Microsoft fixes 110 vulnerabilities, with 19 classified as ‘critical’ & another flaw under active attack.
Microsoft was busy on Tuesday dealing with 5 zero-day vulnerabilities, a flaw under active attack & a fresh round of patches for its problem-ridden Microsoft Exchange Server software.
Microsoft released patches for a total of 110 security issues, 19 classified critical in severity & 88 considered important. The most severe of the disclosed flaws is probably a Win32k elevation of privilege vulnerability (CVE-2021-28310) that is being actively exploited in the wild by the cyber-criminal group BITTER APT.
“We believe this exploit is used in the wild, potentially by several threat players. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,” wrote Kaspersky in a Tuesday report detailing its findings.
The bug is an out-of-bounds write vulnerability in the Windows dwmcore.dll library, which is part of the Desktop Window Manager (dwm.exe).
“Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using Direct Composition API,” wrote Kaspersky researchers Boris Larin, Costin Raiu & Brian Bartholomew, co-authors of the report.
The US National Security Agency released information on 4 critical Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) affecting Exchange Server versions 2013 through 2019.
“These vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. 2 of the 4 vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw.
With the intense interest in Exchange Server since last month, it is crucial that organisations apply these Exchange Server patches immediately,” wrote Satnam Narang, staff research engineer with Tenable.
Microsoft notes that 2 of the 4 Exchange bugs reported by the NSA were also found internally by its own research team.
Bugs, Lots of Bugs
Flaws fixed by Microsoft also included patches for its Chromium-based Edge web browser, Azure & Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server & Visual Studio.
“April’s Patch Tuesday yields are the highest monthly total for 2021 so far & show a return to the 100-plus totals we consistently saw in 2020. This month’s haul includes 19 critical vulnerabilities & a high-severity zero-day that is actively being exploited in the wild,” wrote Justin Knapp, Senior Product Marketing Manager with Automox, in a prepared analysis.
Overall Upward Trend
“We’re also seeing multiple browser related vulnerabilities this month that should be addressed immediately,” Knapp wrote.
“This represents an overall upward trend that’s expected to continue throughout the year & draw greater urgency around patching velocity to ensure organisations are not taking on unnecessary exposure, especially given the increased exploitation of known, dated vulnerabilities.”
Knapp also pointed out that patching best practices are vitally important to companies challenged by a workforce that is still largely remote & forced to social distance because of the COVID-19 pandemic.
“With the dramatic shift to remote work in 2020 now becoming a permanent fixture in 2021, it’s also worth noting the significance of employing measures that can immediately push newly released security updates across a more decentralised, diverse set of assets & environments,” he commented.
Troublesome, given how widely Microsoft Office is deployed, are 4 remote code execution vulnerabilities patched this month within the productivity suite. Affected are Microsoft Word (CVE-2021-28453) & Excel (CVE-2021-28454, CVE-2021-28451), with a 4th bug (CVE-2021-28449) listed only as affecting Microsoft Office. The updates are rated ‘important’ & according to Microsoft, impact all versions of Office including Office 365.
Jay Goodman, Manager of Product Marketing at Automox, notes in prepared Patch Tuesday commentary that Microsoft’s round of patches includes a number of flaws identified as remote procedure call (RPC) runtime remote code execution bugs.
“RPC is a protocol used to request a service from a program that is located on another computer or device on the same network. The vulnerabilities allow for remote code execution on the target system,” Goodman wrote.
“The vulnerability may be exploited by sending a specially crafted RPC request. Depending on the user privileges, an attacker could install programs, change or delete data, or create additional user accounts with full user rights.”
Microsoft marks the vulnerability as “exploitation less likely”; however, Goodman concluded, it is highly recommended to patch & remediate any RCE vulnerabilities on systems quickly. “Leaving latent vulnerabilities with RCE exploits can easily lead to a faster-spreading attack.”