Microsoft today released 82 security fixes as part of its monthly Patch Tuesday rollout, which this month addresses 10 critical vulnerabilities and one Internet Explorer zero-day. This brings its March patch count to 89 after the release of emergency patches for seven CVEs last week.
The out-of-band Exchange patch released March 2 covers seven unique CVEs, four of which are under active attack. Organizations running on-premises Exchange Servers are advised to address the vulnerabilities as soon as possible, as attackers are continuing to scan for and exploit them.
Microsoft today pushed additional patches for older, unsupported versions of Exchange Server.
Today's Patch Tuesday release addresses vulnerabilities in Microsoft Windows, Azure and Azure DevOps, Azure Sphere, Internet Explorer, the Edge browser, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. One is both publicly known and under active attack.
That is CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that could let a successful attacker run code on a target system if a victim views a specially designed HTML file. This affects older versions such as Internet Explorer 11, and newer EdgeHTML-based versions.
"This kind of exploit would give the attacker the same operating system permissions as the user visiting the website," says Kevin Breen, director of cyber-threat research at Immersive Labs. "So, if you're browsing the Internet as a standard user, the attacker will get user level access to your file system and limited access to the operating system."
It's a reminder that employees should never browse the Web while logged in with admin privileges, he adds. If a victim is browsing the Internet as an admin, attackers could get "full unrestricted access" to the file system and operating system, Breen adds. Microsoft notes the attack to exploit this critical flaw is low in complexity and requires no privileges.
Worth noting is CVE-2021-26897, a critical remote code execution (RCE) vulnerability in Windows DNS Server. It's worth noting Microsoft patched five RCE flaws in DNS server this month; this is the only one rated Critical. This flaw is also rated as "exploitation more likely" by Microsoft, and requires no privileges and low attack complexity.
"These attacks are not limited to external attackers — they also become a target for attackers who may already be inside your network," Breen says. "An attacker gaining access to manipulate a DNS server within your organization can have a significant impact on your overall security."
Another CVE that draws attention to privileges is CVE-2021-27076, an RCE vulnerability in SharePoint Server. This is also categorized as "exploitation more likely" and indicates an attacker could exploit the server to gain code execution over the network. A successful attacker would need privileges to create or modify Sites in SharePoint, which authenticated users can do by default. It's a reminder that users who don't need specific privileges shouldn't have them.
Today's Critical patches also address two RCE flaws in Azure Sphere, both of which are unsigned code execution vulnerabilities. However, users likely won't need to take action because devices running Azure Sphere connected to the Internet get automatic updates, as Dustin Childs, with Trend Micro's Zero-Day Initiative, points out. These flaws are listed as CVE-2021-27074 and CVE-2021-27080.