12 March 2021

Vulnerability summary for the week: March 12, 2021


This week Microsoft published security updates intended to fix more than 80 vulnerabilities across a wide range of its products, including multiple Windows OS components, Microsoft Office, SharePoint Server, Visual Studio, Azure and Azure Sphere. The March Patch Tuesday release also includes a fix for a zero-day vulnerability in Internet Explorer that had been exploited in attacks against some researchers in the white-hat community earlier this year.

The IE zero-day, tracked as CVE-2021-26411, is a double free flaw that exists due to a boundary error when processing ".mht" files. Using this bug, a remote attacker can execute arbitrary code on the target system by tricking a user into visiting a malicious website. Earlier this year, CVE-2021-26411 was observed being exploited in attacks against security researchers in South Korea. Kaspersky linked these attacks to the North Korean state-backed hacker group known as Lazarus APT.

The security updates for Internet Explorer also include a fix for CVE-2021-27085, which is described as an input validation error that could be used for remote code execution.

In addition to the vulnerabilities described above, Microsoft addressed numerous high-risk flaws affecting Microsoft Visual Studio Code, HEVC Video Extensions, PowerPoint, OpenType Font Parsing, Excel, Office, Windows Graphics Component, Azure Sphere, and other products.

Adobe released a batch of security fixes covering multiple vulnerabilities in Adobe Photoshop, Adobe Animate, Adobe Creative Cloud Desktop Application, and Adobe Connect, including those that allow remote code execution (CVE-2021-21071, CVE-2021-21077, CVE-2021-21067, CVE-2021-21082, CVE-2021-21078, CVE-2021-21068, CVE-2021-21085). The remaining bugs are considered low and medium risk and can be exploited to gain access to sensitive data, escalate privileges on the system, or perform cross-site scripting (XSS) attacks.

F5 Networks released a security advisory urging customers to patch a number of dangerous flaws in its BIG-IP and BIG-IQ enterprise networking infrastructure. If exploited, these vulnerabilities could allow attackers to commandeer vulnerable BIG-IP and BIG-IQ systems.

More specifically, BIG-IP and BIG-IQ products contain several high-risk vulnerabilities. One of them (CVE-2021-22991) is a buffer overflow that exists due to a boundary error when processing HTTP requests within the Traffic Management Microkernel (TMM) URI normalization feature. A remote attacker can send a specially crafted HTTP request to the virtual server associated with an HTTP profile, trigger memory corruption and crash the service or execute arbitrary code on the target system.

The second vulnerability (CVE-2021-22995) is described as a "missing authentication for critical function" issue in BIG-IQ that allows attackers to gain access to the system and trigger a denial-of-service condition.

The third one (CVE-2021-22986) impacts the iControl REST API in BIG-IP and allows a remote attacker to execute arbitrary shell commands on the target system.

Also, several severe vulnerabilities have been found in Siemens Solid Edge modeling software. Three of them (CVE-2021-27381, CVE-2021-27380, CVE-2020-28385) allow remote code execution, and one bug (CVE-2020-28387) is an XML External Entity injection that can be exploited to gain access to sensitive information.

The above flaws impact Solid Edge SE2020 versions before SE2020MP13 and Solid Edge SE2021 versions prior to SE2021MP3.
