Microsoft today issued fixes for 114 vulnerabilities as part of its monthly security update release, which this month addressed 19 critical flaws, four critical Microsoft Exchange Server bugs found by the National Security Agency (NSA), and one zero-day bug in Desktop Window Manager.
The patches released today address flaws in Microsoft Windows, the Edge browser, Microsoft Office, Azure and Azure DevOps Server, Exchange Server, SharePoint Server, Hyper-V, Visual Studio, and Team Foundation Server. None of the bugs were disclosed at the recent Pwn2Own.
CVE-2021-28310, a Win32k elevation of privilege vulnerability, is the only CVE under active attack patched this month. Kaspersky researchers who found it believe it's potentially being used in the wild by several attackers. They note it's likely used with other browser exploits to escape sandboxes or achieve system privileges; however, they did not capture a full chain so are unable to confirm the full attack sequence.
Attack complexity for this vulnerability is low, according to Microsoft, and it requires low-level privileges. An attacker would have to access the target system locally or remotely, or rely on a user to run the malicious code for them.
Today's patches also addressed four critical remote code execution vulnerabilities in Microsoft Exchange Server: CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483. All of these were discovered by the NSA and affect Exchange Server versions 2013 through 2019.
CVE-2021-28480 and CVE-2021-28481 have a CVSS score of 9.8 and require no authorization or user interaction to exploit. Dustin Childs of Trend Micro's Zero-Day Initiative notes this CVSS score is higher than the scores for the Exchange Server vulnerabilities disclosed last month, and given that Microsoft lists the attack vector as "Network," it's likely they are wormable - at least between Exchange Servers. Considering they came from the NSA, patching should be a priority.
"We have not seen the vulnerabilities used in attacks against our customers," Microsoft says of the on-premise Exchange Server flaws patched today. "However, given recent adversary focus on Exchange, we recommend customers install the updates as soon as possible to ensure they remain protected from these and other threats." Exchange Online users are already protected.
Microsoft has also identified a whopping 27 remote code execution flaws in Remote Procedure Call, a protocol that lets a program request service from a program on another machine in the same network. Of these, 12 are rated as Critical and 15 are categorized at Important in severity.