Hear what Automox Patch Tuesday experts have to say about this month’s Patch Tuesday releases. You can view a full list of the latest patches and updates from Microsoft and other third-party applications in our Patch Tuesday Index.
March 2021 Overview
Eric Feldman — General Overview
Microsoft addresses 89 new vulnerabilities this month, representing a 60% increase from February. Of this total, 14 are rated as “critical” with 5 that are being actively exploited in the wild, 4 of which are specific to Microsoft Exchange Server. The critical security updates for Microsoft Exchange Server were released out-of-band last week due to the urgent nature of the vulnerabilities. Microsoft attributed the weaponization of these vulnerabilities to a Chinese state-sponsored hacking group known as “Hafnium.”
In addition, these Microsoft Exchange vulnerabilities were important enough for the “CISA,” the US Cybersecurity and Infrastructure Security Agency, to issue an emergency directive following the release of fixes for these zero-day vulnerabilities in Microsoft Exchange. The directive “Mitigate Microsoft Exchange On-Premises Product Vulnerabilities," was issued on March 3. Automox recommended in an alert published last week that organizations prioritize the installation of updates on Microsoft Exchange Servers that are externally facing.
Nick Colyer - Adobe Updates
In the midst of more severe vulnerabilities, Adobe had a modest release of five security updates addressing a handful of vulnerabilities, nine of which are critical affecting Creative Cloud Desktop Application (APSB21-18), Adobe Connect(APSB21-19), Adobe Framemaker (APSB21-14), Adobe Animate (APSB21-21), and Adobe Photoshop (APSB21-17). Administrators contending with more serious fallout of recent nation-state attacks might consider prioritizing APSB21-18 affecting Creative Cloud Desktop Application as it is the more common element for Adobe customers used in launching applications, updates, and managing assets. In contrast, Adobe has given their own priority rating of “3” for all three security updates, which is the lowest of their scale. Given the gravity of recent events, proaction in patching these types of vulnerabilities becomes even more critical in not only reducing the attack surface available, but also to help mitigate less skilled attackers who might be looking to seize on the opportunity of preoccupied administrators in turbulent circumstances.
Eric Feldman - CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability
CVE-2021-26867 is a critical vulnerability impacting Microsoft Windows Hyper-V, a native hypervisor that can create and run virtual machines on x86-64 systems running Windows. An attacker exploiting this vulnerability can run malicious binaries on Hyper-V virtual machines or execute arbitrary code on the host system itself. Automox recommends taking action in prioritizing patching for CVE-2021-26867 as soon as possible on all Hyper-V systems. It is noteworthy that only systems with Hyper-V enabled are affected by this critical vulnerability.
Eric Feldman - CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability
CVE-2021-26876 is a critical remote code execution vulnerability that affects the OpenType Font Parsing engine on all supported versions of Microsoft Windows operating systems. OpenType® is a cross-platform font file format that was developed jointly by Adobe and Microsoft. Supporting thousands of fonts that work on both Macintosh and Windows platforms, OpenType Fonts are used by default on all current Windows releases..Successful exploitation of this vulnerability requires a Windows user open a maliciously crafted document directly or in a Windows preview pane for an unauthenticated remote attacker to execute arbitrary code with kernel privileges.
Jay Goodman - CVE-2021-21300 - Git for Visual Studio Remote Code Execution Vulnerability
CVE-2021-21300 is a critical vulnerability disclosed in Git for Visual Studio. The vulnerability is a remote code execution vulnerability affecting an unknown function of the Git component. An attacker exploiting this vulnerability could take control of a system where they would be free to install programs, view or change data, or create new accounts on the target system with full user rights. IT and security teams can mitigate this vulnerability somewhat by properly configuring user accounts to have fewer user rights on systems to limit the impact of newly created accounts. The vulnerability is less likely to be exploited, according to Microsoft. However, the attack complexity is low and patching critical vulnerabilities is an important first step to maintaining a safe and secure infrastructure.
Jay Goodman - CVE-2021-26411- Internet Explorer Memory Corruption Vulnerability
CVE-2021-26411 is a memory corruption vulnerability found in Internet Explorer 11, 9, and Edge browsers. This vulnerability is critical and has been disclosed as exploited in the wild. An attack can target the vulnerability with a malicious website designed to exploit the vulnerability through Internet Explorer. Users who view the malicious website could allow attackers to execute code on the system. Although Edge and IE 11/9 are not the most common browsers in use today by market share, they would be present on nearly 75% of laptops and desktops today. Combined with the fact that this vulnerability is a low complexity vulnerability to execute, it is critically important that IT teams quickly and efficiently patch this vulnerability. Latent vulnerabilities left unpatched are one of the leading contributors to attackers being able to gain access and move laterally within a network.
