Microsoft Has Busy April Patch Tuesday with Zero-Days, Exchange Fixes

Cyber Security News

Microsoft fixes 110 vulnerabilities, with 19 classified as critical and another flaw under active attack.

Microsoft had its hands full Tuesday snuffing out five zero-day vulnerabilities, a flaw under active attack and applying more patches to its problem-plagued Microsoft Exchange Server software.

In all, Microsoft released patches for 110 security holes, 19 classified critical in severity and 88 considered important. The most dire of those flaws disclosed is arguably a Win32k elevation of privilege vulnerability (CVE-2021-28310) actively being exploited in the wild by the cybercriminal group BITTER APT.

Actively Exploited Zero-Day

“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,” wrote Kaspersky in a Tuesday report detailing its find.

The bug is an out-of-bounds write vulnerability in Windows dwmcore.dll library, which is part of Desktop Window Manager (dwm.exe). “Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API,” wrote Kaspersky researchers Boris Larin, Costin Raiu and Brian Bartholomew, co-authors of the report.

More Bugs Tied to Problem Plagued Exchange Fixed

Of note, the US National Security Agency released information on four critical Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) impacting versions released between 2013 and 2019.

“These vulnerabilities have been rated ‘Exploitation More Likely’ using Microsoft’s Exploitability Index. Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately,” wrote Satnam Narang, staff research engineer with Tenable in commentary shared with Threatpost.

Microsoft notes that two of the four Exchange bugs reported by the NSA were also found internally by its own research team.

Bugs, Bugs and More Bugs

Flaws fixed by Microsoft also included patches for its Chromium-based Edge web browser, Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server and Visual Studio.

“April’s Patch Tuesday yields… [are] the highest monthly total for 2021 (so far) and showing a return to the 100-plus totals we consistently saw in 2020. This month’s haul includes 19 critical vulnerabilities and a high-severity zero-day that is actively being exploited in the wild,” wrote Justin Knapp, senior product marketing manager with Automox, in a prepared analysis shared with Threatpost.

“We’re also seeing multiple browser related vulnerabilities this month that should be addressed immediately,” Knapp wrote. “This represents an overall upward trend that’s expected to continue throughout the year and draw greater urgency around patching velocity to ensure organizations are not taking on unnecessary exposure, especially given the increased exploitation of known, dated vulnerabilities.”

Interestingly, Knapp pointed out patching best practices were vitally important to companies as they are challenged by a workforce that is still largely remote and forced to social distance because of the COVID-19 pandemic.

“With the dramatic shift to remote work in 2020 now becoming a permanent fixture in 2021, it’s also worth noting the significance of employing measures that can immediately push newly released security updates across a more decentralized, diverse set of assets and environments,” he said.

Office Remote Code Execution Bugs

Troublesome given the ubiquitous nature of the Microsoft Office are four remote code execution vulnerabilities patched this month within the productivity suite. Impacted are Microsoft Word (CVE-2021-28453) and Excel (CVE-2021-28454, CVE-2021-28451) and a fourth bug (CVE-2021-28449) only listed as effecting Microsoft Office. Updates are rated important and, according to Microsoft, impact all versions of Office including Office 365.

Jay Goodman, manager of product marketing at Automox, notes in prepared Patch Tuesday commentary that Microsoft’s round of patches include a number of flaws identified as remote procedure call (RPC) runtime remote code execution bugs.

“RPC is a protocol used to request a service from a program that is located on another computer or device on the same network. The vulnerabilities allow for remote code execution on the target system,” Goodman wrote. “The vulnerability may be exploited by sending a specially crafted RPC request. Depending on the user privileges, an attacker could install programs, change or delete data, or create additional user accounts with full user rights.”

Microsoft marks the vulnerability as “exploitation less likely”, however, it is highly recommended to quickly patch and remediate any RCE vulnerabilities on systems, Goodman said. “Leaving latent vulnerabilities with RCE exploits can easily lead to a faster-spreading attack.”

Ever wonder what goes on in underground cybercrime forums? Find out on April 21 at 2 p.m. ET during a FREE Threatpost event, “Underground Markets: A Tour of the Dark Economy.” Experts will take you on a guided tour of the Dark Web, including what’s for sale, how much it costs, how hackers work together and the latest tools available for hackers. Register here for the Wed., April 21 LIVE event.