The March 2021 Security Update Review

March 09, 2021 | Dustin Childs

It’s the third second Tuesday of the year, which means we get the latest security updates from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for March 2021

For March, Adobe released three patches covering eight CVEs in Adobe Connect, Creative Cloud Desktop, and FrameMaker. Two of these CVEs came through the ZDI program. The update for FrameMaker fixes a single Out-of-Bounds (OOB) read vulnerability that could lead to remote code execution. The update for Creative Cloud addresses three different Critical-rated CVEs. Two of these bugs could lead to code execution while the third could allow a privilege escalation. The final Adobe patch for March covers one Critical and three Important-rated vulnerabilities in Adobe Connect. The Critical-rated bug could lead to arbitrary code execution while the other bugs addressed are all reflective cross-site scripting (XSS) bugs. None of the issues addressed by Adobe are listed as publicly known or under active attack at the time of release.

Updated March 10:

After the initial release, Adobe also shipped patches for Photoshop and Animate to address nine additional CVEs. The Animate patch fixes two Critical and five Important-rated bugs. The Critical bugs are buffer overflows that could allow code execution while the Important-rated bugs could allow information disclosure. The patch for Photoshop addresses two Critical-rated bugs that could allow code execution. None of the issues are listed as publicly known or under active attack at the time of release.

Microsoft Patches for March 2021

Microsoft started the March patch cycle early by shipping an emergency patch for Exchange last week covering seven unique CVEs. Four of these bugs are listed as under active attack, which is why the patch was released outside the normal Patch Tuesday cycle. There has already been a mountain of information published about these vulnerabilities, so I won’t cover the bugs in more detail here. However, if you run Exchange on-premises, you need to follow the published guidance and apply the patches as soon as possible. Microsoft has even taken the extraordinary step of creating patches for out-of-support versions of Exchange. Ignore these updates at your own peril.

For all of March, Microsoft released patches for 89 unique CVEs covering Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V. These 89 CVEs include the seven Exchange CVEs released last week. A total of 15 of these bugs came through the ZDI program. Of these 89 bugs, 14 are listed as Critical and 75 are listed as Important in severity. According to Microsoft, two of these bugs are listed as publicly known while five are listed as under active attack at the time of release.

Please note these CVE counts do not include the CVEs patched in the recent update to the Chromium version of the Edge browser. Last week, Version 89 of this browser was released.

Let’s take a closer look at some of the more interesting updates for this month, starting with the other bug listed as being under active attack:

- CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based) that could allow an attacker to run their code on an affected system if a user views a specially crafted HTML file. Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.

- CVE-2021-26897 – Windows DNS Server Remote Code Execution Vulnerability
This is the second straight month with a DNS server RCE vulnerability, and this month’s bug has company. A total of 5 bugs are listed as DNS Server Remote Code Execution Vulnerabilities, but this CVE is the only one listed as Critical. All note that Secure Zone Updates lessen the likelihood of successful exploitation but are not a full mitigation. This implies dynamic updates may be involved in the exploitation of these bugs. All five of these bugs are listed as a CVSS 9.8, and there is the outside chance this could be wormable between DNS servers. Definitely prioritize the testing and deployment of these updates.

- CVE-2021-26867 – Windows Hyper-V Remote Code Execution Vulnerability
This bug could allow an authenticated attacker to execute code on the underlying Hyper-V server. While listed as a CVSS of 9.9, the vulnerability is really only relevant to those using the Plan-9 file system. Microsoft does not list other Hyper-V clients as impacted by this bug, but if you are using Plan-9, definitely roll this patch out as soon as possible.

- CVE-2021-27076 – Microsoft SharePoint Server Remote Code Execution Vulnerability
This patch fixes a code execution bug originally submitted through the ZDI program. For an attack to succeed, the attacker must be able to create or modify Sites with the SharePoint server. However, the default configuration of SharePoint allows authenticated users to create sites. When they do, the user will be the owner of this site and will have all the necessary permissions. This is similar to some other SharePoint bugs we have blogged about in the past, and we’ll have additional details about this vulnerability on our blog in the near future.

Here’s the full list of CVEs released by Microsoft for March 2021.

| CVE | Title | Severity | CVSS | Public | Exploited | Type |
| --- | --- | --- | --- | --- | --- | --- |
| CVE-2021-26411 | Internet Explorer Memory Corruption Vulnerability | Critical | 8.8 | Yes | Yes | RCE |
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9.1 | No | Yes | RCE |
| CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 7.8 | No | Yes | RCE |
| CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 7.8 | No | Yes | RCE |
| CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 7.8 | No | Yes | RCE |
| CVE-2021-27077 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | Yes | No | EoP |
| CVE-2021-27074 | Azure Sphere Unsigned Code Execution Vulnerability | Critical | 6.2 | No | No | RCE |
| CVE-2021-27080 | Azure Sphere Unsigned Code Execution Vulnerability | Critical | 9.3 | No | No | RCE |
| CVE-2021-21300 | Git for Visual Studio Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-24089 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-26902 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-27061 | HEVC Video Extensions Remote Code Execution Vulnerability | Critical | 7.8 | No | No | RCE |
| CVE-2021-26412 | Microsoft Exchange Server Remote Code Execution Vulnerability | Critical | 9.1 | No | No | RCE |
| CVE-2021-26876 | OpenType Font Parsing Remote Code Execution Vulnerability | Critical | 8.8 | No | No | RCE |
| CVE-2021-26897 | Windows DNS Server Remote Code Execution Vulnerability | Critical | 9.8 | No | No | RCE |
| CVE-2021-26867 | Windows Hyper-V Remote Code Execution Vulnerability | Critical | 9.9 | No | No | RCE |
| CVE-2021-26890 | Application Virtualization Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27075 | Azure Virtual Machine Information Disclosure Vulnerability | Important | 6.8 | No | No | Info |
| CVE-2021-24095 | DirectX Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2021-24110 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27047 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27048 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27049 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27050 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27051 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27062 | HEVC Video Extensions Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27085 | Internet Explorer Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-27053 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27054 | Microsoft Excel Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-26854 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 6.6 | No | No | RCE |
| CVE-2021-27078 | Microsoft Exchange Server Remote Code Execution Vulnerability | Important | 9.1 | No | No | RCE |
| CVE-2021-27058 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-24108 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27057 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27059 | Microsoft Office Remote Code Execution Vulnerability | Important | 7.6 | No | No | RCE |
| CVE-2021-26859 | Microsoft Power BI Information Disclosure Vulnerability | Important | 7.7 | No | No | Info |
| CVE-2021-27056 | Microsoft PowerPoint Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27052 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important | 5.3 | No | No | Info |
| CVE-2021-27076 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | 8.8 | No | No | RCE |
| CVE-2021-24104 | Microsoft SharePoint Spoofing Vulnerability | Important | 4.6 | No | No | Spoof |
| CVE-2021-27055 | Microsoft Visio Security Feature Bypass Vulnerability | Important | 7 | No | No | SFB |
| CVE-2021-26887 | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26881 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | Important | 7.5 | No | No | RCE |
| CVE-2021-27082 | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-26882 | Remote Access API Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-27083 | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-26880 | Storage Spaces Controller Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26886 | User Profile Service Denial of Service Vulnerability | Important | 5.5 | No | No | DoS |
| CVE-2021-27081 | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27084 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | Important | Unlisted | No | No | RCE |
| CVE-2021-27060 | Visual Studio Code Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-27070 | Windows 10 Update Assistant Elevation of Privilege Vulnerability | Important | 7.3 | No | No | EoP |
| CVE-2021-26869 | Windows ActiveX Installer Service Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-27066 | Windows Admin Center Security Feature Bypass Vulnerability | Important | 4.3 | No | No | SFB |
| CVE-2021-26860 | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26865 | Windows Container Execution Agent Elevation of Privilege Vulnerability | Important | 8.8 | No | No | EoP |
| CVE-2021-26891 | Windows Container Execution Agent Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26896 | Windows DNS Server Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-27063 | Windows DNS Server Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-26877 | Windows DNS Server Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2021-26893 | Windows DNS Server Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2021-26894 | Windows DNS Server Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2021-26895 | Windows DNS Server Remote Code Execution Vulnerability | Important | 9.8 | No | No | RCE |
| CVE-2021-24090 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26872 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26898 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26901 | Windows Event Tracing Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-24107 | Windows Event Tracing Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-26892 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | Important | 6.2 | No | No | SFB |
| CVE-2021-26868 | Windows Graphics Component Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26861 | Windows Graphics Component Remote Code Execution Vulnerability | Important | 7.8 | No | No | RCE |
| CVE-2021-26862 | Windows Installer Elevation of Privilege Vulnerability | Important | 6.3 | No | No | EoP |
| CVE-2021-26884 | Windows Media Photo Codec Information Disclosure Vulnerability | Important | 5.5 | No | No | Info |
| CVE-2021-26879 | Windows NAT Denial of Service Vulnerability | Important | 7.5 | No | No | DoS |
| CVE-2021-26874 | Windows Overlay Filter Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-1640 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26878 | Windows Print Spooler Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26870 | Windows Projected File System Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26866 | Windows Update Service Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2021-26889 | Windows Update Stack Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2021-1729 | Windows Update Stack Setup Elevation of Privilege Vulnerability | Important | 7.1 | No | No | EoP |
| CVE-2021-26899 | Windows UPnP Device Host Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26873 | Windows User Profile Service Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2021-26864 | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | Important | 8.4 | No | No | EoP |
| CVE-2021-26871 | Windows WalletService Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26885 | Windows WalletService Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26863 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7 | No | No | EoP |
| CVE-2021-26875 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
| CVE-2021-26900 | Windows Win32k Elevation of Privilege Vulnerability | Important | 7.8 | No | No | EoP |
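
For teams turning the list above into a patch queue, the following added example (not part of the original post) parses rows from this table and orders them for deployment. The triage order (exploited, then publicly known, then severity, then CVSS) and the choice to treat an "Unlisted" CVSS as worst-case are assumptions of this sketch, and the names `parse_rows` and `triage` are hypothetical.

```python
import re
from typing import NamedTuple, Optional

# Eight rows copied from the table above, in whitespace-flattened form.
SAMPLE_ROWS = """\
CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability Critical 8.8 Yes Yes RCE
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability Critical 9.1 No Yes RCE
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability Important 7.8 No Yes RCE
CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability Important 7.8 Yes No EoP
CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability Critical 9.8 No No RCE
CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability Important 9.8 No No RCE
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability Important Unlisted No No RCE
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability Important 4.6 No No Spoof
"""

# Titles vary in length, so anchor on the five fixed trailing columns.
ROW = re.compile(
    r"^(?P<cve>CVE-\d{4}-\d{4,})\s+(?P<title>.+?)\s+"
    r"(?P<severity>Critical|Important|Moderate|Low)\s+"
    r"(?P<cvss>\d+(?:\.\d+)?|Unlisted)\s+"
    r"(?P<public>Yes|No)\s+(?P<exploited>Yes|No)\s+(?P<type>\S+)$"
)

class Entry(NamedTuple):
    cve: str
    title: str
    severity: str
    cvss: Optional[float]  # None when the table says "Unlisted"
    public: bool
    exploited: bool
    kind: str

def parse_rows(text):
    """Parse table rows; accepts space-flattened or pipe-delimited lines."""
    entries = []
    for line in text.splitlines():
        flat = " ".join(line.replace("|", " ").split())
        m = ROW.match(flat)
        if not m:
            continue  # header, separator or blank line
        cvss = None if m["cvss"] == "Unlisted" else float(m["cvss"])
        entries.append(Entry(m["cve"], m["title"], m["severity"], cvss,
                             m["public"] == "Yes", m["exploited"] == "Yes",
                             m["type"]))
    return entries

SEVERITY_RANK = {"Critical": 0, "Important": 1, "Moderate": 2, "Low": 3}

def triage(entries):
    """Assumed policy: exploited, then public, then severity, then CVSS."""
    def key(e):
        score = 10.0 if e.cvss is None else e.cvss  # unknown score: assume worst
        return (not e.exploited, not e.public, SEVERITY_RANK[e.severity], -score, e.cve)
    return sorted(entries, key=key)

if __name__ == "__main__":
    for e in triage(parse_rows(SAMPLE_ROWS)):
        print(e.cve, e.severity, e.cvss, "exploited" if e.exploited else "", e.title)
```

Feeding the full table through `parse_rows` also gives a quick consistency check against the counts quoted in the text, such as the number of Critical-rated or exploited entries.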

Moving on to the remaining Critical-rated patches, two affect Azure Sphere, but you likely won’t need to take any action. Devices running Azure Sphere that are connected to the Internet receive automatic updates. If your devices are isolated, you should make sure these updates are applied. There are four patches to correct bugs in the HEVC Video Extensions, and these updates are available from the Windows Store. There’s a patch for a bug in OpenType Fonts that could be exploited by viewing a specially crafted font. Finally, there’s an intriguing update for Git for Visual Studio that fixes a bug that requires no privileges but some level of user interaction. The attack complexity is also listed as low, so we may hear more about this vulnerability in the future.

Shifting to the Important-rated patches, there are still a bunch of code execution bugs to look at. In fact, 45 of the 90 bugs patched this month are listed as some form of remote code execution. Many of the affected components have matching Important updates to go with their Critical counterparts. These include Exchange, DNS Server, HEVC Video Extensions, and IE. This month’s release included five RCE bugs impacting Visual Studio. Most are straightforward; however, the update for the Quantum Development Kit for Visual Studio must be manually downloaded. This can be done through the extensions page within Visual Studio. There are also the expected updates for Office and Office components. Similar to last month, users of Microsoft Office 2019 for Mac will need to wait for their update to be made available.

Looking at the 30 Elevation of Privilege (EoP) bugs addressed in this month’s release, most require an attacker to log on to an affected system and run specially crafted code to escalate privileges. Almost all of these patches impact the Windows kernel and various Windows components. One bug to note had previously been disclosed by ZDI as Microsoft stated it did not meet their bar for servicing. At some point after we published our advisory, Microsoft changed course and produced a patch to address this issue. We’re glad they changed their mind.

This month’s release includes patches for six information disclosure bugs. Usually, these types of cases only lead to leaks consisting of unspecified memory contents. That’s true for three of these bugs, but the others leak some significant info. The vulnerability in Azure Virtual Machine could allow a low-privileged user to gain virtual machine credentials as well as credentials to extensions associated with the virtual machine. Speaking of credentials, the bug in Microsoft Power BI could expose NTLM hashes, which could then be brute-forced to reveal plaintext passwords. Finally, according to the Microsoft write-up, the info leak in SharePoint Server could allow an attacker access to an “organizational's email, sites, filename, url of file...” There’s nothing more than this generic description listed, but assume valuable information could be exposed by an attacker.

Three components receive patches to fix security feature bypasses (SFB) this month. The bypasses for Windows Extensible Firmware Interface and the Windows Admin Center receive patches but no documentation. The SFB for Visio does get some additional information, but the attack scenario seems far from common. Systems would be affected only with a specific Group Policy Object. An attacker would still need to modify a macro-enabled template that ships with Excel. If those two conditions occur and the user runs a malicious file on a system affected by that Group Policy, some form of bypass can occur. Based on the write-up, it doesn’t read like imminent danger, but still probably best to roll out the patch.

This month’s release is rounded out by four denial-of-service (DoS) bugs and a spoofing vulnerability. The spoofing bug occurs in the SharePoint server, but no further information is provided. Two of the DoS bugs impact the DNS Server service, and they have the same caveats as the previously mentioned code execution bugs. There’s also a DoS in the NAT Server service. For these bugs, it’s not clear if the service can just be restarted or if a full system reboot is required. The final DoS was reported through the ZDI program, but it doesn’t impact a service. Instead, it notes a bug in the User Profile Service. By creating a junction, an attacker can abuse the service to overwrite the contents of a chosen file, thus creating a DoS condition.

Finally, the servicing stack advisory (ADV990001) was revised for multiple versions of Windows. No additional advisories were released this month.

Looking Ahead

The next Patch Tuesday falls on April 13, and we’ll return with details and patch analysis then. Until then, stay safe, happy patching, and may all your reboots be smooth and clean!