Another Patch Tuesday (2021-Mar) is upon us and with this month comes a whopping 122 CVEs.  As usual, Windows tops the list of the most patched product. However, this month it’s browser vulnerabilities taking second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.

Exchange Server Vulnerabilities

Earlier this month Microsoft released out of band updates for Exchange Server. These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet-facing instances.

Yesterday, Microsoft issued an additional set of patches for older, unsupported versions of the Exchange Server. This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.

If you administer an Exchange Server, stop reading this blog and go patch these systems!

Patch those Windows systems!

Almost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:

• Multiple high severity RCE vulnerabilities in Windows DNS Server
  (CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895, and CVE-2021-26897)
• Remote Code Execution in Hyper-V (CVE-2021-26867) enabling virtual machine escape (CVSSv3 9.9)

Browser Vulnerabilities

Since going end-of-life in November 2020, we haven’t seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: CVE-2021-27085 and CVE-2021-26411. CVE-2021-26411 has been exploited in the wild, so don’t delay applying patches if IE is still in your environment.

The majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.