On 13 April 2021, Microsoft released updates to plug at least 110 security holes in its Windows operating systems and other products. The patches include four security fixes for Microsoft Exchange Server, the same software that over the past month has been besieged by attacks on four separate bugs. Nineteen of the vulnerabilities fixed this month are rated such that malware or attackers could use them to seize remote control of vulnerable Windows systems without any help from the user.
Details about the Microsoft patch:
Microsoft fixed four more flaws in Exchange Server versions 2013 through 2019. The U.S. National Security Agency is credited with reporting all four, although Microsoft says two of the bugs were also found internally. In its blog post, Microsoft urged Exchange Server users to make patching their systems a top priority.
Two of the four vulnerabilities are pre-authentication flaws, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit them. Given the intense attacker interest in Exchange Server since last month, organizations should apply these Exchange Server patches immediately. Also among the 13 April updates is a fix for a Windows vulnerability that is already being exploited in active attacks; the flaw allows an attacker to elevate their privileges on a target system.
As per Dustin Childs of Trend Micro, “This does mean that they will either need to log on to a system or trick a legitimate user into running the code on their behalf. Considering who is listed as discovering this bug, it is probably being used in malware. Bugs of this nature are typically combined with other bugs, such as a browser bug or PDF exploit, to take over a system.”
A senior architect at Recorded Future noted that several remote code execution vulnerabilities in Microsoft Office products were also fixed this month. CVE-2021-28454 and CVE-2021-28451 affect Excel, CVE-2021-28453 affects Word, and CVE-2021-28449 affects Microsoft Office itself. Microsoft labels all of these “Important”, and they impact all versions of their respective products.