It’s the third second Tuesday of the year, which means we get the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for March 2021

For March, Adobe released three patches covering eight CVEs in Adobe Connect, Creative Cloud Desktop, and Framemaker. Two of these CVEs came through the ZDI program. The update for Framemaker fixes a single Out-of-Bounds (OOB) read vulnerability that could lead to remote code execution. The update for Creative Cloud addresses three different Critical-rated CVEs. Two of these bugs could lead to code execution while the third could allow a privilege escalation. The final Adobe patch for March covers one Critical and three Important-rated vulnerabilities in Adobe Connect. The Critical-rated bug could lead to arbitrary code execution while the other bugs addressed are all reflective cross-site scripting (XSS) bugs). None of the issues addressed by Adobe are listed as publicly known or under active attack at the time of release.

Updated March 10:

After the initial release, Adobe also shipped patches for PhotoShop and Animate to address nine additional CVEs. The Animate patch fixes two Critical and five Important-rated bugs. The Critical bugs are buffer overflows that could allow code execution while the Important-rated bugs could allow information disclosure. The patch for PhotoShop addresses two Critical rated bugs that could allow code execution. None of the issues are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2021

Microsoft started the March patch cycle early by shipping an emergency patch for Exchange last week covering seven unique CVEs. Four of these bugs are listed as under active attack, which is why the patch was released outside the normal, patch Tuesday cycle. There has already been a mountain of information published about these vulnerabilities, so I won’t cover the bugs in more detail here. However, if you run Exchange on-premise, you need to follow the published guidance and apply the patches as soon as possible. Microsoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.

For all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. These 89 CVEs include the seven Exchange CVEs released last week. A total of 15 of these bugs came through the ZDI program. Of these 89 bugs, 14 are listed as Critical and 75 are listed as Important in severity. According to Microsoft, two of these bugs are listed as publicly known while five are listed as under active attack at the time of release.

Please note these CVE counts do not include the CVEs patched in the recent update to the Chromium version of the Edge browser. Last week, Version 89 of this browser was released.

 Let’s take a closer look at some of the more interesting updates for this month, starting with the other bug listed as being under active attack:

 -       CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based) that could allow an attacker to run their code on affected systems if they view a specially crafted HTML file. Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.

 -        CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability
This is the second straight month with a DNS server RCE vulnerability, and this month’s bug has company. A total of 5 bugs are listed as DNS Server Remote Code Execution Vulnerabilities, but this CVE is the only one listed as Critical. All note that Secure Zone Updates lessen the likelihood of successful exploitation but are not a full mitigation. This implies dynamic updates may be involved in the exploitation of these bugs. All five of these bugs are listed as a CVSS 9.8, and there is the outside chance this could be wormable between DNS servers. Definitely prioritize the testing and deployment of these updates.

 -       CVE-2021-26867 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow an authenticated attacker to execute code on the underlying Hyper-V server. While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system. Microsoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.

 -       CVE-2021-27076 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a code execution bug originally submitted through the ZDI program. For an attack to succeed, the attacker must be able to create or modify Sites with the SharePoint server. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions. This is similar to some other SharePoint bugs we have blogged about in the past, and we’ll have additional details about this vulnerability on our blog in the near future.

Here’s the full list of CVEs released by Microsoft for March 2021.

Moving on to the remaining Critical-rated patches, two affect Azure Sphere, but you likely won’t need to take any action. Devices running Azure Sphere are connected to the Internet receive automatic updates. If your devices are isolated, you should make sure these updates are applied. There are four patches to correct bugs in the HEVC Video Extensions, and these updates are available from the Windows Store. There’s a patch for a bug in OpenType Fonts that could be exploited by viewing a specially crafted font. Finally, there’s an intriguing update for Git for Visual Studio that fixes a bug that requires no privileges but some level of user interaction. The attack complexity is also listed as low, so we may hear more about this vulnerability in the future.

Shifting to the Important-rated patches, there are still a bunch of code execution bugs to look at. In fact, 45 of the 90 bugs patched this month are listed as some form of remote code execution. Many of the affected components have matching Important updates to go with their Critical counterparts. These include Exchange, DNS Server, HVEC Video Extensions, and IE. This month’s release included five RCE bugs impacting Visual Studio. Most are straightforward, however, the update for the Quantum Development Kit for Visual Studio must be manually downloaded. This can be done through the extensions page within Visual Studio. There are also the expected updates for Office and Office components. Similar to last month, users of Microsoft Office 2019 for Mac will need to wait for their update to be made available.

Looking at the 30 Elevation of Privilege (EoP) bugs addressed in this month’s release, most require an attacker to log on to an affected system and run specially crafted code to escalate privileges. Almost all of these patches impact the Windows kernel and various Windows components. One bug to note had previously been disclosed by ZDI as Microsoft stated it did not meet their bar for servicing. At some point after we published our advisory, Microsoft changed course and produced a patch to address this issue. We’re glad they changed their mind.

This month’s release includes patches for six information disclosure bugs. Usually, these types of cases only lead to leaks consisting of unspecified memory contents. That’s true for three of these bugs, but the others leak some significant info. The vulnerability in Azure Virtual Machine could allow a low-privileged user to gain virtual machine credentials as well as credentials to extensions associated with the virtual machine. Speaking of credentials, the bug in Microsoft Power BI could expose NTLM hashes, which could then be brute-forced to reveal plaintext passwords. Finally, according to the Microsoft write-up, the info leak in SharePoint Server could allow an attacker access to an “organizational's email, sites, filename, url of file...” There’s nothing more than this generic description listed, but assume valuable information could be exposed by an attacker.

Three components receive patches to fix security feature bypasses (SFB) this month. The bypasses for Windows Extensible Firmware Interface and the Windows Admin Center receive patches but no documentation. The SFB for Visio does get some additional information, but the attack scenario seems far from common. Systems would be affected only with a specific Group Policy Object. An attacker would still need to modify a macro-enabled template that ships with Excel. If those two conditions occur and the user runs a malicious file on a system affected by that Group Policy, some form of bypass can occur. Based on the write-up, it doesn’t read like imminent danger, but still probably best to roll out the patch.

This month’s release is rounded out by four denial-of-service (DoS) bugs and a spoofing vulnerability. The spoofing bug occurs in the SharePoint server, but no further information is provided. Two of the DoS bugs impact the DNS Server service, and they have the same caveats as the previously mentioned code execution bugs. There’s also a DoS in the NAT Server service. For these bugs, it’s not clear if the service can just be restarted or if a full system reboot is required. The final DoS was reported through the ZDI program, but it doesn’t impact a service. Instead, it notes a bug in the User Profile Service. By creating a junction, an attacker can abuse the service to overwrite the contents of a chosen file, thus creating a DoS condition.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on April 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!