Microsoft has released its monthly set of security updates addressing over 80 vulnerabilities across a wide range of its products, including multiple Windows OS components, Microsoft Office, SharePoint Server, Visual Studio, Azure and Azure Sphere. This month’s Patch Tuesday release also includes fixes for a zero-day vulnerability in Internet Explorer that had been exploited in attacks against some researchers in the white-hat community earlier this year.
The IE zero-day, tracked as CVE-2021-26411, is a double-free flaw caused by a boundary error when processing ".mht" files. Using this bug, a remote attacker can execute arbitrary code on the target system by tricking a user into visiting a malicious web site. Earlier this year, CVE-2021-26411 was observed being exploited in attacks against security researchers in South Korea. Kaspersky linked these attacks to the North Korean state-backed hacker group known as Lazarus APT.
The security updates for Internet Explorer also include a fix for CVE-2021-27085, which is described as an input validation error that could be used for remote code execution.
In addition to the above-mentioned flaws, Microsoft addressed numerous high-risk flaws affecting Microsoft Visual Studio Code, HEVC Video Extensions, PowerPoint, OpenType Font Parsing, Excel, Office, Windows Graphics Component, Azure Sphere, and other products.
The March Patch Tuesday release comes just one week after Microsoft released emergency security fixes for four zero-day flaws affecting Exchange Server (CVE-2021-26855, CVE-2021-26857, CVE-2021-27065 and CVE-2021-26858). All of them are described as input validation errors that allow remote code execution using specially crafted data sent to the Exchange server.
The vulnerable Exchange Server versions include Microsoft Exchange Server 2013, Microsoft Exchange Server 2016, and Microsoft Exchange Server 2019. Microsoft Exchange Online is not affected.
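The practical question for a defender after an out-of-band Exchange release is which on-premises servers are still below the fixed build. The script below is an added illustration (not Microsoft's tooling and not from the article) of how to triage a server inventory: it maps the Exchange build prefix to the product line (15.0 = 2013, 15.1 = 2016, 15.2 = 2019, a well-known mapping), treats Exchange Online entries as not affected, as the article states, and compares each build against a table of minimum patched builds. The inventory lines and the build numbers in `EXAMPLE_MIN_PATCHED` are constructed placeholders; an operator replaces them with the builds Microsoft publishes for the four CVEs.

```python
"""Triage an Exchange Server inventory against a table of minimum patched builds.

Added example, not Microsoft's tooling. The patched builds and hostnames below are
constructed placeholders for illustration only.
"""
from typing import Dict, List, Tuple

Build = Tuple[int, int, int, int]

# Exchange build "major.minor" identifies the product line (well-known mapping).
PRODUCT_BY_BUILD_PREFIX: Dict[Tuple[int, int], str] = {
    (15, 0): "Exchange Server 2013",
    (15, 1): "Exchange Server 2016",
    (15, 2): "Exchange Server 2019",
}

# PLACEHOLDER minimum patched builds (constructed, NOT the real advisory values);
# replace with the builds from Microsoft's advisory for the CVEs above.
EXAMPLE_MIN_PATCHED: Dict[str, Build] = {
    "Exchange Server 2013": (15, 0, 1400, 0),
    "Exchange Server 2016": (15, 1, 2100, 0),
    "Exchange Server 2019": (15, 2, 700, 0),
}

# Constructed inventory: "hostname,build" per line; "online" marks a cloud tenant.
SAMPLE_INVENTORY = """\
# host,build
mail01.corp.example,15.1.2106.13
mail02.corp.example,15.2.659.4
legacy.corp.example,15.0.1300.6
tenant.corp.example,online
broken-host,not-a-version
"""


def parse_build(text: str) -> Build:
    """Parse '15.1.2106.13' into a comparable 4-tuple; reject anything else."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"not an Exchange build string: {text!r}")
    major, minor, build, rev = (int(p) for p in parts)
    return (major, minor, build, rev)


def classify(build_text: str, min_patched: Dict[str, Build]) -> Tuple[str, str]:
    """Return (product, status); status is patched, vulnerable, not_affected or unknown."""
    if build_text.strip().lower() == "online":
        # Exchange Online is not affected by the on-premises flaws.
        return "Exchange Online", "not_affected"
    try:
        build = parse_build(build_text)
    except ValueError:
        # Malformed inventory data must surface as unknown, never as patched.
        return "unknown", "unknown"
    product = PRODUCT_BY_BUILD_PREFIX.get(build[:2])
    if product is None or product not in min_patched:
        return product or "unknown", "unknown"
    # Tuple comparison is lexicographic, matching how build numbers are ordered.
    status = "patched" if build >= min_patched[product] else "vulnerable"
    return product, status


def triage(inventory: str, min_patched: Dict[str, Build]) -> List[Tuple[str, str, str]]:
    """Classify every non-comment inventory line as (host, product, status)."""
    rows: List[Tuple[str, str, str]] = []
    for line in inventory.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, build_text = line.partition(",")
        product, status = classify(build_text, min_patched)
        rows.append((host.strip(), product, status))
    return rows


def vulnerable_hosts(inventory: str, min_patched: Dict[str, Build]) -> List[str]:
    """Hosts that are confirmed below the minimum patched build."""
    return [host for host, _, status in triage(inventory, min_patched) if status == "vulnerable"]


if __name__ == "__main__":
    for host, product, status in triage(SAMPLE_INVENTORY, EXAMPLE_MIN_PATCHED):
        print(f"{host:24} {product:24} {status}")
```

One caveat for a production version: Microsoft publishes the fixed build per cumulative update, so the real table needs one minimum build per CU line rather than one per product, and hosts reporting an unknown or malformed build should be treated as unpatched until verified by hand.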