Chris Hass - CVE-2021-26855/26857/26858/27065 - Exchange Server Remote Code Execution Vulnerability
On Tuesday, March 2nd, Microsoft released an out-of-band patch for a number of critical vulnerabilities found in Microsoft Exchange Server, due to a highly sophisticated state-sponsored Chinese threat attacker, known as Hafnium, actively exploiting these in the wild. While the number of compromises are still speculated at this point, it is estimated that over 30,000 organizations in the US have likely been compromised as a result of these vulnerabilities. These critical vulnerabilities impact only on-premise Exchange Server 2013, Exchange Server 2016, and Exchange Server 2019. It's important to note that Exchange online servers were not affected by these vulnerabilities. Patching these vulnerabilities as soon as possible is of utmost importance. If patching at this time is not feasible for your organization, Microsoft has provided interim mitigation guidance, as well as a repository of scripts to aid security teams in identifying if the threat actor may have compromised their systems. Microsoft has also provided updates to now unsupported versions of Exchange, something we have not seen since 2019, due to a Critical flaw in RDP, and again in 2017 in response to WannaCry.
Justin Knapp - CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability
CVE-2021-26897 is a critical remote code execution vulnerability discovered in Windows Domain Name System (DNS) servers when they fail to properly handle requests. Successful exploitation of the vulnerability could allow an attacker to run arbitrary code in the context of the Local System Account. Only Windows servers configured as DNS servers are at risk of having this vulnerability exploited. To exploit the vulnerability, an unauthenticated attacker could send malicious requests to the Windows DNS server. Given the low level of attack complexity and higher probability of exploitation, this is a vulnerability that should be prioritized and addressed immediately.
Justin Knapp - CVE-2021-24089/26902/27061 HEVC Video Extensions Remote Code Execution Vulnerability
CVE-2021-24089, 26902, and 27061 are all critical vulnerabilities identified in HEVC Video Extensions. HEVC is an advanced video compression standard used for video storage and playback on Windows 10 systems. This vulnerability can lead to remote code execution (RCE), which can be highly impactful and dangerous given that it can provide attackers the opportunity to directly run malicious code on the exploited systems. RCE vulnerabilities were a consistent struggle for system administrators in 2020 given the increased quantity throughout the year and that trend seems to have carried over into 2021. Microsoft does not provide mitigation recommendations aside from patching. However, most affected customers will automatically be updated via the Microsoft Store and guidance is provided to check the package version to ensure it has the current update.
Nick Colyer - CVE-2021-27074 // 27080 - Critical Azure Sphere Remote Code Execution Vulnerabilities
CVE-2021-27074 & CVE-2021-27080 are both critically rated remote code execution vulnerabilities impacting the Microsoft Azure Sphere platform. In design, Azure Sphere connected devices should update daily, thus impact according to Microsoft is limited to Internet of Things (IoT) devices that have not connected to the internet since prior to the fix. It is unclear whether these vulnerabilities are related to recent Exchange Server attacks attributed to nation-state hacking group “Hafnium”, however the increase of supply chain threat activity does suggest a trend. The importance of patch velocity around emergent vulnerabilities will continue to be of critical importance across server, workstation, and IoT based infrastructure.
To see all the latest details and advice on this month’s Patch Tuesday, check out the Automox Patch Tuesday Rapid Response Center.
About Automox Automated Patch Management
Facing growing threats and a rapidly expanding attack surface, understaffed and alert-fatigued organizations need more efficient ways to eliminate their exposure to vulnerabilities. Automox is a modern cyber hygiene platform that closes the aperture of attack by more than 80% with just half the effort of traditional solutions.
Cloud-native and globally available, Automox enforces OS & third-party patch management, security configurations, and custom scripting across Windows, macOS, and Linux from a single intuitive console. IT and SecOps can quickly gain control and share visibility of on-prem, remote and virtual endpoints without the need to deploy costly infrastructure.
Experience modern, cloud-native patch management today with a 15-day free trial of Automox and start recapturing more than half the time you're currently spending on managing your attack surface. Automox dramatically reduces corporate risk while raising operational efficiency to deliver best-in-class security outcomes, faster and with fewer resources.