Microsoft has released its regularly scheduled March Patch Tuesday updates, which address 89 security vulnerabilities overall.
Included in the slew are 14 critical flaws and 75 important-severity flaws. Microsoft also included five previously disclosed vulnerabilities, which are being actively exploited in the wild.
Four of the actively exploited flaws (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065), found in Microsoft Exchange, were disclosed as part of an emergency patch earlier this month by Microsoft; businesses have been scrambling to patch their systems as the bugs continue to be exploited in targeted attacks. The fifth actively-exploited flaw exists in the Internet Explorer and Microsoft Edge browsers (CVE-2021-26411). Proof-of-concept (PoC) exploit code also exists for this flaw, according to Microsoft.
“For all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V,” said Dustin Childs with Trend Micro’s Zero Day Initiative, on Tuesday.
Internet Explorer’s Actively Exploited Flaw
The memory-corruption flaw (CVE-2021-26411) in Internet Explorer and Microsoft Edge could enable remote code execution. Researchers said the flaw could allow an attacker to run code on affected systems, if victims view a specially crafted HTML file.
“While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,” said Childs. “Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with administrative privileges.”
PoC exploit code is also publicly available for the issue. The bug is “tied to a vulnerability” that was publicly disclosed in early February by ENKI researchers. The researchers claimed it was one of the vulnerabilities used in a concerted campaign by nation-state actors to target security researchers, and they said they would publish PoC exploit code for the flaw after the bug had been patched.
“As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,” according to Satnam Narang, staff research engineer at Tenable. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”
PoC Exploit Code Available For Windows Privilege Elevation Flaw
In addition to the five actively exploited vulnerabilities, Microsoft issued a patch for a vulnerability in Windows Win32K (CVE-2021-27077) for which public PoC exploit code is also available. The flaw is rated important in severity. A local attacker can exploit the flaw to gain elevated privileges, according to Microsoft. While PoC exploit code is available for the flaw, the tech giant said it has not been exploited in the wild, and that exploitation is “less likely.”
Other Microsoft Critical Flaws
Microsoft patched 14 critical vulnerabilities overall in this month’s Patch Tuesday updates, including CVE-2021-26897, which exists in Windows DNS server and can enable remote code execution. The flaw is one of seven vulnerabilities in Windows DNS server; the other six are rated important in severity. The critical-severity flaw can be exploited by an attacker with an existing foothold on the same network as the vulnerable device; the attack complexity for such an attack is “low.”
A critical remote code-execution flaw also exists in Microsoft’s Windows Hyper-V hardware virtualization product (CVE-2021-26867), which could allow an authenticated attacker to execute code on the underlying Hyper-V server.
“While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system,” said Childs. “Microsoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.”
Another bug of note is a remote code-execution flaw in Microsoft’s SharePoint Server (CVE-2021-27076). The flaw can be exploited by a remote attacker on the same network as the victim, and has a low attack complexity that makes exploitation more likely, according to Microsoft.
“For an attack to succeed, the attacker must be able to create or modify sites with the SharePoint server,” according to Childs. “However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions.”
Microsoft Exchange Updates: Patch Now
The Microsoft Patch Tuesday updates come as businesses grapple with existing Microsoft Exchange zero-day vulnerabilities that were previously disclosed and continue to be used in active exploits. Overall, Microsoft had released out-of-band fixes for seven vulnerabilities – four of which were the actively-exploited flaws.
On Monday, the European Banking Authority disclosed a cyberattack that it said stemmed from an exploit of the Microsoft Exchange flaw. Beyond the European Banking Authority, one recent report said that at least 30,000 organizations across the U.S. have been hacked by attackers exploiting the vulnerability.
“If you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible,” said Childs. “Microsoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.”
Also released on Tuesday were Adobe’s security updates, addressing a cache of critical flaws, which, if exploited, could allow for arbitrary code execution on vulnerable Windows systems.