Tim Lovegrove
Security Analyst
Welcome to the April Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors.
Microsoft Patch Tuesday
The big news for April is another round of critical Exchange vulnerabilities affecting all supported versions of the on-premise platform from 2013 through to 2019. Comprising four separate bugs and with CVSS scores ranging from 8.8 to 9.8, the worst of these enable attackers to send crafted traffic over the network to a target server in order to compromise it without needing to have authenticated to the server first. This enables attackers to scan the internet for vulnerable servers and fire malicious network packets at them without needing access to the target’s network, similar to the ProxyLogon attack reported earlier in the year.
For a long time, Exchange admins have been able to maintain their platforms with only periodic cumulative updates, sometimes only running updates every 6 or 12 months. With heightened interest in Exchange vulnerabilities overt the last 6 months, attackers are using it as an easy target to gain access to corporate networks, meaning it now requires a much more proactive, monthly patching cycle in line with other critical business assets. With many mail systems now running in a hybrid mode with Office365, it’s important to ensure access to the Exchange servers from the Internet, such as for on-prem hosted Outlook Web Access, has been properly decommissioned.
Aside from Exchange, Microsoft patched a total of 110 vulnerabilities this month, including one being actively targeted by malicious hackers. Exploit code for CVE-2021-28310 has been detected in the wild, however the nature of the vulnerability requires the attacker to be authenticated on the target machine to elevate their privileges, making it a prime candidate for chaining with other sandbox-escape bugs.
Both the Windows OS and the Office suite gets fixes for a number of RPC (remote procedure call) vulnerabilities. Present across all version of Windows, plus Excel, Word and underlying components of the Office suite, these 27 individual bugs can be triggered across the network and Microsoft have provided fixes for Server OSes back to Server 2008 as a result.
Browsers
On the 13th April a security researcher dropped details of a zero-day Remote Code Execution vulnerability for Google’s Chromium browser framework, which is used by a range of browsers including Chrome itself, Microsoft Edge, Opera and others. Google have yet to patch this bug, with the latest release of Chrome being version 89.0.4389.114 released on the 30th March. Chrome is generally good at updating itself automatically, but network administrators who manage updates for end-user devices will want to monitor and push the fixed version once it arrives.