This month wasn’t a good one for IT admins – especially those running Microsoft Exchange servers. A Chinese hacker organization going by the moniker “Hafnium” was discovered to be exploiting security vulnerabilities in Exchange 2013, 2016, and 2019. This allowed them to access the email of the many thousands of businesses and government agencies using this server software. Note that the Exchange Online service was not affected, so if your company’s email is hosted through Microsoft 365/Office 365, you don’t have to worry about it.
Microsoft released out-of-band patches ahead of this month’s regular Patch Tuesday release to fix the four Exchange flaws, which are listed below under “Vulnerabilities exposed prior to patch release.”
Exchange wasn’t the only Microsoft product that fell victim to exploitation recently, though. An Internet Explorer memory corruption vulnerability that impacts some versions of Edge as well as IE has been used by North Korean hackers in zero-day attacks on security researchers. The patch for this exploit has just now been released in this month’s slate of Patch Tuesday releases, and we’ll talk more about it in the Critical and Exploited Vulnerabilities section below.
If you have users who are still running the legacy version of Microsoft Edge, it’s time to upgrade to the new Chromium-based version of Edge. Support for the older Edge browser ends this month, so this is the last patch it will get. Many enterprises continue to run the even older Internet Explorer 11, which is still supported. Chromium-based Edge includes an IE mode that will allow users to access content that requires IE 11 features.
Now let’s take a look at some of this month’s critical and important updates.
As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide web site for a full list of the March releases. You’ll find that these apply to a long list of Microsoft products and features, including:
Application Virtualization, Azure, Azure DevOps, Azure Sphere, Internet Explorer, Microsoft ActiveX, Microsoft Exchange Server, Microsoft Edge (Chromium-based), Microsoft Graphics Component, Microsoft Office, Microsoft Office Excel, Microsoft Office PowerPoint, Microsoft Office SharePoint, Microsoft Office Visio, Microsoft Windows Codecs Library, Power BI, Role: DNS Server, Role: Hyper-V, Visual Studio, Visual Studio Code, Windows Admin Center, Windows Container Execution Agent, Windows DirectX, Windows Error Reporting, Windows Event Tracing, Windows Extensible Firmware Interface, Windows Folder Redirection, Windows Installer, Windows Media, Windows Overlay Filter, Windows Print Spooler Components, Windows Projected File System Filter Driver, Windows Registry, Windows Remote Access API, Windows Storage Spaces Controller, Windows Update Assistant, Windows Update Stack, Windows UPnP Device Host, Windows User Profile Service, Windows WalletService, and Windows Win32K.
If you’re running any of these software products, you might want to check the updates page for more information about each, including mitigations for those who can’t install the updates and any known issues with the patches.
It’s not surprising, given the large number of products being updated, that this slate of patches fixes over eighty vulnerabilities. The good news is that only ten of these are rated critical, and those are the ones on which we’ll focus.
Critical and exploited vulnerabilities
Interestingly, none of this month’s critical vulnerabilities are in the Windows client operating systems. Windows 8.1 and Windows 7 (which is in extended support only) have five important vulnerabilities patched, and the latest versions of Windows 10 have eight, also all rated important.
There is one critical vulnerability that affects Windows Server versions 2008 R2, 2012 R2, 2016, and 2019. This is the Windows DNS Server Remote Code Execution issue that we discuss below.
Vulnerabilities exposed prior to patch release
CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability. This vulnerability affects Internet Explorer and the legacy EdgeHTML-based version of Microsoft Edge on Windows client and server operating systems. In January, Google reported that the exploit was being used by a group backed by the North Korean government in targeted attacks to place malicious software on the computers of security researchers through social media accounts on Twitter, LinkedIn and other sites, as well as via email.
The exploit combines social engineering and malware, as the hackers disguised as fellow researchers would use their fake accounts to contact real researchers and persuade them to collaborate on research projects, then send a Visual Studio project that uses PowerShell to execute a malicious DLL. You can read Google’s report here. You can find a list of the KB articles and update downloads for the affected operating systems in the CVE link.
CVE-2021-26855, -26857, -27065, and -26858 – Microsoft Exchange Server Remote Code Execution Vulnerabilities discussed above, which were patched on March 2. The first three of these are rated critical and the last is rated important.
Other critical vulnerabilities patched
The following vulnerabilities are rated critical:
CVE-2021-24089, -27061, and -26902 – HEVC extension vulnerabilities. These are a trio of critical remote code execution vulnerabilities in HEVC video extensions. High Efficiency Video Coding (HEVC) extensions are designed to take advantage of hardware capabilities on some newer devices when playing videos on Windows devices. These vulnerabilities are due to improper input validation. A remote attacker can send a specially crafted request and execute arbitrary code on the target system.
CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability. This vulnerability affects supported versions of Windows Server, including server core installations. There are a total of five DNS server RCE vulnerabilities patched this month, but this is the only one that’s rated critical. Windows Servers that are configured as DNS servers are at risk from this vulnerability. Secure Zone Updates lessen the likelihood of successful exploitation but do not fully mitigate the risk.
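The paragraph above notes that secure dynamic updates reduce, but do not eliminate, exposure to the DNS Server RCE. The following PowerShell script is an added example (not code from the original post or from GFI) that inventories the primary zones on a Windows DNS server and flags any that still accept non-secure dynamic updates. It assumes the DnsServer module that ships with the DNS Server role and an elevated session; the `-Remediate` switch and `-ComputerName` parameter are this script’s own.

```powershell
# Added example: report DNS zones that accept non-secure dynamic updates and,
# optionally, switch AD-integrated zones to Secure. The -Remediate switch and
# -ComputerName parameter are assumptions of this script, not part of the DNS role.
param(
    [string] $ComputerName = $env:COMPUTERNAME,
    [switch] $Remediate
)

Import-Module DnsServer -ErrorAction Stop

# Only primary zones accept dynamic updates; auto-created zones (localhost,
# reverse loopback) are not interesting here.
$zones = Get-DnsServerZone -ComputerName $ComputerName |
    Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated }

$findings = foreach ($zone in $zones) {
    $status = switch ("$($zone.DynamicUpdate)") {
        'Secure'             { 'OK' }
        'None'               { 'OK (dynamic updates disabled)' }
        'NonsecureAndSecure' {
            # Secure dynamic updates are only available for AD-integrated zones,
            # so a file-backed zone needs a design decision rather than a one-liner.
            if ($zone.IsDsIntegrated) { 'FIX: allows non-secure updates' }
            else { 'REVIEW: file-backed zone cannot use secure updates' }
        }
        default              { "REVIEW: unknown setting '$($zone.DynamicUpdate)'" }
    }
    [pscustomobject]@{
        Zone          = $zone.ZoneName
        ADIntegrated  = $zone.IsDsIntegrated
        DynamicUpdate = $zone.DynamicUpdate
        Status        = $status
    }
}

$findings | Format-Table -AutoSize

if ($Remediate) {
    $findings | Where-Object { $_.Status -like 'FIX:*' } | ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $ComputerName -Name $_.Zone -DynamicUpdate Secure
        Write-Host "Set $($_.Zone) to Secure dynamic updates"
    }
}
```

Run it without `-Remediate` first and review the `REVIEW` rows: a file-backed primary zone that needs dynamic updates has to be converted to an AD-integrated zone before it can be set to Secure, and a zone that never needs dynamic updates is better set to `None`. None of this replaces installing the update; it only narrows who can push records into the server in the meantime.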
CVE-2021-26867 – Windows Hyper-V Remote Code Execution Vulnerability. This vulnerability could be exploited to enable the attacker to run code on the Hyper-V server running on Windows 10 or Windows Server 1909 or 20H2, including the server core installation. This vulnerability is due to improper input validation in Windows Hyper-V.
CVE-2021-27074 and -27080 – Azure Sphere Unsigned Code Execution Vulnerabilities. Azure Sphere is an application platform for internet-connected devices. Microsoft releases updates for the Azure Sphere OS through the Azure Sphere Security Service. An IoT device that is running Azure Sphere and is connected to a network is automatically updated every day. Microsoft has stated that all versions of Azure Sphere that are 21.02 and higher are protected from these vulnerabilities.
CVE-2021-21300 – Git for Visual Studio Remote Code Execution Vulnerability. This vulnerability affects VS versions 15.9, 16.4, 16.7, 16.8, and 16.9. This remote code execution vulnerability exists when Visual Studio clones a malicious repository.
CVE-2021-26876 – OpenType Font Parsing Remote Code Execution Vulnerability. This vulnerability affects Windows client and server operating systems, including server core installations and Windows 10 on ARM64-based systems.
CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability. This is another DNS server RCE vulnerability. It impacts Windows server and client operating systems running the DNS service, including server core installations.
Select important vulnerabilities patched
CVE-2021-27076 – Microsoft SharePoint Server Remote Code Execution Vulnerability. This vulnerability could enable the attacker to execute code through the ability to create or modify SharePoint sites (which authenticated users can do by default). SharePoint 2013, 2016, and 2019 are affected, as is Microsoft Business Productivity Servers 2010 Service Pack 2.
Other important vulnerabilities patched this month include additional RCE, information disclosure, spoofing, denial of service, security feature bypass, and elevation of privilege issues.
Applying the updates
Most organizations will deploy Microsoft and third party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.
Most home users will receive the updates via the Windows Update service that’s built into the operating system.
Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog. Following are links to the downloadable updates for the most recent versions of Windows 10:
KB5000808 — 2021-03 Cumulative Update for Windows 10 Version 1909
KB5000802 — 2021-03 Cumulative Update for Windows 10 Version 2004
KB5000802 — 2021-03 Cumulative Update for Windows 10 Version 20H2
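To confirm that the right cumulative update from the list above actually landed on a given Windows 10 machine, the following PowerShell snippet is an added example (not code from the original post or from GFI). It reads the OS version from the registry, looks up the KB number from the mapping given above, and checks the installed hotfix list; it assumes a local elevated session and changes nothing on the system.

```powershell
# Added example: verify that the March 2021 cumulative update for this Windows 10
# release is installed. The version-to-KB mapping is the one listed above.
$expected = @{
    '1909' = 'KB5000808'
    '2004' = 'KB5000802'
    '20H2' = 'KB5000802'
}

$cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
# DisplayVersion exists from 20H2 onward; older releases only expose ReleaseId
# (20H2 itself reports 2009 in ReleaseId, which is why DisplayVersion is preferred).
$version = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
$build   = "$($cv.CurrentBuild).$($cv.UBR)"

$kb = $expected[$version]
if (-not $kb) {
    Write-Warning "Windows 10 version '$version' (build $build) is not in the list above; check the Microsoft Update Catalog."
    return
}

# Get-HotFix lists installed updates by HotFixID (KBnnnnnnn); a missing entry
# means the cumulative update has not been applied (or the install failed).
$installed = Get-HotFix -Id $kb -ErrorAction SilentlyContinue
if ($installed) {
    "Version $version (build $build): $kb installed on $($installed.InstalledOn)"
} else {
    "Version $version (build $build): $kb NOT installed"
}
```

In a fleet this is the kind of check a patch management system runs for you; the snippet is useful for spot-checking a machine that reports as compliant but is still misbehaving, or for a lab box outside the management scope.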
Before rolling out an update to your production systems, you should always research whether there are known issues that could affect your particular machines and configurations. There are a large number of such known issues that impact this month’s updates. A full list of links to the KB articles detailing these issues can be found here in the release notes for this month’s updates.
When updating Windows 10 version 1909, 2004, or 20H2, system and user certificates may be lost during the update. Microsoft suggests rolling back the upgrade to the new version of Windows.
There have been some reports of problems with printing and blue screens after installation of this month’s updates.
Malicious Software Removal Tool (MSRT) update
The MSRT is used to find and remove malicious software from Windows systems, and its definitions are updated regularly. The updates are normally installed via Windows Update, but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in KB890830.
In addition to Microsoft’s security updates, this month’s Patch Tuesday brought five updates from Adobe to address vulnerabilities across their products (Animate, Photoshop, Connect, Creative Cloud desktop application, and Framemaker).