This month’s Patch Tuesday (or Update Tuesday, as the MSRC team blog prefers to call it) falls on the 13th, which may give pause to the superstitious among us. Some users felt pretty unlucky after installing the March updates, which came with continuing problems for those using certain printer models; the company ended up having to patch the patch that was supposed to patch the patch. Let’s hope this month’s fixes come without too many “side effects.”
All that aside, it’s been an interesting month on the cybersecurity front. Microsoft hasn’t been the only tech giant in the limelight – a zero day exploit for Google’s Chrome browser was posted on Twitter – although Microsoft’s LinkedIn service was in the news when the personal information of an estimated 500 million users was “scraped” and sold on a forum for cybercriminals. In addition, a series of critical vulnerabilities in Microsoft Exchange was discovered by the NSA, which disclosed them to Microsoft. The fixes for those are included in this month’s slate of patches, and we’ll talk more about them below.
According to sources, this month’s fixes address 108 vulnerabilities, nineteen of which are rated critical and five of which are considered zero day issues. One of the latter has been exploited in the wild. The total doesn’t include the six Microsoft Edge (Chromium version, which replaced the legacy version in February) fixes that were released on April 1, so the total patched (thus far) this month is 114.
Depending on the version, Windows 10 gets fixes for 77 to 79 vulnerabilities, and Windows Server gets from 47 to 77 fixes.
Now let’s take a closer look at some of this month’s critical and important updates.
As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide web site for a full list of the April releases. You’ll find that these apply to an even longer-than-usual list of Microsoft products and features, including:
Azure AD Web Sign-in, Azure DevOps, Azure Sphere, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Internet Messaging API, Microsoft NTFS, Microsoft Office Excel, Microsoft Office Outlook, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Windows Codecs Library, Microsoft Windows Speech, Open Source Software, Role: DNS Server, Role: Hyper-V, Visual Studio, Visual Studio Code, Visual Studio Code – GitHub Pull Requests and Issues Extension, Visual Studio Code – Kubernetes Tools, Visual Studio Code – Maven for Java Extension, Windows Application Compatibility Cache, Windows AppX Deployment Extensions, Windows Console Driver, Windows Diagnostic Hub, Windows Early Launch Antimalware Driver, Windows ELAM, Windows Event Tracing, Windows Installer, Windows Kernel, Windows Media Player, Windows Network File System, Windows Overlay Filter, Windows Portmapping, Windows Registry, Windows Remote Procedure Call Runtime, Windows Resource Manager, Windows Secure Kernel Mode, Windows Services and Controller App, Windows SMB Server, Windows TCP/IP, Windows Win32K, and Windows WLAN Auto Config Service.
If you’re running any of these software products, you might want to check the updates page for more information about each, including mitigations for those who can’t install the updates and any known issues with the patches.
There is also an unusually long list this time of vulnerabilities that have mitigations, workarounds, or FAQs. Be sure to check those out in the release notes.
And finally, there are the inevitable known issues with some of these patches, affecting various versions of Windows Server and client, SharePoint, and Exchange Server.
Zero day and critical vulnerabilities
We’ll focus on the most serious vulnerabilities that were patched this month: those that were publicly disclosed before the release of their updates (zero day vulnerabilities), and others rated critical.
A critical rating pertains to a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.
Microsoft recommends that customers apply Critical updates immediately.
Zero day vulnerabilities patched
CVE-2021-28310 – Win32k Elevation of Privilege Vulnerability – this is the only one of the zero-day vulnerabilities known to have been exploited in the wild. It’s an elevation of privilege issue that’s based on an out-of-bounds write vulnerability in the Desktop Window Manager and is believed to have been used by the BITTER APT group and possibly others.
CVE-2021-27091 – RPC Endpoint Mapper Service Elevation of Privilege Vulnerability – This is another elevation of privilege issue. It is rated important but is included here because it is a zero-day issue. It is not known to have been exploited in the wild.
CVE-2021-28312 – Windows NTFS Denial of Service Vulnerability – This is a vulnerability in the NT File System that can be used to create a denial of service attack. It affects Windows 10 and Windows Server (various versions). User interaction is required, making it more difficult to exploit.
CVE-2021-28437 – Windows Installer Information Disclosure Vulnerability – PolarBear – This is a vulnerability in the Windows Installer code that could be exploited to disclose information. This could result in total or partial loss of confidentiality, with the attacker obtaining access to some or all of the restricted information. It impacts various versions of Windows client and server operating systems.
CVE-2021-28458 – Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability – This is an elevation of privilege issue in the Azure ms-rest-nodeauth library. An exploit can result in total loss of confidentiality, integrity, and availability.
Other critical vulnerabilities patched
This month’s patches address three sets of related critical vulnerabilities in Windows and Exchange, along with one critical vulnerability in Azure Sphere.
CVE-2021-28329 CVE-2021-28330 CVE-2021-28331 CVE-2021-28332 CVE-2021-28333 CVE-2021-28334 CVE-2021-28335 CVE-2021-28336 CVE-2021-28337 CVE-2021-28338 CVE-2021-28339 CVE-2021-28343 – Remote Procedure Call Runtime Remote Code Execution Vulnerabilities – These are critical vulnerabilities that impact Windows client and server operating systems, including server core installations. They can be exploited to allow an attacker to run arbitrary code and can result in total loss of confidentiality, integrity, and availability.
CVE-2021-28480 CVE-2021-28481 CVE-2021-28482 CVE-2021-28483 – Microsoft Exchange Server Remote Code Execution Vulnerabilities – These are the vulnerabilities in Microsoft Exchange Server that were reported by the NSA. They are remote code execution issues by which an attacker could run arbitrary code, resulting in a total loss of confidentiality, integrity, and availability. They affect Exchange Server 2013, 2016, and 2019.
CVE-2021-28315 CVE-2021-27095 – Windows Media Video Decoder Remote Code Execution Vulnerabilities – These are vulnerabilities in the Windows Media Video Decoder that could be used by an attacker to run arbitrary code, resulting in a complete loss of confidentiality, integrity, and availability. They affect Windows client and Windows Server (various versions), including the server core installations. User interaction is required, making them more difficult to exploit.
CVE-2021-28460 – Azure Sphere Unsigned Code Execution Vulnerability – This is a vulnerability in Azure Sphere, Microsoft’s IoT solution, a high level application platform for Internet-connected devices. It’s an unsigned code execution vulnerability that could be exploited resulting in total loss of confidentiality, integrity, and availability. Versions of Azure Sphere that are 21.03 and higher are protected from this vulnerability.
In addition to the critical vulnerabilities discussed above, Patch Tuesday brings us fixes for eighty-nine that are rated Important. These cover a broad base and include spoofing vulnerabilities, security feature bypasses, use-after-free, buffer overflows, information disclosure, denial of service, remote code execution, and elevation of privilege issues in an array of Windows components such as Installer, SMB Server, the TCP/IP stack, WLAN auto config service, Azure AD web sign-in, Azure DevOps, graphics component, Internet messaging API and more. Also addressed are issues in Microsoft Office Excel, Word, Outlook, and SharePoint, the Windows Codecs library, Windows DNS, Windows Speech, the Hyper-V role, and other Microsoft products, services, and components.
Per Microsoft guidance, a rating of Important pertains to a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where the client is compromised with warnings or prompts, regardless of the prompt’s provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.
Microsoft recommends that customers apply Important updates at the earliest opportunity.
CVE-2021-28447 – Windows Early Launch Antimalware Driver Security Feature Bypass Vulnerability – This security feature bypass vulnerability in the Windows early launch antimalware driver affects all the supported versions of Windows client and server operating systems, including the server core installations. It could be used by an attacker to bring about a total loss of integrity, so that the attacker would be able to modify any or all files protected by the impacted component.
Applying the updates
Most organizations will deploy Microsoft and third party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service that’s built into the operating system. Cumulative and security-only updates are available for supported versions of Windows client and server. Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog. Following are links to the downloadable updates for the most recent versions of Windows 10:
- Windows 10 version 1909 – KB5001337
- Windows 10 version 2004 and 20H2 – KB5001330
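The following PowerShell check is an added example, not part of the original post: it reads the Windows 10 version from the registry, looks up the KB number the post lists for that version, and reports whether Get-HotFix shows it installed. The version-to-KB mapping is taken from the two list items above; any other version is reported as unmapped.

```powershell
# Added example (not from the original post): verify that the April 2021
# cumulative update the post lists for this Windows 10 version is installed.
# Assumption: only the versions the post names are mapped; others return "not mapped".
$expectedKb = @{
    '1909' = 'KB5001337'
    '2004' = 'KB5001330'
    '20H2' = 'KB5001330'
}

function Get-Win10Version {
    # DisplayVersion exists on 20H2 and later; older builds only carry ReleaseId
    # (on 20H2 ReleaseId still reads 2009, so DisplayVersion is checked first)
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    if ($cv.PSObject.Properties['DisplayVersion']) { return $cv.DisplayVersion }
    return $cv.ReleaseId
}

function Test-AprilUpdateInstalled {
    $version = Get-Win10Version
    if (-not $expectedKb.ContainsKey($version)) {
        return [pscustomobject]@{ Version = $version; ExpectedKB = $null; Installed = 'not mapped' }
    }
    $kb = $expectedKb[$version]
    # Get-HotFix (Win32_QuickFixEngineering) lists installed updates by HotFixID, e.g. "KB5001330"
    $present = Get-HotFix | Where-Object { $_.HotFixID -eq $kb }
    $installedOn = if ($present) { $present.InstalledOn } else { $null }
    [pscustomobject]@{
        Version     = $version
        ExpectedKB  = $kb
        Installed   = [bool]$present
        InstalledOn = $installedOn
    }
}

Test-AprilUpdateInstalled | Format-List
```

Because cumulative updates supersede one another, a machine that has already taken a later cumulative update will not list this KB even though it is at least as current; treat a "False" result as a prompt to compare the OS build against the release notes rather than as proof the system is unpatched.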
Before rolling out an update to your production systems, you should always research whether there are known issues that could affect your particular machines and configurations. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found in the release notes.
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems and its definitions are updated regularly. The updates are normally installed via Windows Update but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in KB890830.
Third party releases
In addition to Microsoft’s security updates, this month’s Patch Tuesday brought four security updates from Adobe, applicable to Photoshop, Adobe Digital Editions, Adobe Bridge, and RoboHelp.