Microsoft has released the March 2021 Security updates that includes patches for 89 vulnerabilities, 14 of those rated Critical. The fixes follow just after the tech giant released emergency patched for Exchange flaws being exploited in the wild.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products:
- Application Virtualization
- Azure
- Azure DevOps
- Azure Sphere
- Internet Explorer
- Microsoft ActiveX
- Microsoft Exchange Server
- Microsoft Edge (Chromium-based)
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Excel
- Microsoft Office PowerPoint
- Microsoft Office SharePoint
- Microsoft Office Visio
- Microsoft Windows Codecs Library
- Power BI
- Role: DNS Server
- Role: Hyper-V
- Visual Studio
- Visual Studio Code
- Windows Admin Center
- Windows Container Execution Agent
- Windows DirectX
- Windows Error Reporting
- Windows Event Tracing
- Windows Extensible Firmware Interface
- Windows Folder Redirection
- Windows Installer
- Windows Media
- Windows Overlay Filter
- Windows Print Spooler Components
- Windows Projected File System Filter Driver
- Windows Registry
- Windows Remote Access API
- Windows Storage Spaces Controller
- Windows Update Assistant
- Windows Update Stack
- Windows UPnP Device Host
- Windows User Profile Service
- Windows WalletService
- Windows Win32K.
Readers can review the March 2021 Security Updates Release Notes and also download more vulnerability and patch details via Microsoft’s Security Update Guide.
Critical RCE bugs
Microsoft addressed 14 Critical remote code execution (RCE) vulnerabilities in this month’s updates. The patches cover Azure, Browser, Developer Tools, Exchange Server, Windows, and Extended Security Updates (ESU) for end of life software.
One of the patches addressed an Internet Explorer memory corruption vulnerability CVE-2021-26411. Microsoft confirmed that “exploitation has been detected.”
Another patch fixed a Windows DNS Server RCE vulnerability CVE-2021-26897. Microsoft wrote “exploitation is more likely.”
As previously mentioned, Microsoft previously released emergency out-of-band security updates to fix multiple Critical vulnerabilities impacting Microsoft Exchange Server 2013, 2016 and 2019. The Exchange CVEs include: CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065.
Microsoft strongly urged customers to patch Exchange Servers as soon as possible given “active exploitation of these vulnerabilities has been detected” in the wild.
Moreover, Microsoft also addressed these additional RCE vulnerabilities (along with product families impacted):
- Azure Sphere Unsigned Code Execution: CVE-2021-27074 and CVE-2021-27080
- Git for Visual Studio: CVE-2021-21300:
- HEVC Video Extensions: CVE-2021-24089, CVE-2021-26902 and CVE-2021-27061
- OpenType Font Parsing: CVE-2021-26876
- Windows Hyper-V: CVE-2021-26867
Other security updates
In addition to the Critical RCEs, Microsoft also patched 75 other important vulnerabilities across multiple products to include Azure, Browser, Developer Tools, Exchange Server, Microsoft Office, Microsoft Dynamics, SQL Server and Windows.
Adobe patches
Finally, Adobe issued patches to fix multiple vulnerabilities in FrameMaker, Creative Cloud Desktop and Adobe Connect.
According to Adobe, there were no reports of exploits in the wild targeting these Adobe products at the time of publication.