Microsoft April 2021 Patch Tuesday

silversurfer

Today is Microsoft's April 2021 Patch Tuesday, and with it comes five zero-day vulnerabilities and more Critical Microsoft Exchange vulnerabilities. It has been a tough couple of months for Windows and Microsoft Exchange admins, and it looks like April won't be any easier, so please be nice to your IT staff today.

With today's update, Microsoft has fixed 108 vulnerabilities, with 19 classified as Critical and 89 as Important. These numbers do not include the 6 Chromium Edge vulnerabilities released earlier this month.

There are also five zero-day vulnerabilities patched today that were publicly disclosed, with one known to be used in attacks.

To make matters worse, Microsoft fixed four critical Microsoft Exchange vulnerabilities that the NSA discovered.

Five zero-day vulnerabilities fixed

As part of today's Patch Tuesday, Microsoft has fixed four publicly disclosed vulnerabilities and one actively exploited vulnerability.

The following four vulnerabilities Microsoft states were publicly exposed but not exploited:
  • CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
  • CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability
  • CVE-2021-28437 - Windows Installer Information Disclosure Vulnerability - PolarBear
  • CVE-2021-28458 - Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability
The following vulnerability discovered by Kaspersky researcher Boris Larin was found exploited in the wild.
 

Gandalf_The_Grey

The April 2021 Security Update Review:
It’s the second Tuesday of the month, which means the latest security updates from Adobe and Microsoft are released. Take a break from your regularly scheduled activities and join us as we review the details for their latest security offerings.

Adobe Patches for April 2021

For April, Adobe released four patches addressing 10 CVEs in Adobe Photoshop, Digital Editions, RoboHelp, and Bridge. The update for Bridge fixes six CVEs, all of which were reported through the ZDI program. Four of these bugs are rated Critical and could allow arbitrary code execution if exploited. The patch for Photoshop fixes two Critical-rated CVEs. Both of these buffer overflows could allow arbitrary code execution. The update for Digital Editions fixes a Critical-rated privilege escalation bug that could lead to an arbitrary file system write. Finally, the patch for RoboHelp fixes a single privilege escalation bug. None of the CVEs addressed by Adobe are listed as publicly known or under active attack at the time of release.

Microsoft Patches for April 2021

For April, Microsoft released patches for 114 CVEs in Microsoft Windows, Edge (Chromium-based), Azure and Azure DevOps Server, Microsoft Office, SharePoint Server, Hyper-V, Team Foundation Server, Visual Studio, and Exchange Server. This is the largest number of CVEs addressed in a month by Microsoft this year, and it is slightly higher than April of last year. A total of five of these bugs came through the ZDI program. None of the bugs being addressed this month were disclosed at the recent Pwn2Own contest. Of these 114 bugs, 19 are rated as Critical, 88 are rated Important, and one is rated Moderate in severity. Six additional bugs impact Edge (Chromium-based) and were ingested from a recent Chromium update. According to Microsoft, one bug is currently being exploited while four others are publicly known at the time of release.
 

Gandalf_The_Grey

April Patch Tuesday out – Exchange once again:
Small business guidance up first:
Exchange (Microsoft’s on premises mail server) has an update. This time I’m ignoring any guidance that might say “targeted attacks only” and saying – if you have on prem Exchange, patch TODAY just to be safe. I totally understand that to ask any business large or small to have them take down the mail server on a business day is asking a lot, but I’m not taking chances this time with my small business peeps getting nailed.
Patch them.
Do it.

Reboot that Exchange server ahead of time.
Ensure you open a command prompt and run as admin to run the commands to update Exchange. Ensure you watch that services have fully restarted after the box is rebooted.

Released: April 2021 Exchange Server Security Updates
Zero Day Initiative — The April 2021 Security Update Review

– CVE-2021-28480/28481 – Microsoft Exchange Server Remote Code Execution Vulnerability
Both of these CVEs are listed at a 9.8 CVSS and have identical write-ups, so they both get listed here. Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as “Network,” it is likely these bugs are wormable – at least between Exchange servers. The CVSS score for these two bugs is actually higher than the Exchange bugs exploited earlier this year. These bugs were credited to the National Security Agency. Considering the source, and considering these bugs also receive Microsoft’s highest Exploit Index rating, assume they will eventually be exploited. Update your systems as soon as possible.

For consumers and home users, pop that popcorn and we’re going to be in patch testing mode as usual watching for the dead bodies. As usual the full write up will be coming up in Monday’s Plus newsletter. Biggies to watch out for – old Edge goes, and… for how many months past October end of life for Office 2010 we are STILL patching Office 2010.
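
The elevation and post-reboot service check from the post above, as an added PowerShell example (not part of the original post or of Microsoft's guidance). The `MSExchange*` name filter and the extra IIS services `W3SVC` and `WAS` are this example's assumptions about what to watch.

```powershell
# Added example: post-reboot check on an on-premises Exchange server.
# Run from an elevated PowerShell prompt on the server itself.

# 1. Confirm the prompt is elevated, as the post advises for running the update.
$principal = New-Object Security.Principal.WindowsPrincipal(
    [Security.Principal.WindowsIdentity]::GetCurrent())
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Not elevated: reopen the prompt with "Run as administrator".'
}

# 2. Show when the box last booted, to confirm the reboot actually happened.
$boot = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
"Last boot: $boot"

# 3. Collect Exchange services plus the IIS services they depend on
#    (W3SVC and WAS are this example's choice of extras).
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -like 'MSExchange*' -or $_.Name -in 'W3SVC', 'WAS' }

# Automatic-start services that are not running have not come back yet.
# Delayed-start services also report 'Auto', so rerun after a few minutes
# before treating an entry here as a failure.
$notRunning = $services |
    Where-Object { $_.StartMode -eq 'Auto' -and $_.State -ne 'Running' }

# Disabled services are listed for review: some are disabled by design,
# but an interrupted update can also leave services in this state.
$disabled = $services | Where-Object { $_.StartMode -eq 'Disabled' }

'Automatic services not running:'
$notRunning | Select-Object Name, StartMode, State | Format-Table -AutoSize

'Disabled services (review against your baseline):'
$disabled | Select-Object Name, StartMode, State | Format-Table -AutoSize

if ($notRunning) {
    Write-Warning "$(@($notRunning).Count) automatic service(s) are not running."
} else {
    'All automatic Exchange services are running.'
}
```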
 

Gandalf_The_Grey

MS-DEFCON 4: Patching is approved:
Proceed to update.

I’m separating my patching guidance into two categories — one for consumer or home users and one for business users. And I’m changing our MS-DEFCON level to 4. At this time, I’m not seeing major issues with updating.

Consumer and home users

The April updates have been much better behaved and I’m not seeing any major issues with the releases. Problems identified in 2004/20H2 as impacting performance in games have been automatically mitigated by Microsoft, using its Known issue rollback process. The April updates also resolved the lingering issues with printing triggered with the March updates. Importantly, the April updates install the new, Chromium-based Edge as the default browser and remove the old, “legacy” Edge. Be aware that this update will reset default programs, such as your PDF reader, to the new Edge; you’ll need to make manual adjustments to restore your preferences.

Note: Going forward, when AskWoody mentions “Edge,” you should assume we mean the new, Chromium-based Edge. Otherwise, we will refer to legacy Edge.

If you are still using Windows 10 Home or Pro 1909 you have only until May before that version is no longer supported. If you have not already upgraded to 20H2, I recommend taking this opportunity to do so. Remember, my favorite way to upgrade is to use the Update now button on the Software download page.

Business users

Coming with the preview releases for Windows 10, and included in the May Security releases, Microsoft will be including a new “News and Interests” taskbar item that will feature topics of interest to your users. If you want to proactively block it, use the Group Policy editor or adjust registry keys.
 
