Patch Tuesday – March 2021
Another Patch Tuesday (2021-Mar) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it’s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.
Vulnerability Breakdown by Software Family
| Family | Vulnerability Count |
|---|---|
| Windows | 59 |
| Browser | 35 |
| ESU | 24 |
| Microsoft Office | 11 |
| Exchange Server | 7 |
| Developer Tools | 6 |
| Azure | 3 |
| SQL Server | 1 |
Exchange Server Vulnerabilities
Earlier this month Microsoft released out of band updates for Exchange Server. These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances.
Yesterday, Microsoft issued an additional set of patches for older, unsupported versions of Exchange Server. This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.
If you administer an Exchange Server, stop reading this blog and go patch these systems! For more information please see our blog post on the topic.
Patch those Windows systems!
Almost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:
- Multiple high severity RCE vulnerabilities in Windows DNS Server
(CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895, and CVE-2021-26897) - Remote Code Execution in Hyper-V (CVE-2021-26867) enabling virtual machine escape (CVSSv3 9.9)
Browser Vulnerabilities
Since going end-of-life in November 2020, we haven’t seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: CVE-2021-27085 and CVE-2021-26411. CVE-2021-26411 has been exploited in the wild, so don’t delay applying patches if IE is still in your environment.
The majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.
Summary Tables
Here are this month’s patched vulnerabilities split by the product family.
Azure Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-27075 | Azure Virtual Machine Information Disclosure Vulnerability | No | No | 6.8 | Yes |
| CVE-2021-27080 | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 9.3 | Yes |
| CVE-2021-27074 | Azure Sphere Unsigned Code Execution Vulnerability | No | No | 6.2 | Yes |
Browser Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-27085 | Internet Explorer Remote Code Execution Vulnerability | No | No | 8.8 | No |
| CVE-2021-21190 | Chromium CVE-2021-21190 : Uninitialized Use in PDFium | No | No | N/A | Yes |
| CVE-2021-21189 | Chromium CVE-2021-21189: Insufficient policy enforcement in payments | No | No | N/A | Yes |
| CVE-2021-21188 | Chromium CVE-2021-21188: Use after free in Blink | No | No | N/A | Yes |
| CVE-2021-21187 | Chromium CVE-2021-21187: Insufficient data validation in URL formatting | No | No | N/A | Yes |
| CVE-2021-21186 | Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning | No | No | N/A | Yes |
| CVE-2021-21185 | Chromium CVE-2021-21185: Insufficient policy enforcement in extensions | No | No | N/A | Yes |
| CVE-2021-21184 | Chromium CVE-2021-21184: Inappropriate implementation in performance APIs | No | No | N/A | Yes |
| CVE-2021-21183 | Chromium CVE-2021-21183: Inappropriate implementation in performance APIs | No | No | N/A | Yes |
| CVE-2021-21182 | Chromium CVE-2021-21182: Insufficient policy enforcement in navigations | No | No | N/A | Yes |
| CVE-2021-21181 | Chromium CVE-2021-21181: Side-channel information leakage in autofill | No | No | N/A | Yes |
| CVE-2021-21180 | Chromium CVE-2021-21180: Use after free in tab search | No | No | N/A | Yes |
| CVE-2021-21179 | Chromium CVE-2021-21179: Use after free in Network Internals | No | No | N/A | Yes |
| CVE-2021-21178 | Chromium CVE-2021-21178 : Inappropriate implementation in Compositing | No | No | N/A | Yes |
| CVE-2021-21177 | Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill | No | No | N/A | Yes |
| CVE-2021-21176 | Chromium CVE-2021-21176: Inappropriate implementation in full screen mode | No | No | N/A | Yes |
| CVE-2021-21175 | Chromium CVE-2021-21175: Inappropriate implementation in Site isolation | No | No | N/A | Yes |
| CVE-2021-21174 | Chromium CVE-2021-21174: Inappropriate implementation in Referrer | No | No | N/A | Yes |
| CVE-2021-21173 | Chromium CVE-2021-21173: Side-channel information leakage in Network Internals | No | No | N/A | Yes |
| CVE-2021-21172 | Chromium CVE-2021-21172: Insufficient policy enforcement in File System API | No | No | N/A | Yes |
| CVE-2021-21171 | Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation | No | No | N/A | Yes |
| CVE-2021-21170 | Chromium CVE-2021-21170: Incorrect security UI in Loader | No | No | N/A | Yes |
