Patch Tuesday A week after Microsoft warned that four zero-day flaws and three others in its Exchange Server were being actively exploited and issued out-of-band remediation, the cloudy Windows biz has delivered software fixes to address 82 other vulnerabilities as part of its monthly Patch Tuesday ritual.
All told, that makes 89 CVEs for the month, 14 of which have been deemed critical. Microsoft says two of these vulnerabilities (CVE-2021-26411 and CVE-2021-27077) are publicly known and five are under active exploitation (CVE-2021-26411, CVE-2021-26855, CVE-2021-26857, CVE-2021-27065, and CVE-2021-26858).
Forty-one products or services are slated to get these repairs, mostly related to Office, Windows, and a bit of Azure. That’s just too many to list individually without one’s eyes glazing over.
The March patch cycle will also be the last for Microsoft’s Edge Legacy browser. Upon installing the April patch set, Edge Legacy will be removed from Windows 10 and replaced with Redmond’s replatformed Chromium-based version of Edge.
US National Security Council urges review of Exchange Servers in wake of Hafnium attack
Exchange bugs from last week aside, CVE-2021-26411, an Internet Explorer memory corruption vulnerability, deserves immediate attention. It has a severity rating of 8.8, is publicly known, and is under active exploitation.
“While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,” said Dustin Childs, director of communications for the Zero Day Initiative, in a blog post. “Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.”
Childs also recommends paying attention to CVE-2021-26897, a critical Windows DNS Server remote code execution (RCE) flaw rated 9.8 severity. He notes that there are four other DNS Server RCE bugs designated important and that a similar DNS Server RCE vulnerability was dealt with last month. Half of the vulnerabilities this month, he observed, involve some form of remote code execution.
Another critical bug, CVE-2021-26867, a Windows Hyper-V RCE flaw, just misses a perfect 10 score, coming in at 9.9 severity. But it only affects Hyper-V clients configured to use the Plan 9 file system, which is not exactly ubiquitous these days.
A critical flaw (CVE-2021-21300) was also found in Git for Visual Studio, Microsoft’s Integrated Development Environment (IDE). Redmond’s cross-platform sibling code editor, Visual Studio Code, meanwhile, had five flaws rated important that could allow RCE. Several have to do with extensions like ESLint and Java Extension Pack.
Everyone else piles in too
SAP, however, managed not just one but two bugs that scored 10 out of 10 on their CVSS, also released today. The enterprise biz grants them the designation “Hot News,” alongside two other bugs rated 9.9 and 9.6. The Hot News notes #2890213 and #2622660, for SAP Solution Manager (User Experience Monitoring) v7.2 and SAP Business Client v6.5 respectively, both amend previously issued patches from March 2020 and April 2018.
However, according to Onapsis security researcher Thomas Fritsch, these aren’t as bad as they sound. “HotNews note #2890213 titled, ‘Missing Authentication Check in SAP Solution Manager’ only contains a minor textual update to the possible symptoms of the vulnerability,” said Fritsch in a blog post.
And #2622660, he said, is a fix applied to update SAP Business Client ‘s Chromium version to 88.0.4324.150, which addresses 67 browser flaws, including two critical ones.
The Creative Cloud Desktop App note describes three critical arbitrary code execution bugs that only affect Windows versions of the app. It cites three CVEs: CVE-2021-21068, CVE-2021-21078, CVE-2021-21069.
The Framemaker flaw, also Windows only, enables arbitrary code execution. The single CVE, CVE-2021-21056, is considered critical.
About this point, you might have been expected to see something about Adobe Flash. But no, that’s all done. Flash support ended at the end of 2020.
Delayed, overbudget and broken. Of course Microsoft’s finest would be found in NASA’s Orion
Apple jumped the Patch Tuesday gun and on Monday issued iOS 14.4.1 and iPadOS 14.4.1, watchOS 7.3.2, macOS Big Sur 11.2.3, and, for macOS Catalina and macOS Mojave, Safari 14.0.3 (v. 14610.4.3.1.7 and 15610.4.3.1.7). The various updates all address a single bug in the company’s WebKit browser engine. Reported by Google and Microsoft researchers working together, CVE-2021-1844 covers a memory corruption issue that could allow arbitrary code execution.
IBM also opted for a Monday patch dump of eight bulletins, which include six identified CVEs. Three of the updates are high severity and the other five are medium. The most serious appears to be a bulletin detailing multiple security vulnerabilities (CVE-2020-4687, CVE-2020-4760, CVE-2020-4704) in the IBM Content Navigator component of IBM Business Automation Workflow.
And at the beginning of the month, Google dropped 38 CVEs for Android, 16 related to the Android runtime (one critical) and 22 are associated with closed-source Qualcomm components (five critical). ®