Governance & Risk Management , Patch Management

Microsoft Patch Tuesday: A Call to Action

Critical Updates to Exchange, Explorer Mitigate Risks
Microsoft Patch Tuesday: A Call to Action

Microsoft's rerelease on Patch Tuesday of the seven patches for the widely exploited Exchange vulnerabilities has given security experts a chance to reiterate the urgent need to install these and other critical security updates.

See Also: Finding and Managing the Risk in your IT Estate: A Comprehensive Overview

"It’s imperative for organizations to ensure they’ve applied patches to address the Microsoft Exchange-related zero-days that were disclosed last week as part of an out-of-band advisory, which nation-state groups and other threat actors have exploited indiscriminately," says Satnam Narang, staff research engineer at Tenable.

On March 2, Microsoft issued emergency software patches for four zero-day vulnerabilities in Exchange email server; those were rereleased on Tuesday. The company says a China-based group it calls Hafnium has exploited the unpatched flaws in an attempt to gain persistent access to email systems (see: Exchange Server Attacks Spread After Disclosure of Flaws).

Internet Explorer Patch

In addition to the Exchange patches, Microsoft also released a patch for an Internet Explorer zero-day vulnerability, CVE-2021-26411, which researchers at the Korean research firm ENKI claim was used to attack security researchers. The Multi-State Information Sharing and Analysis Center issued a cybersecurity advisory telling companies to patch CVE-2021-26411 along with the zero-day flaw CVE-2021-27077, which could allow for privilege escalation if exploited.

Narang notes that ENKI intended to post proof-of-concept code for CVE-2021-26411 after the patches were released, potentially opening the door for attacks.

"As we've seen in the past, once proof-of-concept details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits," Narang says. "We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible."

If exploited, the CVE-2021-26411 Internet Explorer memory corruption vulnerability could enable an attacker to run malicious code on the affected system when a user visits a specially crafted HTML file.

"While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly," Trend Micro's Zero Day Initiative warns. "Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges."

Another Zero-Day Vulnerability

Although a proof of concept for exploiting CVE-2021-27077 has been made public, Microsoft says this flaw is not being exploited and exploitation is unlikely.

"This CVE describes a disclosed but not yet exploited vulnerability in Win32k that could allow for privilege escalation," says Tyler Reguly, manager of security R&D at Tripwire. "This is a local vulnerability, meaning that an attacker must already have access to the system to exploit this issue."

The patch for yet another zero-day vulnerability, CVE-2021-26701 was re-released Tuesday to provide links to release notes, says Chris Goettl, senior director of product management and security at Ivanti.

"The vulnerability from February had been publicly disclosed and, if exploited, could allow remote code execution," Goettl says. "The vulnerability has been rated as critical and affects Microsoft .Net 5.0, .Net Core 3.1 and 2.1 as well as Visual Studio 2019 and 2017 versions."

More Patches

In addition to the zero-day and Exchange vulnerabilities included in this month's Patch Tuesday release, several other critical flaws received security updates, including:

  • CVE-2021-27074: A remote code execution flaw in Azure Sphere;
  • CVE-2021-26897: A remote code execution vulnerability issue in multiple Microsoft products, with the company believing exploitation is likely;
  • CVE-2021-26876: A remote code execution vulnerability in multiple Microsoft products, with the company believing exploitation is less likely;
  • CVE-2021-27061: A remote code execution flaw in Microsoft's HEVC Video Extension that is less likely to be exploited, the company says.

About the Author

Doug Olenick

Doug Olenick

Former News Editor, ISMG

Olenick has covered the cybersecurity and computer technology sectors for more than 25 years. Prior to his stint as ISMG as news editor, Olenick was online editor for SC Media, where he covered every aspect of the cybersecurity industry and managed the brand's online presence. Earlier, he worked at TWICE - This Week in Consumer Electronics - for 15 years. He also has contributed to, TheStreet and Mainstreet.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.