Microsoft Has Busy April Patch Tuesday with Zero-Days, Exchange Fixes

Microsoft fixes 110 vulnerabilities, with 19 classified as critical and another flaw under active attack.

Microsoft had its hands full Tuesday, snuffing out five zero-day vulnerabilities and a flaw under active attack, and applying more patches to its problem-plagued Microsoft Exchange Server software.

In all, Microsoft released patches for 110 security holes, 19 classified critical in severity and 88 considered important. The most dire of those flaws disclosed is arguably a Win32k elevation of privilege vulnerability (CVE-2021-28310) actively being exploited in the wild by the cybercriminal group BITTER APT.

Actively Exploited Zero-Day

“We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access,” wrote Kaspersky in a Tuesday report detailing its find.

The bug is an out-of-bounds write vulnerability in the Windows dwmcore.dll library, which is part of Desktop Window Manager (dwm.exe). “Due to the lack of bounds checking, attackers are able to create a situation that allows them to write controlled data at a controlled offset using DirectComposition API,” wrote Kaspersky researchers Boris Larin, Costin Raiu and Brian Bartholomew, co-authors of the report.

More Bugs Tied to Plagued Exchange

Of note, the U.S. National Security Agency released information on four critical Exchange Server vulnerabilities (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483) impacting versions released between 2013 and 2019.

“These vulnerabilities have been rated ‘exploitation more likely’ using Microsoft’s Exploitability Index. Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately,” wrote Satnam Narang, staff research engineer with Tenable, in commentary shared with Threatpost.

Microsoft notes that two of the four Exchange bugs reported by the NSA were also found internally by its own research team.

Bugs, Bugs and More Bugs

Microsoft also included patches for its Chromium-based Edge web browser, Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server and Visual Studio.

“April’s Patch Tuesday yields… [are] the highest monthly total for 2021 (so far) and showing a return to the 100-plus totals we consistently saw in 2020,” wrote Justin Knapp, senior product marketing manager with Automox, in a prepared analysis shared with Threatpost. “This month’s haul includes 19 critical vulnerabilities and a high-severity zero-day that is actively being exploited in the wild.”

He added, “We’re also seeing multiple browser-related vulnerabilities this month that should be addressed immediately. This represents an overall upward trend that’s expected to continue throughout the year and draw greater urgency around patching velocity, to ensure organizations are not taking on unnecessary exposure — especially given the increased exploitation of known, dated vulnerabilities.”

Interestingly, Knapp pointed out patching best practices were vitally important to companies as they are challenged by a workforce that is still largely remote and forced to socially distance because of the COVID-19 pandemic.

“With the dramatic shift to remote work in 2020 now becoming a permanent fixture in 2021, it’s also worth noting the significance of employing measures that can immediately push newly released security updates across a more decentralized, diverse set of assets and environments,” he said.

Office Remote Code-Execution Bugs

Troublesome, given the ubiquitous nature of Microsoft Office, are four remote code execution (RCE) vulnerabilities patched this month within the productivity suite. Microsoft Word (CVE-2021-28453) and Excel (CVE-2021-28454, CVE-2021-28451) are impacted, and a fourth bug (CVE-2021-28449) is only listed as affecting Microsoft Office. The updates are rated “important” and, according to Microsoft, impact all versions of Office including Office 365.

Jay Goodman, manager of product marketing at Automox, noted in his Patch Tuesday commentary that Microsoft’s security holes this month include a number of flaws identified as remote procedure call (RPC) runtime RCE bugs.

“RPC is a protocol used to request a service from a program that is located on another computer or device on the same network,” he explained. “The vulnerabilities allow for remote code execution on the target system. The vulnerability may be exploited by sending a specially crafted RPC request. Depending on the user privileges, an attacker could install programs, change or delete data, or create additional user accounts with full user rights.”

Microsoft marks the vulnerability type as “exploitation less likely”; however, it’s highly recommended to quickly patch and remediate any RCE vulnerabilities on systems, Goodman said: “Leaving latent vulnerabilities with RCE exploits can easily lead to a faster-spreading attack.”

Microsoft’s April Patch Tuesday update was complemented by Adobe’s monthly slew of patches, which addressed 10 security bugs, seven of them critical.