Microsoft Patch Tuesday, March 2021 Edition – Krebs on Security

If you are looking for more security to-dos from Microsoft today … the company released software updates to fix more than 82 security holes in Windows and other compatible software. Ten of them earned a “critical” rating from Microsoft, which means that they can be exploited by malware or criminals with little or no help from users.

At the top of the stack this month (in addition to the massive global Exchange Server compromise underway) is a patch for an Internet Explorer bug that is seeing active exploitation. The IE weakness – CVE-2021-26411 – affects IE11 and the latest EdgeHTML-based versions and allows attackers to run a file of their choice by getting you to view a hacked or malicious website in IE.

The IE flaw is linked to a vulnerability that was publicly disclosed in early February by researchers at ENKI, who say it was one of those used in a recent campaign by nation-state actors to target security researchers. In the ENKI blog post, the researchers said they will post proof of concept (PoC) details after the bug is fixed.

“As we’ve seen in the past, once PoC details become publicly available, attackers quickly incorporate these PoCs into their attack toolkits,” said Satnam Narang, research engineer at Tenable. “We encourage all organizations that rely on Internet Explorer and Microsoft Edge (EdgeHTML-Based) to apply these patches as soon as possible.”

This is probably a good place to quote Martin Brinkman from Ghacks.net: This is the latest patch for the legacy browser Microsoft Edge, which is being retired by Microsoft.

For the second month in a row, Microsoft has fixed scary DNS server flaws in Windows Server 2008 through 2019 versions that can be used to remotely install software of the attacker’s choice. All five DNS bugs fixed in today’s patch batch earned a CVSS (danger metric) score of 9.8 – almost as bad as it gets.

“There is a remote chance that this could be wormable between DNS servers,” warned Trend Micro’s Dustin Childs.

As mentioned above, hundreds of thousands of organizations are dealing with a security nightmare after having their Exchange Server and Outlook Web Access (OWA) hacked and fitted with a backdoor. If an organization you know has been affected by this attack, ask them to check out the new victim notification website mentioned in today’s story.

Susan Bradley at Askwoody.com says that “nothing in the March security updates (other than those for Exchange released last week) is making me want to urge you to run to your machines and fix this right now.” I agree, unless you browse the web with older Microsoft browsers.

It is a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not companies) it is generally safe to wait a few days after patches are released, so that Microsoft has time to iron out any kinks in the new armor.

But before updating, please make sure you have backed up your system and/or important files. It is not uncommon for a Windows update package to lock the system or prevent it from booting properly, and some updates can erase or corrupt files.

So do yourself a favor and back up before installing any patches. Windows 10 even has a few built-in tools to help you do that, either by file/folder or by making a complete, bootable copy of your hard drive at once.

And if you want to ensure that Windows has been configured to pause updating so that you can back up your files and/or system before the operating system decides to restart and install patches on its own schedule, see this guide.

As always, if you experience glitches or problems installing any of these patches this month, leave a comment about it below; there is a better-than-even chance that other readers have experienced the same and may chime in here with some useful tips.

Further reading:

Martin Brinkman’s always comprehensive take.

The SANS Internet Storm Center’s no-frills breakdown of the fixes.

Tags: AskWoody.com, CVE-2021-26411, Dustin Childs, Exchange Server hack, Microsoft Patch Tuesday March 2021, Satnam Narang, Tenable, Windows DNS

This entry was posted on Tuesday, March 9th, 2021 at 20:42 and is filed under Others.