IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - February 2021 | Foundation IT

Written by Lizzie Arcari | Mar 12, 2021 12:05:34 PM

Microsoft has released its security updates for March 2021, which has fixes for 82 vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses.

Out of the 82 patches; 10 are classed as critical and 72 are classed as important. These do not include the 7 Microsoft Exchange and 33 Chromium Edge vulnerabilities released earlier this month. There were also 2 Zero-Days discovered this month, both fixed Monday:

  • CVE-2021-26411 - Internet Explorer Memory Corruption Vulnerability.
  • CVE-2021-27077 - Windows Win32k Elevation of Privilege Vulnerability. 

Microsoft's out-of-band security updates for the ProxyLogon vulnerability that's being used to compromise Microsoft Exchange Servers:

  • CVE-2021-26854 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26855 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26857 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-26858 - Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft also released fixes for 3 Microsoft Exchange vulnerabilities not exploited in attacks:

  • CVE-2021-26412 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27065 - Microsoft Exchange Server Remote Code Execution Vulnerability
  • CVE-2021-27078 - Microsoft Exchange Server Remote Code Execution Vulnerability

 

Other Products:

Other companies who have released security updates this week:

- Adobe: released security updates for Adobe Creative Cloud Desktop, FrameMaker and    Connect.

- Android: March security updates were released last week.

- Apple: released iOS, macOS, watchOS and Safari updates yesterday.

- Cisco: released security updates for numerous products.

- SAP: released it’s March 2021 security updates.

- VMWare: released security updates for the View Planner tool.

 

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

Category

CVE IDs

CVE Title

Severity

FIT Risk & Tip

Application Virtualisation 

1

CVE-2021-26890

Application Virtualization Remote Code Execution Vulnerability

Important

4/5 - Although important, often its worth nothing that anything marked as remote code execution, can be hazardous if left unpatched.

Azure

1

CVE-2021-27075

Azure Virtual Machine Information Disclosure Vulnerability

Important

4/5 - If you have multiple parts of your infrastructure within Azure, in this case virtual machines, I'd endeavour to get this one updated sooner rather than later.

Azure Sphere

2

CVE-2021-27074

CVE-2021-27080

Azure Sphere Unsigned Code Execution Vulnerability

Critical

4/5- Flagged as critical, I'd endeavour to get Azure Sphere updated as soon as possible.

Internet Explorer

1

CVE-2021-26411

Internet Explorer Memory Corruption Vulnerability

Critical

4/5- Internet Explorer isn't used so much these days, but its still embedded into a lot of operating systems. As this is flagged as critical, I'd get this one patched as soon as possible.

Internet Explorer

1

CVE-2021-27085

Internet Explorer Remote Code Execution Vulnerability

Important

4/5 - Internet Explorer isn't used so much these days, but its still embedded into a lot of operating systems. As this is flagged as critical, I'd get this one patched as soon as possible.

Microsoft ActiveX

1

CVE-2021-24109

Windows ActiveX Installer Service Information Disclosure Vulnerability

Important

3/5- ActiveX is used daily as part of your operating systems. I'd patch this when you have the ability to.

Microsoft Edge on Chromium

33

CVE-2021-21173 CVE-2021-21172 CVE-2021-21169 CVE-2021-21170 CVE-2021-21171 CVE-2021-21175 CVE-2021-21176 CVE-2021-21177 CVE-2021-21174 CVE-2021-21178 CVE-2021-21161 CVE-2021-21162 CVE-2021-21160 CVE-2021-27844 CVE-2021-21159 CVE-2021-21163 CVE-2021-21167 CVE-2021-21168 CVE-2021-21166 CVE-2021-21164 CVE-2021-21165 CVE-2021-21189 CVE-2021-21181 CVE-2021-21186 CVE-2021-21190 CVE-2021-21183 CVE-2021-21185 CVE-2021-21187 CVE-2021-21182 CVE-2021-21180 CVE-2021-21184 CVE-2021-21179 CVE-2021-21188

Downloadable Excel table expands on the CVE title's.

Unknown

4/5 - As this relates to something that end users will use on a daily basis, its potentially risky to leave vulnerabilities unpatched for web browsers, that's why I would encourage this to be updated as soon as viably possible.

Microsoft Exchange Server 

4

CVE-2021-26412 CVE-2021-27065 CVE-2021-26857 CVE-2021-26855

Microsoft Exchange Server Remote Code Execution Vulnerability

Critical

5/5 - Probably the most critical this month, There have been several discoveries with Microsoft Exchange which require remediation as soon as possible. I'd prioritise this and even encourage downtime if you are effected.

