Another Patch Tuesday (2021-Mar) is upon us and with this month comes a whopping 122 CVEs. As usual Windows tops the list of the most patched product. However, this month it’s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.
Vulnerability Breakdown by Software Family
Family
Vulnerability Count
Windows
59
Browser
35
ESU
24
Microsoft Office
11
Exchange Server
7
Developer Tools
6
Azure
3
SQL Server
1
Exchange Server Vulnerabilities
Earlier this month Microsoft released out of band updates for Exchange Server. These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances.
Yesterday, Microsoft issued an additional set of patches for older, unsupported versions of Exchange Server. This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.
If you administer an Exchange Server, stop reading this blog and go patch these systems! For more information please see our blog post on the topic.
Patch those Windows systems!
Almost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:
Multiple high severity RCE vulnerabilities in Windows DNS Server (CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895, and CVE-2021-26897)
Remote Code Execution in Hyper-V (CVE-2021-26867) enabling virtual machine escape (CVSSv3 9.9)
Browser Vulnerabilities
Since going end-of-life in November 2020, we haven’t seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: CVE-2021-27085 and CVE-2021-26411. CVE-2021-26411 has been exploited in the wild, so don’t delay applying patches if IE is still in your environment.
The majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.
Summary Tables
Here are this month’s patched vulnerabilities split by the product family.
Azure Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-27075
Azure Virtual Machine Information Disclosure Vulnerability
No
No
6.8
Yes
CVE-2021-27080
Azure Sphere Unsigned Code Execution Vulnerability
No
No
9.3
Yes
CVE-2021-27074
Azure Sphere Unsigned Code Execution Vulnerability
No
No
6.2
Yes
Browser Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-27085
Internet Explorer Remote Code Execution Vulnerability
No
No
8.8
No
CVE-2021-21190
Chromium CVE-2021-21190 : Uninitialized Use in PDFium
No
No
N/A
Yes
CVE-2021-21189
Chromium CVE-2021-21189: Insufficient policy enforcement in payments
No
No
N/A
Yes
CVE-2021-21188
Chromium CVE-2021-21188: Use after free in Blink
No
No
N/A
Yes
CVE-2021-21187
Chromium CVE-2021-21187: Insufficient data validation in URL formatting
No
No
N/A
Yes
CVE-2021-21186
Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning
No
No
N/A
Yes
CVE-2021-21185
Chromium CVE-2021-21185: Insufficient policy enforcement in extensions
No
No
N/A
Yes
CVE-2021-21184
Chromium CVE-2021-21184: Inappropriate implementation in performance APIs
No
No
N/A
Yes
CVE-2021-21183
Chromium CVE-2021-21183: Inappropriate implementation in performance APIs
No
No
N/A
Yes
CVE-2021-21182
Chromium CVE-2021-21182: Insufficient policy enforcement in navigations
No
No
N/A
Yes
CVE-2021-21181
Chromium CVE-2021-21181: Side-channel information leakage in autofill
No
No
N/A
Yes
CVE-2021-21180
Chromium CVE-2021-21180: Use after free in tab search
No
No
N/A
Yes
CVE-2021-21179
Chromium CVE-2021-21179: Use after free in Network Internals
No
No
N/A
Yes
CVE-2021-21178
Chromium CVE-2021-21178 : Inappropriate implementation in Compositing
No
No
N/A
Yes
CVE-2021-21177
Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill
No
No
N/A
Yes
CVE-2021-21176
Chromium CVE-2021-21176: Inappropriate implementation in full screen mode
No
No
N/A
Yes
CVE-2021-21175
Chromium CVE-2021-21175: Inappropriate implementation in Site isolation
No
No
N/A
Yes
CVE-2021-21174
Chromium CVE-2021-21174: Inappropriate implementation in Referrer
No
No
N/A
Yes
CVE-2021-21173
Chromium CVE-2021-21173: Side-channel information leakage in Network Internals
No
No
N/A
Yes
CVE-2021-21172
Chromium CVE-2021-21172: Insufficient policy enforcement in File System API
No
No
N/A
Yes
CVE-2021-21171
Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation
No
No
N/A
Yes
CVE-2021-21170
Chromium CVE-2021-21170: Incorrect security UI in Loader
No
No
N/A
Yes
CVE-2021-21169
Chromium CVE-2021-21169: Out of bounds memory access in V8
No
No
N/A
Yes
CVE-2021-21168
Chromium CVE-2021-21168: Insufficient policy enforcement in appcache