| CVE-2021-21169 | Chromium CVE-2021-21169: Out of bounds memory access in V8 | No | No | N/A | Yes |
| CVE-2021-21168 | Chromium CVE-2021-21168: Insufficient policy enforcement in appcache | No | No | N/A | Yes |
| CVE-2021-21167 | Chromium CVE-2021-21167: Use after free in bookmarks | No | No | N/A | Yes |
| CVE-2021-21166 | Chromium CVE-2021-21166: Object lifecycle issue in audio | No | No | N/A | Yes |
| CVE-2021-21165 | Chromium CVE-2021-21165: Object lifecycle issue in audio | No | No | N/A | Yes |
| CVE-2021-21164 | Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS | No | No | N/A | Yes |
| CVE-2021-21163 | Chromium CVE-2021-21163: Insufficient data validation in Reader Mode | No | No | N/A | Yes |
| CVE-2021-21162 | Chromium CVE-2021-21162: Use after free in WebRTC | No | No | N/A | Yes |
| CVE-2021-21161 | Chromium CVE-2021-21161: Heap buffer overflow in TabStrip | No | No | N/A | Yes |
| CVE-2021-21160 | Chromium CVE-2021-21160: Heap buffer overflow in WebAudio | No | No | N/A | Yes |
| CVE-2021-21159 | Chromium CVE-2021-21159: Heap buffer overflow in TabStrip | No | No | N/A | Yes |
| CVE-2020-27844 | Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG | No | No | N/A | Yes |
Browser ESU Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-26411 | Internet Explorer Memory Corruption Vulnerability | Yes | Yes | 8.8 | Yes |
Developer Tools Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-27060 | Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-27084 | Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability | No | No | N/A | No |
| CVE-2021-27081 | Visual Studio Code ESLint Extension Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-27083 | Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-27082 | Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-21300 | Git for Visual Studio Remote Code Execution Vulnerability | No | No | 8.8 | No |
Exchange Server Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-26412 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No |
| CVE-2021-26855 | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 9.1 | Yes |
| CVE-2021-27078 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 9.1 | No |
| CVE-2021-26857 | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes |
| CVE-2021-27065 | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes |
| CVE-2021-26858 | Microsoft Exchange Server Remote Code Execution Vulnerability | Yes | No | 7.8 | Yes |
| CVE-2021-26854 | Microsoft Exchange Server Remote Code Execution Vulnerability | No | No | 6.6 | No |
Microsoft Office Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-27055 | Microsoft Visio Security Feature Bypass Vulnerability | No | No | 7 | Yes |
| CVE-2021-24104 | Microsoft SharePoint Spoofing Vulnerability | No | No | 4.6 | Yes |
| CVE-2021-27076 | Microsoft SharePoint Server Remote Code Execution Vulnerability | No | No | 8.8 | Yes |
| CVE-2021-27052 | Microsoft SharePoint Server Information Disclosure Vulnerability | No | No | 5.3 | Yes |
| CVE-2021-27056 | Microsoft PowerPoint Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-24108 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27057 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27059 | Microsoft Office Remote Code Execution Vulnerability | No | No | 7.6 | Yes |
| CVE-2021-27058 | Microsoft Office ClickToRun Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27053 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27054 | Microsoft Excel Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
SQL Server Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-26859 | Microsoft Power BI Information Disclosure Vulnerability | No | No | 7.7 | Yes |
Windows Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-26900 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26863 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-26871 | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26885 | Windows WalletService Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26864 | Windows Virtual Registry Provider Elevation of Privilege Vulnerability | No | No | 8.4 | No |
| CVE-2021-1729 | Windows Update Stack Setup Elevation of Privilege Vulnerability | No | No | 7.1 | No |
| CVE-2021-26889 | Windows Update Stack Elevation of Privilege Vulnerability | No | No | 7.1 | No |
| CVE-2021-26866 | Windows Update Service Elevation of Privilege Vulnerability | No | No | 7.1 | No |
