Microsoft has released the April 2021 Security updates, which include patches for 114 vulnerabilities, 19 of them rated Critical. The updates also include fixes for multiple Microsoft Exchange Server flaws that have a higher likelihood of being exploited.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products:
- Azure AD Web Sign-in
- Azure DevOps
- Azure Sphere
- Microsoft Edge (Chromium-based)
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Internet Messaging API
- Microsoft NTFS
- Microsoft Office Excel
- Microsoft Office Outlook
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Windows Codecs Library
- Microsoft Windows Speech
- Open Source Software
- Role: DNS Server
- Role: Hyper-V
- Visual Studio
- Visual Studio Code
- Visual Studio Code – GitHub Pull Requests and Issues Extension
- Visual Studio Code – Kubernetes Tools
- Visual Studio Code – Maven for Java Extension
- Windows Application Compatibility Cache
- Windows AppX Deployment Extensions
- Windows Console Driver
- Windows Diagnostic Hub
- Windows Early Launch Antimalware Driver
- Windows ELAM
- Windows Event Tracing
- Windows Installer
- Windows Kernel
- Windows Media Player
- Windows Network File System
- Windows Overlay Filter
- Windows Portmapping
- Windows Registry
- Windows Remote Procedure Call Runtime
- Windows Resource Manager
- Windows Secure Kernel Mode
- Windows Services and Controller App
- Windows SMB Server
- Windows TCP/IP
- Windows Win32K
- Windows WLAN Auto Config Service
Critical RCE bugs
Microsoft addressed 19 Critical remote code execution (RCE) vulnerabilities in this month’s updates. The patches cover Azure, Exchange Server, Windows, and Extended Security Updates (ESU) for end-of-life software.
Four of the Critical RCE patches address Exchange Server vulnerabilities where “exploitation is more likely”:
Microsoft also credited the National Security Agency (NSA) with finding two of these Exchange flaws, CVE-2021-28480 and CVE-2021-28481. Both of them carry a CVSS score of 9.8.
Moreover, the Cybersecurity and Infrastructure Security Agency (CISA) issued an Emergency Directive (ED) 21-02 with additional mitigation guidance.
“CISA has determined that these vulnerabilities pose an unacceptable risk to the Federal enterprise and require an immediate and emergency action. This determination is based on the likelihood of the vulnerabilities being weaponized, combined with the widespread use of the affected software across the Executive Branch and high potential for a compromise of integrity and confidentiality of agency information,” CISA warned in the advisory.
Microsoft also patched an Azure Sphere Unsigned Code Execution vulnerability CVE-2021-28460.
Microsoft noted the remaining RCE patches address Critical vulnerabilities that are “less likely” to be exploited and address multiple Windows issues, such as Windows Media Video Decoder (2) and Remote Procedure Call Runtime (12) bugs.
Other security updates
In addition to the Critical RCEs, Microsoft also patched 95 other Important or Moderate rated vulnerabilities across multiple products. The tech giant addressed various types of vulnerabilities, including Denial of Service, Elevation of Privilege, Information Disclosure, RCE, Security Feature Bypass and Spoofing.