Critical Updates to Exchange, Explorer Mitigate Risks
Microsoft’s rerelease on Patch Tuesday of the seven patches for the widely exploited Exchange vulnerabilities has given security experts a chance to reiterate the urgent need to install these and other critical security updates.
“It’s imperative for organizations to ensure they’ve applied patches to address the Microsoft Exchange-related zero-days that were disclosed last week as part of an out-of-band advisory, which nation-state groups and other threat actors have exploited indiscriminately,” says Satnam Narang, staff research engineer at Tenable.
On March 2, Microsoft issued emergency software patches for four zero-day vulnerabilities in Exchange email server; those were rereleased on Tuesday. The company says a China-based group it calls Hafnium has exploited the unpatched flaws in an attempt to gain persistent access to email systems (see: Exchange Server Attacks Spread After Disclosure of Flaws).
Internet Explorer Patch
In addition to the Exchange patches, Microsoft also released a patch for an Internet Explorer zero-day vulnerability, CVE-2021-26411, which researchers at the Japanese research firm ENKI claim was used to attack security researchers. The Multi-State Information Sharing and Analysis Center issued a cybersecurity advisory telling companies to patch CVE-2021-26411 along with the zero-day flaw CVE-2021-27077, which could allow for privilege escalation if exploited.
Narang notes that ENKI intended to post proof-of-concept code for CVE-2021-26411 after the patches were released, potentially opening the door for attacks.
“As we’ve seen in the past, once proof-of-concept details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits,” Narang says. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”
If exploited, the CVE-2021-26411 Internet Explorer memory corruption vulnerability could enable an attacker to run malicious code on the affected system when a user visits a specially crafted HTML file.
“While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly,” Trend Micro’s Zero Day Initiative warns. “Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.”
Another Zero-Day Vulnerability
Although a proof of concept for exploiting CVE-2021-27077 has been made public, Microsoft says this flaw is not being exploited and exploitation is unlikely.
“This CVE describes a disclosed but not yet exploited vulnerability in Win32k that could allow for privilege escalation,” says Tyler Reguly, manager of security R&D at Tripwire. “This is a local vulnerability, meaning that an attacker must already have access to the system to exploit this issue.”
The patch for yet another zero-day vulnerability, CVE-2021-26701, was rereleased Tuesday to provide links to release notes, says Chris Goettl, senior director of product management and security at Ivanti.
“The vulnerability from February had been publicly disclosed and, if exploited, could allow remote code execution,” Goettl says. “The vulnerability has been rated as critical and affects Microsoft .Net 5.0, .Net Core 3.1 and 2.1 as well as Visual Studio 2019 and 2017 versions.”
In addition to the zero-day and Exchange vulnerabilities included in this month’s Patch Tuesday release, several other critical flaws received security updates, including:
- CVE-2021-27074: A remote code execution flaw in Azure Sphere;
- CVE-2021-26897: A remote code execution vulnerability in multiple Microsoft products, with the company believing exploitation is likely;
- CVE-2021-26876: A remote code execution vulnerability in multiple Microsoft products, with the company believing exploitation is less likely;
- CVE-2021-27061: A remote code execution flaw in Microsoft’s HEVC Video Extension that is less likely to be exploited, the company says.