Microsoft Patch Tuesday has arrived – this time around, the patches address 110 security vulnerabilities in Microsoft Windows and other related products, the most crucial of which is the fix for Microsoft Exchange Server.
Over the past month, Exchange Server, Microsoft's email software, has been on the receiving end of several attacks.
In total, 19 out of 110 vulnerabilities have earned the ‘critical’ rating, the highest one in terms of severity – exploiting a vulnerability of this kind would give the attacker complete control over the targeted system without any help on the user’s end.
Microsoft has also released updates to fix the vulnerabilities in Exchange Server versions 2013 to 2019, and they have been dubbed as follows:
These were discovered thanks to the reporting efforts of the US National Security Agency.
According to Satnam Narang, staff research engineer at Tenable, two out of the four vulnerabilities can be exploited without prior authentication.
Therefore, applying these patches should be at the top of every organisation’s priority list.
CVE-2021-28310, which has been patched, is a Windows vulnerability that allows an attacker to elevate their privileges on the system they are targeting – it is already seeing exploitation in the wild.
Dustin Childs of Trend Micro warns that bugs of this nature tend to be combined with other bugs (for instance, a PDF exploit) for the purposes of taking over a system.
On top of that, Kaspersky Lab researchers noted that CVE-2021-28310 has the capacity to escape the sandbox protections of the browser.
As for the rest of the patches released this month, there are several fixes for Microsoft Office products that address remote code execution flaws, four of which have received the rating of ‘important’.
Also worth mentioning are patches for:
- Visual Studio
- Azure DevOps Server
- SharePoint Server
- Team Foundation Server
- Adobe products