Dark Reading | Threat Intelligence

3/9/2021 05:00 PM
Microsoft Patch Tuesday Fixes 82 CVEs, Internet Explorer Zero-Day

The monthly rollout follows last week's emergency Microsoft Exchange Server patch covering seven CVEs, four of which are under attack.

Microsoft today released 82 security fixes as part of its monthly Patch Tuesday rollout, which this month addresses 10 critical vulnerabilities and one Internet Explorer zero-day. This brings its March patch count to 89 after the release of emergency patches for seven CVEs last week. 

The out-of-band Exchange patch released March 2 covers seven unique CVEs, four of which are under active attack. Organizations running on-premises Exchange Servers are advised to address the vulnerabilities as soon as possible, as attackers are continuing to scan for and exploit them.

Microsoft today pushed additional patches for older, unsupported versions of Exchange Server.

Today's Patch Tuesday release addresses vulnerabilities in Microsoft Windows, Azure and Azure DevOps, Azure Sphere, Internet Explorer, the Edge browser, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. One is both publicly known and under active attack.

That is CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that could let an attacker run code on a target system if a victim views a specially crafted HTML file. It affects Internet Explorer 11 and the EdgeHTML-based version of Microsoft Edge.

"This kind of exploit would give the attacker the same operating system permissions as the user visiting the website," says Kevin Breen, director of cyber-threat research at Immersive Labs. "So, if you're browsing the Internet as a standard user, the attacker will get user level access to your file system and limited access to the operating system." 

It's a reminder that employees should never browse the Web while logged in with admin privileges, he adds: if the victim is browsing as an admin, the attacker gets "full unrestricted access" to the file system and operating system. Microsoft rates this critical flaw as low in attack complexity and requiring no privileges; the only thing the attacker needs is for the victim to open the malicious content.

Also worth noting is CVE-2021-26897, a critical remote code execution (RCE) vulnerability in Windows DNS Server. Microsoft patched five RCE flaws in DNS Server this month; this is the only one rated Critical. Microsoft also rates it "exploitation more likely," and it requires no privileges and low attack complexity, meaning any host that can reach the server over the network can attempt it.
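As an added example, not part of the article and not anything Microsoft ships: a PowerShell triage script that answers, for one Windows host, the two questions the preceding paragraphs raise: whether the session you are working from is elevated (the browsing-as-admin point above) and whether the DNS Server role is present and has received any update since the 9 March 2021 release. It assumes the DNS Server service is named "DNS" and uses Get-HotFix install dates as a heuristic, because the KB numbers for this release differ per Windows build and are not listed on this page.

```powershell
# Added example (not from the article or Microsoft): local triage after the
# March 2021 release. KB numbers are deliberately not hardcoded; the script
# reports the newest installed hotfix date and lets the admin compare it
# against the release date.

$PatchTuesday = Get-Date -Year 2021 -Month 3 -Day 9

function Test-IsElevated {
    # $true when the current session carries an administrator token.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-DnsServerExposure {
    # The DNS Server role registers a service named 'DNS' (assumption stated
    # in the lead-in); on client SKUs the service simply does not exist.
    $svc = Get-Service -Name 'DNS' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DnsServerInstalled = [bool]$svc
        DnsServerRunning   = [bool]($svc -and $svc.Status -eq 'Running')
    }
}

function Get-PatchStatus {
    param([datetime]$Since)
    # Get-HotFix reads Win32_QuickFixEngineering; InstalledOn is sometimes
    # empty, so those rows are dropped before picking the newest entry.
    $fixes  = Get-HotFix | Where-Object { $_.InstalledOn }
    $latest = $fixes | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        LatestHotFix      = $latest.HotFixID
        LatestInstalledOn = $latest.InstalledOn
        PatchedSince      = [bool]($latest -and $latest.InstalledOn -ge $Since)
    }
}

$dns   = Get-DnsServerExposure
$patch = Get-PatchStatus -Since $PatchTuesday

Write-Host ("Session elevated:        {0}" -f (Test-IsElevated))
Write-Host ("DNS Server role present: {0} (running: {1})" -f $dns.DnsServerInstalled, $dns.DnsServerRunning)
Write-Host ("Latest hotfix:           {0} on {1}" -f $patch.LatestHotFix, $patch.LatestInstalledOn)

if ($dns.DnsServerRunning -and -not $patch.PatchedSince) {
    Write-Warning ("DNS Server is running and nothing has been installed since {0}; " +
                   "review the March 2021 DNS Server CVEs, including CVE-2021-26897.") -f $PatchTuesday.ToShortDateString()
}
if (Test-IsElevated) {
    Write-Warning "This session is elevated; do not browse the Web from it (see CVE-2021-26411 above)."
}
```

Get-HotFix is a heuristic, not proof of patch state: before declaring a server patched, compare its build revision (the UBR value under HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion) against the revision listed in the KB article for that build.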

"These attacks are not limited to external attackers — they also become a target for attackers who may already be inside your network," Breen says. "An attacker gaining access to manipulate a DNS server within your organization can have a significant impact on your overall security." 

Another CVE that draws attention to privileges is CVE-2021-27076, an RCE vulnerability in SharePoint Server, also rated "exploitation more likely." An attacker who can reach the server over the network could gain code execution on it, but only with privileges to create or modify Sites in SharePoint, which authenticated users have by default. It's a reminder that users who don't need specific privileges shouldn't have them.

Today's Critical patches also address two RCE flaws in Azure Sphere, both of which are unsigned code execution vulnerabilities. However, users likely won't need to take action because devices running Azure Sphere connected to the Internet get automatic updates, as Dustin Childs, with Trend Micro's Zero-Day Initiative, points out. These flaws are listed as CVE-2021-27074 and CVE-2021-27080.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...