.

A patch is issued for CVE-2021-26411, which is a memory corruption vulnerability in Edge-HTML and Internet Explorer. It is being actively exploited and lets hackers run arbitrary code when users view a malicious website. It’s likely that proof-of-concept code will be published for the exploit soon, so Microsoft is advising customers that rely on IE and Edge-HTML to patch their systems as soon as possible. There are also three critical RCE flaws for the HVEC video extensions in this month’s updates.

Microsoft released 5 patches for Windows Server DNS. The bugs affect Windows Server 2008 through to Windows Server 2019. CVE-2021-26897 is the only one rated critical. Microsoft says that all the DNS bugs are less likely to be exploited when Secure Zone Update are used, but that this is still not a full mitigation. Additionally, the bugs can affect any DNS server, not just those integrated with Active Directory.

Exchange, SQL, and SharePoint Server

Microsoft released 7 out-of-band patches for Exchange Server earlier this month; 4 of them zero-days. Microsoft said that the flaws were used in limited targeted attacks and urged customers to apply the updates as quickly as possible. The vulnerabilities affect Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019.

A blog post dated March 2nd, warned that a state-sponsored threat actor, which Microsoft calls Hafnium, comes from China and is highly skilled and sophisticated. The blog was the first time Microsoft has discussed the threat actor, but it has been operating for some time against targets in the US including infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks and NGOs.

Microsoft has identified recent attacks where Hafnium uses zero-day exploits to target Exchange Server. The four zero-days flaws are a server-side request forgery (SSRF) vulnerability, an insecure deserialization vulnerability in the Unified Messaging service, and two post-authentication arbitrary file write vulnerabilities.

The flaws are used to gain initial access to Exchange, from where web shells are deployed to steal data and further compromise infected servers. For more information on the technical nature of these flaws, attack details, indicators of compromise (IOCs), and more, check out Microsoft’s website here. Microsoft has also updated Microsoft Defender Antivirus, Microsoft Defender for Endpoint, and Azure Sentinel detections to protect against these latest attacks.

Microsoft released a patch for SharePoint Server that fixes a RCE vulnerability (CVE-2021-27076). It can be exploited across the network, allowing an attacker to create a site and execute code remotely in the Windows kernel. The bug was identified with the help of Trend Micro’s Zero Day Initiative.

Microsoft Office

Microsoft Office Apps for Enterprise get 7 patches this month. All of them are rated important and they are RCEs, apart from one which is a patch for a security feature bypass vulnerability.

Adobe software

Adobe released three fixes for 8 CVEs in Adobe Connect, Creative Cloud Desktop, and Framemaker.

And that is it for another month!