As part of March Patch Tuesday, Microsoft has fixed 82 vulnerabilities in its products, including 0-day in IE. 10 of these vulnerabilities were classified as critical and 72 as important.
It is necessary to note that this does not include 7 vulnerabilities in Microsoft Exchange and 33 more vulnerabilities in Chromium Edge that were addressed earlier this month. In addition, among the bugs fixed were two zero-day vulnerabilities, one of which was under attack.Let me remind you that earlier this month Microsoft provided unscheduled patches for vulnerabilities in the Exchange mail server code. The company warned that Chinese hackers from the Hafnium group were already exploiting these problems, and soon other hack groups joined the attacks.
- CVE-2021-26855 — SSRF vulnerability that allowed sending arbitrary HTTP requests and bypassing authentication.
- CVE-2021-26857 – Unified Messaging deserialization issue. Using this bug gave a hacker the ability to run code with SYSTEM privileges on the Exchange server. For the exploit to work properly, administrator rights or another vulnerability were required.
- CVE-2021-26858 – a vulnerability that allows writing arbitrary files (after authentication with Exchange).
- CVE-2021-27065 – Another arbitrary file writing vulnerability (also after authentication with Exchange).
Considering severity of the situation, in addition to the usual patches, Microsoft engineers prepared hotfixes for old and unsupported versions of Exchange, and also released a special PowerShell script designed to check Exchange servers for compromises and known indicators of compromise (web shells).
Along with fixes for zero-day bugs, experts prepared fixes for three vulnerabilities in Microsoft Exchange that were not used by hackers:
- CVE-2021-26412 – Microsoft Exchange issue related to remote code execution;
- CVE-2021-26854 – Microsoft Exchange issue related to remote code execution;
- CVE-2021-27078 – A Microsoft Exchange issue related to remote code execution.
Now, among the regular patches, fixes have been released for two other zero-day vulnerabilities, one of which was under attack. So, in January 2021, Google experts reported that the Lazarus hack group attacked information security researchers using compromised Visual Studio projects and previously unknown exploits for zero-day problems.
In February, Enki warned that attackers were using 0-day Internet Explorer in these attacks to install their own backdoors. As a result, this problem got the identifier CVE-2021-26411.
As it turned out, the bug was related to information corruption in memory, and now a patch has finally been released for it.
Another zero-day vulnerability that was fixed this week is CVE-2021-27077. It is related to privilege escalation in Windows Win32k. It was discovered and described by Trend Micro Zero Day Initiative experts back in January, and initially Microsoft had no plans to fix it.
Other companies have released updates to their products this week as well. Among them:
- Adobe: has released critical bug patches for Adobe Creative Cloud Desktop, Framemaker, and Connect.
- Android: March security updates were released last week.
- Apple: has released updates for iOS, macOS, watchOS and Safari.
- Cisco: has released patches for many products.
- SAP: Introduced the March set of updates.
- VMware: prepared a patch for the RCE bug as part of the View Planner.