No
No
N/A
Yes
CVE-2021-21167
Chromium CVE-2021-21167: Use after free in bookmarks
No
No
N/A
Yes
CVE-2021-21166
Chromium CVE-2021-21166: Object lifecycle issue in audio
No
No
N/A
Yes
CVE-2021-21165
Chromium CVE-2021-21165: Object lifecycle issue in audio
No
No
N/A
Yes
CVE-2021-21164
Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS
No
No
N/A
Yes
CVE-2021-21163
Chromium CVE-2021-21163: Insufficient data validation in Reader Mode
No
No
N/A
Yes
CVE-2021-21162
Chromium CVE-2021-21162: Use after free in WebRTC
No
No
N/A
Yes
CVE-2021-21161
Chromium CVE-2021-21161: Heap buffer overflow in TabStrip
No
No
N/A
Yes
CVE-2021-21160
Chromium CVE-2021-21160: Heap buffer overflow in WebAudio
No
No
N/A
Yes
CVE-2021-21159
Chromium CVE-2021-21159: Heap buffer overflow in TabStrip
No
No
N/A
Yes
CVE-2020-27844
Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG
No
No
N/A
Yes
Browser ESU Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-26411
Internet Explorer Memory Corruption Vulnerability
Yes
Yes
8.8
Yes
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-27060
Visual Studio Code Remote Code Execution Vulnerability
No
No
7.8
No
CVE-2021-27084
Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability
No
No
N/A
No
CVE-2021-27081
Visual Studio Code ESLint Extension Remote Code Execution Vulnerability
No
No
7.8
No
CVE-2021-27083
Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability
No
No
7.8
No
CVE-2021-27082
Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability
No
No
7.8
No
CVE-2021-21300
Git for Visual Studio Remote Code Execution Vulnerability
No
No
8.8
No
Exchange Server Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-26412
Microsoft Exchange Server Remote Code Execution Vulnerability
No
No
9.1
No
CVE-2021-26855
Microsoft Exchange Server Remote Code Execution Vulnerability
Yes
No
9.1
Yes
CVE-2021-27078
Microsoft Exchange Server Remote Code Execution Vulnerability
No
No
9.1
No
CVE-2021-26857
Microsoft Exchange Server Remote Code Execution Vulnerability
Yes
No
7.8
Yes
CVE-2021-27065
Microsoft Exchange Server Remote Code Execution Vulnerability
Yes
No
7.8
Yes
CVE-2021-26858
Microsoft Exchange Server Remote Code Execution Vulnerability
Yes
No
7.8
Yes
CVE-2021-26854
Microsoft Exchange Server Remote Code Execution Vulnerability
No
No
6.6
No
Microsoft Office Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-27055
Microsoft Visio Security Feature Bypass Vulnerability
No
No
7
Yes
CVE-2021-24104
Microsoft SharePoint Spoofing Vulnerability
No
No
4.6
Yes
CVE-2021-27076
Microsoft SharePoint Server Remote Code Execution Vulnerability
No
No
8.8
Yes
CVE-2021-27052
Microsoft SharePoint Server Information Disclosure Vulnerability
No
No
5.3
Yes
CVE-2021-27056
Microsoft PowerPoint Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-24108
Microsoft Office Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27057
Microsoft Office Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27059
Microsoft Office Remote Code Execution Vulnerability
No
No
7.6
Yes
CVE-2021-27058
Microsoft Office ClickToRun Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27053
Microsoft Excel Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27054
Microsoft Excel Remote Code Execution Vulnerability
No
No
7.8
Yes
SQL Server Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-26859
Microsoft Power BI Information Disclosure Vulnerability
No
No
7.7
Yes
Windows Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-26900
Windows Win32k Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26863
Windows Win32k Elevation of Privilege Vulnerability
No
No
7
No
CVE-2021-26871
Windows WalletService Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26885
Windows WalletService Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26864
Windows Virtual Registry Provider Elevation of Privilege Vulnerability
No
No
8.4
No
CVE-2021-1729
Windows Update Stack Setup Elevation of Privilege Vulnerability
No
No
7.1
No
CVE-2021-26889
Windows Update Stack Elevation of Privilege Vulnerability
No
No
7.1
No
CVE-2021-26866
Windows Update Service Elevation of Privilege Vulnerability
No
No
7.1
No
CVE-2021-26870
Windows Projected File System Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26874