Microsoft Exchange Server

3

CVE-2021-27078
CVE-2021-26854 CVE-2021-26858

Microsoft Exchange Server Remote Code Execution Vulnerability

Important

5/5 - Probably the most critical this month, There have been several discoveries with Microsoft Exchange which require remediation as soon as possible. I'd prioritise this and even encourage downtime if you are effected.

Microsoft Graphics Component

1

CVE-2021-26876

OpenType Font Parsing Remote Code Execution Vulnerability

Critical 

4/5- Flagged as critical, I'd endeavour to patch this as soon as possible.

Microsoft Graphics Component

5

CVE-2021-26863
CVE-2021-27077
CVE-2021-26861
CVE-2021-26875 CVE-2021-26868

Windows Win32k Elevation of Privilege Vulnerability 

Windows Graphics Component Remote Code Execution Vulnerability

Windows Graphics Component Elevation of Privilege Vulnerability

Important

3/5 - Often this will be updated when parts of the operating system or office are updated. I'd patch this when get the opportunity, perhaps during your regular maintenance cycles.

Microsoft Office

3

CVE-2021-24108
CVE-2021-27058
CVE-2021-27059

Microsoft Office Remote Code Execution Vulnerability

Microsoft Office ClickToRun Remote Code Execution Vulnerability

 

Important

4/5 - As with anything end user related, if the end users utilises an application heavily, such as Office, I'd recommend getting it patch sooner rather than later. After all, it only takes one weak link to break a chain.

Microsoft Office Excel 

3

CVE-2021-27053 CVE-2021-27054 CVE-2021-27057

Microsoft Excel Remote Code Execution Vulnerability

Microsoft Office Remote Code Execution Vulnerability

Important

4/5 - As with anything end user related, if the end users utilises an application heavily, such as Office, I'd recommend getting it patch sooner rather than later. After all, it only takes one weak link to break a chain.

Microsoft PowerPoint

1

CVE-2021-27056

Microsoft PowerPoint Remote Code Execution Vulnerability

Important

4/5 - As with anything end user related, if the end users utilises an application heavily, such as Office, I'd recommend getting it patch sooner rather than later. After all, it only takes one weak link to break a chain.

Microsoft Office SharePoint

3

CVE-2021-27052 CVE-2021-24104 CVE-2021-27076

Microsoft SharePoint Server Information Disclosure Vulnerability

Microsoft SharePoint Spoofing Vulnerability

Microsoft SharePoint Server Remote Code Execution Vulnerability

Important

3/5 - Worth being aware that this relates to on-premise SharePoint and not Office 356's SharePoint Online.

Microsoft Office Visio

1

CVE-2021-27055

Microsoft Visio Security Feature Bypass Vulnerability

Important

4/5 - As with anything end user related, if the end users utilises an application heavily, such as Office, I'd recommend getting it patch sooner rather than later. After all, it only takes one weak link to break a chain.

Microsoft Windows Codecs Library 3

CVE-2021-24089
CVE-2021-27061 CVE-2021-26902

HEVC Video Extensions Remote Code Execution Vulnerability

Critical

4/5 - Flagged as critical, I'd endeavour to patch this as soon as possible.

Microsoft Windows Codecs Library

8

CVE-2021-27050
CVE-2021-27049 CVE-2021-26884 CVE-2021-27051 CVE-2021-27062 CVE-2021-24110 CVE-2021-27048 CVE-2021-27047

HEVC Video Extensions Remote Code Execution Vulnerability

Windows Media Photo Codec Information Disclosure Vulnerability

Important 

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Power BI

1

CVE-2021-26859

Microsoft Power BI Information Disclosure Vulnerability

Important

5/5 - Power BI is used to collate and report on your data, and if you use it I would make sure you keep it updated. If your data is compromised from Power BI you could disclose vital company information.

Role: DNS Server

1

CVE-2021-26897

Windows DNS Server Remote Code Execution Vulnerability

Critical

5/5 - Most Windows Domain networks will have a DNS Server on them, I'd get this patched when you can.

Role: DNS Server

6

CVE-2021-27063 CVE-2021-26893 CVE-2021-26894 CVE-2021-26895 CVE-2021-26896 CVE-2021-26877

Windows DNS Server Denial of Service Vulnerability

Windows DNS Server Remote Code Execution Vulnerability

 

Important

4/5 - Most Windows Domain networks will have a DNS Server on them, I'd get this patched when you can.