| CVE-2021-26870 | Windows Projected File System Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26874 | Windows Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26879 | Windows NAT Denial of Service Vulnerability | No | No | 7.5 | No |
| CVE-2021-26884 | Windows Media Photo Codec Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-26867 | Windows Hyper-V Remote Code Execution Vulnerability | No | No | 9.9 | Yes |
| CVE-2021-26868 | Windows Graphics Component Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26892 | Windows Extensible Firmware Interface Security Feature Bypass Vulnerability | No | No | 6.2 | No |
| CVE-2021-24090 | Windows Error Reporting Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26865 | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 8.8 | No |
| CVE-2021-26891 | Windows Container Execution Agent Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26860 | Windows App-V Overlay Filter Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-27066 | Windows Admin Center Security Feature Bypass Vulnerability | No | No | 4.3 | No |
| CVE-2021-27070 | Windows 10 Update Assistant Elevation of Privilege Vulnerability | No | No | 7.3 | No |
| CVE-2021-26886 | User Profile Service Denial of Service Vulnerability | No | No | 5.5 | No |
| CVE-2021-26880 | Storage Spaces Controller Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26876 | OpenType Font Parsing Remote Code Execution Vulnerability | No | No | 8.8 | No |
| CVE-2021-24089 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-26902 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27061 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-24110 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27047 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27048 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27049 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27050 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27051 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-27062 | HEVC Video Extensions Remote Code Execution Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-24095 | DirectX Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-26890 | Application Virtualization Remote Code Execution Vulnerability | No | No | 7.8 | No |
Windows ESU Vulnerabilities
| CVE | Vulnerability Title | Exploited | Disclosed | CVSS3 | FAQ |
|---|---|---|---|---|---|
| CVE-2021-27077 | Windows Win32k Elevation of Privilege Vulnerability | No | Yes | 7.8 | No |
| CVE-2021-26875 | Windows Win32k Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26873 | Windows User Profile Service Elevation of Privilege Vulnerability | No | No | 7 | No |
| CVE-2021-26899 | Windows UPnP Device Host Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-1640 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
| CVE-2021-26878 | Windows Print Spooler Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26862 | Windows Installer Elevation of Privilege Vulnerability | No | No | 6.3 | No |
| CVE-2021-26861 | Windows Graphics Component Remote Code Execution Vulnerability | No | No | 7.8 | No |
| CVE-2021-24107 | Windows Event Tracing Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-26872 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26898 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26901 | Windows Event Tracing Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26897 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2021-26877 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2021-26893 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2021-26894 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2021-26895 | Windows DNS Server Remote Code Execution Vulnerability | No | No | 9.8 | Yes |
| CVE-2021-26896 | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes |
| CVE-2021-27063 | Windows DNS Server Denial of Service Vulnerability | No | No | 7.5 | Yes |
| CVE-2021-26869 | Windows ActiveX Installer Service Information Disclosure Vulnerability | No | No | 5.5 | Yes |
| CVE-2021-26882 | Remote Access API Elevation of Privilege Vulnerability | No | No | 7.8 | No |
| CVE-2021-26881 | Microsoft Windows Media Foundation Remote Code Execution Vulnerability | No | No | 7.5 | No |
| CVE-2021-26887 | Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability | No | No | 7.8 | Yes |
Summary Graphs
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.
