Microsoft’s March Patch Tuesday security updates address 89 vulnerabilities in its products, including Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge, Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V.
The list of CVEs covered by the security updates includes seven vulnerabilities in Microsoft Exchange recently addressed by Microsoft with the release of out-of-band fixes. 14 of the vulnerabilities fixed with the release of Microsoft’s March Patch Tuesday are listed as Critical and 75 are listed as Important in severity. Two of these vulnerabilities are publicly known and five were actively exploited in attacks in the wild at the time of release.
One of the most severe flaws addressed with the release of Microsoft’s March Patch Tuesday is an Internet Explorer memory corruption bug tracked as CVE-2021-26411. The flaw could allow attackers to run arbitrary code on affected systems, at the level of the logged-on user, by tricking victims into viewing a specially crafted HTML file.
“CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer and Edge that could allow an attacker to run their code on affected systems if they view a specially crafted HTML file.”.
“Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.”
The vulnerability received a CVSS score of 8.8.
Another critical issue addressed by Microsoft, tracked as CVE-2021-26897, is a Windows DNS Server Remote Code Execution vulnerability. The vulnerability received a CVSS score of 9.8.
Other critical issues fixed by Microsoft are CVE-2021-27074 and CVE-2021-27080, unsigned code execution bugs in Azure Sphere, and CVE-2021-27076 Server Remote Code Execution vulnerability in Microsoft SharePoint.