By Jon Munshaw, with contributions from Nick Biasini.
Microsoft released its monthly security update Tuesday, disclosing 89 vulnerabilities across its suite of products, the most in any month so far this year.
There are 14 critical vulnerabilities as part of this release and one considered of “low” severity. The remainder are all “important.” Three of the critical vulnerabilities are the ones Microsoft disclosed last week in Exchange Server that the company said state-sponsored actors exploited in the wild to steal emails. Microsoft also announced Monday they were releasing patches for older versions of Exchange Server.
All organizations using the affected software should prevent external access to port 443 on Exchange Servers, or require a VPN for any external access to that port. This ensures that only authenticated and authorized users can connect to the service. However, this action only protects against the initial step of the attack.
Administrators should also immediately apply the published patches to vulnerable Exchange Servers. Outside of Exchange Server, this month’s security update provides patches for several other pieces of software, including Azure Sphere, the SharePoint file-sharing service and the .hevc video file extension.
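One way to carry out the port 443 mitigation on the Exchange host itself, as an added example that is not part of the Talos post or of any Microsoft guidance: the script below finds every enabled inbound Windows Firewall allow rule that covers TCP port 443 and scopes it to the internal and VPN address ranges you specify, so that only those sources reach the service. The function name, the address ranges and the assumption that the firewall profile's default inbound action is Block are all placeholders or assumptions of this example; a perimeter firewall in front of the server is the more usual place for the same restriction.

```powershell
# Added example (not from the Talos post): scope host-firewall allow rules for
# TCP/443 on an Exchange server to internal/VPN ranges only.
# Assumptions: NetSecurity module available (Windows Server), elevated shell,
# and the active firewall profile's default inbound action is Block, so that
# narrowing the allow rules actually excludes other sources.
Import-Module NetSecurity

function Limit-ExchangeHttpsExposure {
    param(
        # Assumed placeholder ranges: internal network plus the VPN client pool.
        [string[]]$AllowedRemote = @('10.0.0.0/8', '192.168.50.0/24'),
        # Without -Apply the function only reports; with it, open rules are rescoped.
        [switch]$Apply
    )

    # Every enabled inbound Allow rule whose port filter includes local TCP 443.
    # Rules with LocalPort 'Any' are not matched and must be reviewed separately.
    $rules = Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains '443' } |
        Get-NetFirewallRule |
        Where-Object {
            $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
        }

    foreach ($rule in $rules) {
        $current = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
        $openToAny = ($current -contains 'Any')

        # Report one row per rule so the dry run can be reviewed before applying.
        [pscustomobject]@{
            Rule          = $rule.DisplayName
            RemoteAddress = ($current -join ',')
            OpenToAny     = $openToAny
        }

        if ($Apply -and $openToAny) {
            # Replace the unrestricted remote scope with the allowed ranges only.
            $rule | Set-NetFirewallRule -RemoteAddress $AllowedRemote
        }
    }
}

# Dry run first: list the 443 allow rules and whether they accept any source.
Limit-ExchangeHttpsExposure | Format-Table -AutoSize

# Apply once the ranges have been verified against the real network layout:
# Limit-ExchangeHttpsExposure -AllowedRemote @('10.0.0.0/8') -Apply
```

Run the dry run and check the RemoteAddress column before applying; Exchange and IIS create their own HTTPS rules with names that vary by version, which is why the script selects by port rather than by display name. As the post notes, this only closes the unauthenticated entry point; the patches still have to be installed.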
Talos also released a new set of SNORTⓇ rules that provide coverage for some of these vulnerabilities. For complete details, check out the latest Snort advisory here.
The Internet Explorer web browser contains two critical vulnerabilities — one that could allow an attacker to corrupt memory on the victim's machine and another that could lead to remote code execution. CVE-2021-26411 is triggered when a user opens an attacker-controlled website that contains malicious code. Microsoft states that this vulnerability has already been exploited in the wild.
The other vulnerability, CVE-2021-27085, has not been exploited in the wild, but could still allow an adversary to execute code. Both Internet Explorer vulnerabilities have a severity score of 8.8 out of 10.
Another critical vulnerability exists in Git for Visual Studio that could allow an adversary to execute remote code. CVE-2021-21300 could compromise development environments. An attacker would not need credentials to exploit this vulnerability, though it does require user interaction.
Windows DNS servers also contain several remote code execution vulnerabilities, though they are considered “important.” A DNS server is only vulnerable to exploitation if it has dynamic updates enabled. Users can enable Secure Zone Updates to limit the potential sources of an attack, but this does not completely prevent exploitation. Users should instead rely on installing Microsoft’s patch for complete protection.
The remote code execution vulnerabilities in DNS servers are CVE-2021-26877, CVE-2021-26893, CVE-2021-26894, CVE-2021-26895 and CVE-2021-26897. Two other vulnerabilities — CVE-2021-27063 and CVE-2021-26896 — are of the same nature but can only lead to a denial of service rather than code execution.
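The DNS precondition above (dynamic updates enabled) and the partial mitigation (secure-only updates) can both be checked from PowerShell. The script below is an added example, not code from the Talos post or from Microsoft: it lists every primary zone on a Windows DNS server with its dynamic-update setting, flags the zones that accept updates at all and the ones that accept unauthenticated updates, and shows how the latter can be switched to secure-only. The server name is an assumed placeholder; the DnsServer module cmdlets used (Get-DnsServerZone, Set-DnsServerPrimaryZone) are the real ones.

```powershell
# Added example (not from the Talos post): audit dynamic-update settings on a
# Windows DNS server. Requires the DnsServer module (DNS role or RSAT) and
# rights to query the server. Server name below is an assumed placeholder.
Import-Module DnsServer

function Get-DnsDynamicUpdateExposure {
    param([string]$ComputerName = 'localhost')

    # Only primary zones accept dynamic updates; secondary, stub and forwarder
    # zones and the automatically created reverse zones are skipped.
    Get-DnsServerZone -ComputerName $ComputerName |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated } |
        ForEach-Object {
            [pscustomobject]@{
                ZoneName        = $_.ZoneName
                ADIntegrated    = $_.IsDsIntegrated
                # DynamicUpdate is one of: None, Secure, NonsecureAndSecure
                DynamicUpdate   = $_.DynamicUpdate
                # Any setting other than None meets the precondition in the post
                AcceptsUpdates  = ($_.DynamicUpdate -ne 'None')
                # NonsecureAndSecure accepts updates from unauthenticated sources
                Unauthenticated = ($_.DynamicUpdate -eq 'NonsecureAndSecure')
            }
        }
}

$server = 'dns01.corp.example'   # assumed placeholder
$report = Get-DnsDynamicUpdateExposure -ComputerName $server
$report | Format-Table -AutoSize

# Zones accepting unauthenticated updates can be tightened to secure-only.
# Secure updates require an Active Directory-integrated zone, so file-backed
# zones are excluded here. -WhatIf previews the change; remove it to apply.
$report |
    Where-Object { $_.Unauthenticated -and $_.ADIntegrated } |
    ForEach-Object {
        Set-DnsServerPrimaryZone -ComputerName $server -Name $_.ZoneName `
            -DynamicUpdate Secure -WhatIf
    }
```

The AcceptsUpdates column is the one that matters for exposure: every zone where it is true remains exploitable until the patch is applied, even after the switch to secure-only updates, which only narrows who can send them.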
For a complete list of all the vulnerabilities Microsoft disclosed this month, check out its update page.
In response to these vulnerability disclosures, Talos is releasing a new SNORTⓇ rule set that detects attempts to exploit some of them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.
The rules included in this release that protect against the exploitation of many of these vulnerabilities are 54518, 57233, 57234, 57241 - 57246, 57252, 57253, 57259 - 57268, 57269 and 57274 - 57276.