Microsoft Fixes Exchange Server Zero-Day

November security update contains patches for 55 bugs — including six zero-days across various products.

Microsoft's November security updates, released today, contained fixes for 55 vulnerabilities, including six zero-day flaws — two of which are currently being exploited.

But according to at least one security researcher, the flaw that organizations should be most concerned about is CVE-2021-42298, a critical bug in Microsoft Defender that attackers can exploit to remotely execute malicious code on vulnerable systems.

"I think this CVE should be top of mind for all enterprises," said Danny Kim, principal architect at Virsec, in a statement. Microsoft itself has assessed the flaw as severe and likely to be exploited. Also, because Windows Defender runs on all supported versions of Windows, the vulnerability significantly increases the potential attack surface for organizations.

"This CVE does require some user interaction; however, we have seen in the past how attackers can use social engineering/phishing emails to achieve such interaction fairly easily," Kim said.

Kim described CVE-2021-26443 as another vulnerability that organizations should consider prioritizing. The remote code execution flaw is present in Microsoft Virtual Machine Bus (VMBus), a communication component of the company's Hyper-V virtualization technology. The flaw gives attackers a way to escape a virtual machine's built-in protections and run malicious code on the underlying physical host system.

"This means the attacker can inflict damage not only on the VM, but all VMs running on that physical host," Kim said. The ability to run arbitrary code on a physical host is one of the deepest levels of infiltration an attacker can achieve, he noted.

Meanwhile, the two vulnerabilities for which exploit code is currently available are present in Microsoft Exchange Server (CVE-2021-42321) and Microsoft Excel (CVE-2021-42292).

The Exchange Server flaw results from improper validation of a cmdlet, a command that is often used in PowerShell environments. The flaw can be exploited over the network, is not very complex, and requires low privileges and no user interaction. Microsoft described the vulnerability as having a high impact on data confidentiality, integrity, and availability, and said it had detected exploitation of the flaw in the wild.

"As with all Exchange bugs in the wild, we urge Exchange admins to test and deploy the patches as soon as possible," said Dustin Childs, with Trend Micro's Zero-Day Initiative, in a statement.

The Microsoft Excel flaw (CVE-2021-42292), the other actively exploited vulnerability in the company's November update, is a security feature bypass flaw that results in malicious code being executed when certain maliciously crafted files are opened.

"It's unclear if it's a malicious macro or some other form of code loading within a spreadsheet," Childs said. But users should be cautious about opening unexpected attachments for a while, especially users of Office for Mac, because Microsoft has not yet released a patch for it, Childs noted.

"It's also interesting to note Microsoft lists this as under active attack, but the CVSS rating lists the exploit code maturity as 'proof of concept,'" he said.

Four other flaws in Microsoft's latest security update have been publicly disclosed, though no exploit activity has been associated with any of them yet. Two of the flaws — CVE-2021-38631 and CVE-2021-41371 — involve Microsoft's frequently targeted Remote Desktop Protocol technology. Both are information disclosure vulnerabilities that Microsoft described as less likely to be exploited. The other two publicly known flaws — CVE-2021-43208 and CVE-2021-43209 — are both remote code execution flaws in Microsoft's 3D Viewer Remote technology. Microsoft has disclosed multiple severe to critical flaws in the 3D model viewing software over the past year.

As always, the 55 vulnerabilities for which Microsoft has issued patches impact a wide range of the company's products, including Microsoft Office, Windows, Azure, Power BI, and Visual Studio. However, the actual number of flaws the company disclosed this month is lower than in some previous months this year. Microsoft's January 2021 security update, for instance, addressed 83 vulnerabilities. In June and September, the company disclosed more than 60 bugs, and Microsoft's October 21 update contained fixes for more than 70 flaws.