March 2021 Patch Tuesday: Microsoft fixes yet another actively exploited IE zero-day
As system administrators and security teams around the world work to ascertain whether they’ve been breached and compromised via vulnerable Microsoft Exchange Server installations, here is what this March 2021 Patch Tuesday brings:
- Microsoft has fixed 89 CVEs. Among those are the seven Microsoft Exchange flaws fixed last week, one Internet Explorer memory corruption flaw that’s being exploited in the wild, and one Windows Win32k EoP flaw that is publicly known
- Adobe has delivered security updates for Connect, Creative Cloud Desktop Application, and Framemaker
- SAP has released 9 new security notes and updated 4 previously released ones
- Apple has pushed out security updates to fix a critical RCE flaw in WebKit
Patches for four actively exploited Exchange Server vulnerabilities (plus three additional ones) have already been delivered with the updates for supported versions released last week. On Monday, the Exchange team announced the release of an additional series of security updates that can be applied to some older and unsupported cumulative updates for Exchange 2016 and 2019.
Among the vulnerabilities patched by Microsoft on this March 2021 Patch Tuesday are several deserving extra attention.
CVE-2021-26411, for example, is an Internet Explorer vulnerability that’s publicly known and under active attack.
“While not as impactful as the Exchange bugs, enterprises that rely on Microsoft browsers should definitely roll this out quickly. Successful exploitation would yield code execution at the level of the logged-on user, which is another reminder not to browse web pages using an account with Administrative privileges,” said Dustin Childs of Trend Micro’s Zero Day Initiative.
“[CVE-2021-26411] is tied to a vulnerability that was publicly disclosed in early February by researchers at ENKI who claim it was one of the vulnerabilities used in a concerted campaign by nation-state actors to target security researchers,” commented Satnam Narang, staff research engineer at Tenable.
“In the ENKI blog post, the researchers say they will publish proof-of-concept (PoC) details after the bug has been patched. As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate those PoCs into their attack toolkits. We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”
Childs also singled out CVE-2021-27076 (a Microsoft SharePoint Server RCE bug), CVE-2021-26867 (a Windows Hyper-V RCE) and several Windows DNS Server RCEs as security holes that should be patched sooner rather than later.
“There’s an intriguing update for Git for Visual Studio that fixes a bug that requires no privileges but some level of user interaction. The attack complexity is also listed as low, so we may hear more about this vulnerability in the future,” he added.
Most of the vulnerabilities fixed by Adobe’s updates are critical (they allow arbitrary code execution), but none affect a product that attackers usually favor and none are under active exploitation. Adobe therefore recommends that administrators install these updates “at their discretion.”
For March 2021 Patch Tuesday, SAP has released 9 new security notes and updated 4 previously released ones.
Of these, the ones that should be perused and acted upon with some urgency are:
- #2622660, which deals with security issues in the browser control Google Chromium delivered with SAP Business Client, and
- #3022622, which patches a critical code injection vulnerability in SAP Manufacturing Integration and Intelligence (SAP MII)
“SAP MII is an SAP NetWeaver AS Java-based platform that enables real-time production monitoring and provides extensive data analysis tools. An integral part of SAP MII is the Self Service Composition Environment (SSCE) that can be used to design dashboards by simple drag and drop. The SSCE allows users to save a dashboard as a JSP file,” Onapsis researcher Thomas Fritsch explained.
“An attacker can intercept a request to the server, inject malicious JSP code in the request and forward it to the server. When such an infected dashboard is opened in production by a user having a minimum of authorizations, the malicious content gets executed, leading to remote code execution in the server.”
Ultimately, a compromise of this kind could allow attackers to access and modify SAP databases, use the compromised server to pivot to other servers, place malware, etc.
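Because the SAP MII flaw hinges on JSP code being smuggled into a dashboard-save request, one defensive control is to treat dashboard content as layout data and refuse to persist anything that carries JSP scriptlets, expressions, declarations, directives, actions or EL expressions, including ones hidden behind URL or HTML-entity encoding. The Python below is an added example written for this article, not Onapsis’ or SAP’s code; the sample payloads are constructed, and the `dashboard` field name and the marker patterns are assumptions.

```python
from __future__ import annotations

import html
import re
from urllib.parse import unquote

# Constructs that turn a "layout" file into executable server-side JSP.
# Which markers to flag is an assumption: a drag-and-drop dashboard should contain none of them.
JSP_PATTERNS = {
    "scriptlet":   re.compile(r"<%(?![@!=-])[\s\S]*?%>"),   # <% ... %>
    "expression":  re.compile(r"<%=[\s\S]*?%>"),             # <%= ... %>
    "declaration": re.compile(r"<%![\s\S]*?%>"),             # <%! ... %>
    "directive":   re.compile(r"<%@[\s\S]*?%>"),             # <%@ page import=... %>
    "action":      re.compile(r"<jsp:\w+", re.IGNORECASE),   # <jsp:include>, <jsp:useBean>, ...
    "el":          re.compile(r"[$#]\{[^}]*\}"),              # ${...} / #{...} EL expressions
}

def normalize(content: str, rounds: int = 3) -> str:
    """Undo URL- and HTML-entity encoding a few times so encoded markers
    (e.g. %3C%25 or &lt;%) are inspected in decoded form. Repeated decoding
    may alter a legitimate literal '%25'; for a reject/accept decision that is acceptable."""
    for _ in range(rounds):
        decoded = html.unescape(unquote(content))
        if decoded == content:
            break
        content = decoded
    return content

def find_jsp_code(content: str) -> list[tuple[str, str]]:
    """Return (category, snippet) for every JSP construct found in dashboard content."""
    text = normalize(content)
    findings = []
    for category, pattern in JSP_PATTERNS.items():
        for match in pattern.finditer(text):
            findings.append((category, match.group(0)[:60]))
    return findings

def validate_dashboard_save(request_fields: dict) -> tuple[bool, list[tuple[str, str]]]:
    """Gate for a dashboard-save request: returns (accepted, findings).
    'dashboard' is an assumed name for the field carrying the serialized dashboard."""
    findings = find_jsp_code(request_fields.get("dashboard", ""))
    return (not findings, findings)

# Constructed sample payloads (not real SAP MII traffic); the tampered one mixes a
# directive, a plain scriptlet and a URL-encoded expression (%3C%25%3D ... %25%3E).
CLEAN_DASHBOARD = '<div class="panel"><h2>Line 3 OEE</h2><div id="chart1"></div></div>'
TAMPERED_DASHBOARD = (
    '<div class="panel"><h2>Line 3 OEE</h2>'
    '<%@ page import="java.util.Date" %><% out.println(new Date()); %>'
    '%3C%25%3D%201%2B1%20%25%3E</div>'
)
```

Rejecting the request is only half the control; log the findings so the attempt is visible to the SOC, and apply SAP note #3022622 regardless.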
CVE-2021-1844, the WebKit flaw fixed by Apple, is a memory corruption issue that can be exploited to achieve arbitrary code execution after targets are tricked into visiting a web page hosting maliciously crafted web content (i.e., an exploit).
The vulnerability was flagged by Clément Lecigne of Google’s Threat Analysis Group (TAG) and Alison Huffman of Microsoft Browser Vulnerability Research, which raises the possibility that this is a zero-day flaw spotted being exploited by attackers.
We’ll know in due time, of course, and I expect that Apple will release fixes for the flaw in the older OSes and tvOS soon.