March 2021 Patch Tuesday saw Microsoft deliver patches for 82 vulnerabilities across its product range, including fixes for 10 critical flaws and 2 zero-day vulnerabilities for which exploits have been made public. The remaining 72 vulnerabilities are all rated important.
In addition to the patches released today, Microsoft has issued 7 patches to correct flaws in Microsoft Exchange since the February 2021 Patch Tuesday, four of which are being actively exploited, along with patches for 33 vulnerabilities affecting Chromium Edge.
The two zero-day vulnerabilities patched on Tuesday are a memory corruption vulnerability in Internet Explorer (CVE-2021-26411) and an elevation of privilege vulnerability in Windows Win32k. The IE vulnerability is being actively exploited in attacks on companies in South Korea by hackers linked with the North Korean regime, while the Windows Win32k vulnerability was publicly disclosed by the Trend Micro Zero Day Initiative after Microsoft said it would not be patching the flaw.
The critical flaws patched on March 9 are:
- Azure Sphere – CVE-2021-27074, CVE-2021-27080
- Internet Explorer – CVE-2021-26411
- Microsoft Graphics Component – CVE-2021-26876
- Microsoft Windows Codecs Library – CVE-2021-24089, CVE-2021-27061, CVE-2021-26902
- DNS Server – CVE-2021-26897
- Hyper-V – CVE-2021-26867
- Visual Studio – CVE-2021-21300
The four actively exploited flaws in Microsoft Exchange Server that were patched last week are: CVE-2021-26412, CVE-2021-27065, CVE-2021-26857, CVE-2021-27855. Prompt patching of these flaws is critical, as multiple threat actors are exploiting the flaws to steal data and ensure persistent access to Exchange servers. At least 30,000 companies are believed to have had these flaws exploited.
The other Exchange Server flaws that were patched, which are not currently being exploited, are CVE-2021-26412, CVE-2021-27065, and CVE-2021-27078.
Adobe Patches 5 Critical Flaws in Connect, Creative Cloud Desktop Application, and FrameMaker
Adobe also released patches to correct 8 vulnerabilities across three products, five of which are rated critical. None are believed to have been exploited so far.
One critical vulnerability (CVE-2021-21085) and three important vulnerabilities (CVE-2021-21079, CVE-2021-21080, CVE-2021-21081) have been corrected in Adobe Connect; three critical flaws (CVE-2021-21068, CVE-2021-21078, CVE-2021-21069) have been patched in Creative Cloud Desktop Application; and one critical flaw (CVE-2021-21056) has been corrected in Adobe FrameMaker.
All the critical flaws could lead to remote code execution; however, the patches have been given a priority rating of 3, meaning exploitation is not expected.