Role: Hyper-V

1

CVE-2021-26867

Windows Hyper-V Remote Code Execution Vulnerability

Critical

5/5 - Flagged as critical, I'd endeavour to patch this as soon as possible.

Role: Hyper-V

1

CVE-2021-26879

Windows NAT Denial of Service Vulnerability

Important

4/5 - As this is Hyper-V and virtualisation is often used for large scale infrastructure, I'd recommend getting this patched as soon as possible.

Visual Studio

1

CVE-2021-21300

Git for Visual Studio Remote Code Execution Vulnerability

Critical

4/5 - Flagged as critical, I'd endeavour to patch this as soon as possible.

Visual Studio

1

CVE-2021-27084

Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability

Important

4/5- Important if you utilise Visual Studio, I'd get this updated when you can.

Visual Studio Code

4

CVE-2021-27060 CVE-2021-27081 CVE-2021-27083 CVE-2021-27082

Visual Studio Code Remote Code Execution Vulnerability

Visual Studio Code ESLint Extension Remote Code Execution Vulnerability

Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability

Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability

Important

4/5 - Important if you utilise Visual Studio, I'd get this updated when you can.

Windows Admin Center

1

CVE-2021-27066

Windows Admin Center Security Feature Bypass Vulnerability

Important

2/5 - I only recently discovered Windows Admin Center, and it’s a brilliant tool and can make mass management much easier. If you use it, you should patch it. If you don't use it, I'd research more into it.

Windows Container Execution Agent 

2

CVE-2021-26891
CVE-2021-26865

Windows Container Execution Agent Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows DirectX

1

CVE-2021-24095

DirectX Elevation of Privilege Vulnerability

Important

4/5- This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Error Reporting

1

CVE-2021-24090

Windows Error Reporting Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Event Tracing

4

CVE-2021-24107 CVE-2021-26872 CVE-2021-26901 CVE-2021-26898

Windows Event Tracing Information Disclosure Vulnerability

Windows Event Tracing Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Extensible Firmware Interface

1

CVE-2021-26892

Windows Extensible Firmware Interface Security Feature Bypass Vulnerability

Important

4/5- This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Folder Redirection

1

CVE-2021-26887

Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Installer

1

CVE-2021-26862

Windows Installer Elevation of Privilege Vulnerability

Important

4/5- This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Media

1

CVE-2021-26881

Microsoft Windows Media Foundation Remote Code Execution Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Overlay Filter

2

CVE-2021-26874 CVE-2021-26860

Windows Overlay Filter Elevation of Privilege Vulnerability

Windows App-V Overlay Filter Elevation of Privilege Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Print Spooler Components

2

CVE-2021-1640 CVE-2021-26878

Windows Print Spooler Elevation of Privilege Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Projected File System Filter Driver

1

CVE-2021-26870

Windows Projected File System Elevation of Privilege Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Registry

1

CVE-2021-26864

Windows Virtual Registry Provider Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets. Windows Registry is often regarded as the keys to the castle.

Windows Remote Access API

1

CVE-2021-26882

Remote Access API Elevation of Privilege Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Storage Spaces Controller

1

CVE-2021-26880

Storage Spaces Controller Elevation of Privilege Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Update Assistant

1

CVE-2021-27070

Windows 10 Update Assistant Elevation of Privilege Vulnerability

Important

3/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Update Stack

3

CVE-2021-1729 CVE-2021-26889 CVE-2021-26866

Windows Update Stack Setup Elevation of Privilege Vulnerability

Windows Update Stack Elevation of Privilege Vulnerability

Important

2/5 - Servicing Stacks are always released throughout the year and naturally will be applied during routine patching. Your previous Windows Update Servicing Stack will operate fine, and applying these do not require reboots.

Windows UPnP Device Host

1

CVE-2021-26899

Windows UPnP Device Host Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows User Profile Service

2

CVE-2021-26873 CVE-2021-26886

Windows User Profile Service Elevation of Privilege Vulnerability

User Profile Service Denial of Service Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows WalletService

2

CVE-2021-26871 CVE-2021-26885

Windows WalletService Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.

Windows Win32K

1

CVE-2021-26900

Windows Win32k Elevation of Privilege Vulnerability

Important

4/5 - This is part of the underlying operating system, so it will be updated as part of your routine maintenance cycle and the latest patch sets.