There was an interesting start to March, with four Exchange Server exploits and an out of band update. There is an additional Zero Day vulnerability being exploited in Internet Explorer and three publicly disclosed vulnerabilities to discuss this month. A total of 83 unique CVEs (Common Vulnerabilities and Exposures) have been resolved in Microsoft’s March Patch Tuesday update. Microsoft products affected this month include Windows OS, Office, Internet Explorer, Edge, Exchange Server, and Sharepoint, as well as many development tools and updates for Azure, Azure DevOps, and Azure Sphere.

Exchange Zero Day Update:

Microsoft has provided a set of links to many relevant articles on the Exchange vulnerabilities, steps to identify if your environment has been compromised, mitigation options meant to protect environments short-term at the sacrifice of some functionality, and steps to take if you believe you have found indications of compromise. They also expanded the release with additional version\CU coverage.

It is rare for Microsoft to update out of support versions of a product. This is an indication of the severity and reach of the attacks targeting the Exchange Server on-prem products. Revision note:

Reason for Revision: Microsoft is releasing security updates for CVE-2021-27065, CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for several Cumulative Updates that are out of support, including Exchange Server 2019 CU 6, CU 5, and CU 4 and Exchange Server 2016 CU 16, CU 15, and CU14.

Please see the following for more information on the Microsoft Exchange Server Vulnerabilities:

Exploited and Publicly Disclosed Vulnerabilities:

Internet Explorer and Edge (HTML-based) browsers are being targeted by attacks in the wild. This vulnerability has also been publicly disclosed, which would allow other threats. CVE-2021-26411 is a memory corruption vulnerability that could allow an attacker to target users with specially crafted content. An attacker could utilize specially crafted websites or websites that accept user-provided content or advertisements to host content designed to exploit this vulnerability.

A publicly disclosed vulnerability (CVE-2021-27077) exists in Windows Win32k that could allow an attacker to elevate privileges on the affected system. The vulnerability is rated as Important and carries a base score of 7.8, but the exposure of being publicly disclosed raises the potential risk