Windows Overlay Filter Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26879
Windows NAT Denial of Service Vulnerability
No
No
7.5
No
CVE-2021-26884
Windows Media Photo Codec Information Disclosure Vulnerability
No
No
5.5
Yes
CVE-2021-26867
Windows Hyper-V Remote Code Execution Vulnerability
No
No
9.9
Yes
CVE-2021-26868
Windows Graphics Component Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26892
Windows Extensible Firmware Interface Security Feature Bypass Vulnerability
No
No
6.2
No
CVE-2021-24090
Windows Error Reporting Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26865
Windows Container Execution Agent Elevation of Privilege Vulnerability
No
No
8.8
No
CVE-2021-26891
Windows Container Execution Agent Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26860
Windows App-V Overlay Filter Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-27066
Windows Admin Center Security Feature Bypass Vulnerability
No
No
4.3
No
CVE-2021-27070
Windows 10 Update Assistant Elevation of Privilege Vulnerability
No
No
7.3
No
CVE-2021-26886
User Profile Service Denial of Service Vulnerability
No
No
5.5
No
CVE-2021-26880
Storage Spaces Controller Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26876
OpenType Font Parsing Remote Code Execution Vulnerability
No
No
8.8
No
CVE-2021-24089
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-26902
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27061
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-24110
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27047
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27048
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27049
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27050
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27051
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-27062
HEVC Video Extensions Remote Code Execution Vulnerability
No
No
7.8
Yes
CVE-2021-24095
DirectX Elevation of Privilege Vulnerability
No
No
7
No
CVE-2021-26890
Application Virtualization Remote Code Execution Vulnerability
No
No
7.8
No
Windows ESU Vulnerabilities
CVE
Vulnerability Title
Exploited
Disclosed
CVSS3
FAQ
CVE-2021-27077
Windows Win32k Elevation of Privilege Vulnerability
No
Yes
7.8
No
CVE-2021-26875
Windows Win32k Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26873
Windows User Profile Service Elevation of Privilege Vulnerability
No
No
7
No
CVE-2021-26899
Windows UPnP Device Host Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-1640
Windows Print Spooler Elevation of Privilege Vulnerability
No
No
7.8
Yes
CVE-2021-26878
Windows Print Spooler Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26862
Windows Installer Elevation of Privilege Vulnerability
No
No
6.3
No
CVE-2021-26861
Windows Graphics Component Remote Code Execution Vulnerability
No
No
7.8
No
CVE-2021-24107
Windows Event Tracing Information Disclosure Vulnerability
No
No
5.5
Yes
CVE-2021-26872
Windows Event Tracing Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26898
Windows Event Tracing Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26901
Windows Event Tracing Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26897
Windows DNS Server Remote Code Execution Vulnerability
No
No
9.8
Yes
CVE-2021-26877
Windows DNS Server Remote Code Execution Vulnerability
No
No
9.8
Yes
CVE-2021-26893
Windows DNS Server Remote Code Execution Vulnerability
No
No
9.8
Yes
CVE-2021-26894
Windows DNS Server Remote Code Execution Vulnerability
No
No
9.8
Yes
CVE-2021-26895
Windows DNS Server Remote Code Execution Vulnerability
No
No
9.8
Yes
CVE-2021-26896
Windows DNS Server Denial of Service Vulnerability
No
No
7.5
Yes
CVE-2021-27063
Windows DNS Server Denial of Service Vulnerability
No
No
7.5
Yes
CVE-2021-26869
Windows ActiveX Installer Service Information Disclosure Vulnerability
No
No
5.5
Yes
CVE-2021-26882
Remote Access API Elevation of Privilege Vulnerability
No
No
7.8
No
CVE-2021-26881
Microsoft Windows Media Foundation Remote Code Execution Vulnerability
No
No
7.5
No
CVE-2021-26887
Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability
No
No
7.8
Yes
Summary Graphs
If you like the site, please consider joining the telegram channel or supporting us on Patreon using the button below.
Post Navigation