News

Microsoft's March Security Patch Tally Hits 89

• By Kurt Mackie
• 03/10/2021

Microsoft's March security update release delivered patches for 89 common vulnerabilities and exposures (CVEs), up 60 percent from last month.

That tally is from Eric Feldman, a senior product marketing manager at software security solutions company Automox, in a patch Tuesday "Overview" article.

The March patches contain 14 CVEs rated "Critical," with five under active exploit. Four of those Critical CVEs are related to Exchange Server, which is said to be under active attack by the "Hafnium" advanced persistent threat group.

Microsoft last week released "out-of-band" (outside the normal update Tuesday release schedule) fixes for those four zero-day Critical Exchange Server flaws. Those patches require organizations to have the latest Exchange Server cumulative updates installed to use them, but Microsoft this week announced downloadable patches that don't require the latest cumulative updates, which is available as a temporary fix.

Another exploited Critical vulnerability this month is a remote code execution (RCE) flaw (CVE-2021-26411) in Internet Explorer 9 and 11 browsers and the older Microsoft Edge (EdgeHTML) browser. These vulnerabilities were publicly known before today's patch release, which potentially increases risks for users. A successful exploit would gain user privileges for an attacker.

"Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges," explained Dustin Childs regarding these browser flaws, in Trend Micro's Zero Day Initiative blog post on the March security patches.

In a related support announcement, Microsoft noted that its Microsoft Edge "legacy" (EdgeHTML) browser for desktops has fallen out of support as of March 9, 2021. The browser no longer gets security patches from Microsoft. Moreover, it'll get removed and replaced with the Chromium-based Edge browser when April's security patches arrive (on April 13).

Other Critical Patches
Microsoft's revamped "Security Update Guide" doesn't use the Critical terminology used by most security researchers. Instead, it offers generic descriptions and Common Vulnerability Scoring System (CVSS) rankings from 1 to 10 in severity throughout its 5,755 pages. Microsoft switched to this less descriptive format back in November.

Security researchers nonetheless offered some descriptions. Other notable Critical flaws of the 14 this month included:

• A Critical Windows Hyper-V RCE vulnerability (CVE-2021-26867). "While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system," Childs noted.
• A Windows DNS RCE vulnerability (CVE-2021-26897) consisting of five flaws. It should be prioritized as "all five of these bugs are listed as a CVSS 9.8, and there is the outside chance this could be wormable between DNS servers," according to Childs.
• An OpenType font parsing RCE vulnerability (CVE-2021-26876) in all Windows systems, which could get triggered via "a maliciously crafted document directly or in a Windows preview pane," according to Feldman.

Other Critical vulnerabilities include HEVC Video Extensions RCE flaws (CVE-2021-24089, CVE-2021-26902 and CVE-2021-27061), a Git for Visual Studio vulnerability (CVE-2021-21300) and Azure Sphere unsigned code vulnerabilities (CVE-2021-27074 and CVE-2021-27080).

Azure Sphere is Microsoft's IoT chipset. The Azure Sphere issues just apply to devices that have been disconnected from the Internet for a while.

"In design, Azure Sphere connected devices should update daily, thus impact according to Microsoft is limited to Internet of Things (IoT) devices that have not connected to the internet since prior to the fix," explained Nick Colyer, a senior product marketing manager at Automox.

Other Patch Details
In addition to the 14 Critical patches, Microsoft issued 75 fixes that security researchers rated as "Important."

In general, most of the fixes in this month's patch bundle are addressing RCE issues. Childs tallied 45 of 90 vulnerabilities as being associated with RCE problems.  

The March bundle also include 30 fixes for elevation-of-privilege flaws, which mostly affect the Windows kernel and Windows components, Childs noted.

Just six of the vulnerabilities in this month's bundle were associated with information disclosure issues. There were also four denial-of-service bugs, according to Childs.