Microsoft’s March Patch Tuesday fixes 14 Critical flaws

Microsoft’s March Patch Tuesday security updates address 89 vulnerabilities in its products, 14 are listed as Critical and 75 are listed as Important in severity.

Microsoft’s March Patch Tuesday security updates address 89 vulnerabilities in its products, including Microsoft Windows components, Azure and Azure DevOps, Azure Sphere, Internet Explorer and Edge (EdgeHTML), Exchange Server, Office and Office Services and Web Apps, SharePoint Server, Visual Studio, and Windows Hyper-V.

The list of CVEs covered by the security updates includes seven vulnerabilities in Microsoft Exchange recently addressed by Microsoft with the release of out-of-band fixes. 14 of the vulnerabilities fixed with the release of Microsoft’s March Patch Tuesday are listed as Critical and 75 are listed as Important in severity. Two of these vulnerabilities are publicly known and five were actively exploited in attacks in the wild at the time of release.

One of the most severe flaws addressed with the release of Microsoft’s March Patch Tuesday is an Internet Explorer memory corruption bug tracked as CVE-2021-26411. The flaw could allow attackers to run arbitrary code on affected systems, at the level of the logged-on user, by tricking victims into viewing a specially crafted HTML file.

“CVE-2021-26411 – Internet Explorer Memory Corruption Vulnerability
This patch corrects a bug in Internet Explorer (IE) and Edge (EdgeHTML-based) that could allow an attacker to run their code on affected systems if they view a specially crafted HTML file.” reads the post published by Zero Day Initiative.

“Microsoft lists this as both publicly known and under active attack at the time of release. While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges.”

The vulnerability received a CVSS score of 8.8.

Another critical issue addressed by Microsoft, tracked as CVE-2021-26897, is a Windows DNS Server Remote Code Execution vulnerability. The vulnerability received a CVSS score of 9.8.

Other interesting critical issues fixed by Microsoft are CVE-2021-27074 and CVE-2021-27080, unsigned code execution bugs in Azure Sphere, and CVE-2021-27076 Server Remote Code Execution vulnerability in Microsoft SharePoint.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Microsoft’s March Patch Tuesday)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.