April Microsoft Security Patches Released, Bringing More Critical Exchange Server Fixes
Microsoft on Tuesday released security updates for 114 common vulnerabilities and exposures (CVEs) in its software products, while also publishing a supplementary note urging organizations to apply the new April Exchange Server "Critical" patches "as soon as possible."
The count of 114 CVEs for this April bundle comes from Trend Micro's Zero Day Initiative (ZDI) blog post. It also counted 19 Critical vulnerabilities, 88 "Important" vulnerabilities and one flaw that was considered "Moderate" in severity in this month's Microsoft patch bundle.
Cisco's Talos security blog had a slightly different count. It described the Microsoft April security bundle as bringing fixes for a total of 108 vulnerabilities, of which 20 were deemed Critical, one was deemed Moderate and all of the rest being rated Important.
Any way that you count it, security researchers are saying that Microsoft's April security patch release represents its biggest monthly release so far this year.
The tallies and descriptions by non-Microsoft security researchers are helpful. Microsoft, for its part, doesn't publish total patch-count figures. Moreover, its severity descriptions in its "Security Update Guide" are just Common Vulnerability Scoring System (CVSS) numbered rankings, ranging from 1 to 10 (low to high).
Patch Exchange Server Now
Exchange Server products have four Critical vulnerabilities that could enable remote code execution attacks, as described in security bulletins CVE-2021-28480, CVE-2021-28481, CVE-2021-28482 and CVE-2021-28483. Affected products include Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019. There's no related patch for Exchange Server 2010, which isn't affected. Also not affected is the Exchange Online service.
The Exchange Server vulnerabilities this month are new. They aren't the same ones that were uncovered during ZDI's recent Pwn2Own contest, according to Dustin Childs of ZDI. During that event, Microsoft's products, especially Exchange Server, took a severe drubbing by various security researchers.
Two of the Exchange Server vulnerabilities (CVE-2021-28480 and CVE-2021-28481) have CVSS rankings at 9.8. Discovery credit was attributed to the U.S. National Security Agency, so it's serious.
"The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year," Childs noted. He likely was referring to Microsoft's March 2 out-of-band fixes to address Exchange Server "Hafnium" attacks, which were attributed to a nation-state attacker.
The National Security Agency joined the chorus of encouraging organizations to apply Microsoft's April Exchange Server patches, saying in a Twitter post that an exploit "could allow persistent access and control of enterprise networks."
Microsoft's Exchange Team on Tuesday offered a resource-filled blog post describing tools organizations can use to inventory their Exchange Server installations to check if they have the latest cumulative updates installed. There's also a wizard tool available that will indicate the steps that IT pros can take if they don't have the latest cumulative updates installed.
Organizations that only use Exchange Server on-premises to manage their Exchange Online subscriptions will still need to apply Microsoft's April cumulative updates (CUs), the Exchange team explained.
Unlike Microsoft's March patch release for the Hafnium flaws, this time around Microsoft isn't releasing security patches for unsupported Exchange Server products, the Exchange team indicated:
We have no plans to release the April 2021 security updates for older or unsupported CUs. In March, we took unprecedented steps and released SUs [security updates] for unsupported CUs because there were active exploits in the wild. You should update your Exchange Servers to supported CUs and then install the SUs.
Patch expert and Microsoft Most Valuable Professional Susan Bradley is advising companies, even small businesses, to take the time to apply these April Exchange Server security patches right away, even if it incurs downtime, according to this AskWoody.com post. Columnists at AskWoody.com are often skeptical of applying Microsoft's patches right away, but not in this case.
Windows Kernel Active Exploit
Just one vulnerability (CVE-2021-28310) was described by security researchers as being under active attack before this month's security patch release. It's a Win32k elevation of privilege vulnerability, rated as Important. It gets triggered by tricking a user to run code. Alternatively, it can be exploited if the attacker has Windows user log-on privileges.
Win32k.sys is described by Microsoft as a Windows "kernel-mode device driver" that's associated with multiple functions, such as display, screen output, device inputs and application messaging, along with managing graphics device output.
Publicly Known Vulnerabilities
Four of the vulnerabilities getting patches this month were listed by ZDI as being publicly known prior to the April patch release, which potentially increases risks for organizations. They include:
- CVE-2021-28458, an Important "Azure ms-rest-nodeauth" vulnerability that could enable elevation of privilege.
- CVE-2021-27091, an Important "RPC Endpoint Mapper Service" vulnerability that could enable elevation of privilege.
- CVE-2021-28437, an Important "Windows Installer Information Disclosure Vulnerability" that could lead to information disclosure.
- CVE-2021-28312, the one Moderate "Windows NTFS" vulnerability that could enable denial-of-service.
More Patch Commentary
More useful patch indexes and blog commentary about Microsoft's April security patch release can be had from patch management and security solutions firm Automox at this page.
Endpoint management and security solutions company Ivanti also offers regular patch Tuesday talks, with sign-up available at this page.
Security solutions firm Rapid7 also published an index and commentary on Microsoft April patch release, which can be found here.
Kurt Mackie is senior news producer for 1105 Media's Converge360 group.