Tim Lovegrove
Security Analyst
Welcome to the March Patch Roundup blog, where we cover the latest in patch releases and vulnerability information from Microsoft, Adobe, VMware and the other major vendors.
This month we’re taking a slightly different approach; with multiple out-of-cycle updates and emergency patches released recently by several vendors, we’ll cover everything that’s been going on in the last month as well as yesterday’s Patch Tuesday releases.
MS Exchange Zero Day
On the 2nd of March Microsoft announced patches for four zero-day vulnerabilities in all the supported on-prem versions of Exchange, which were being actively targeted by the “Hafnium” criminal hacking group. Over the following days it was identified that some 30,000 Exchange servers had been targeted, and Microsoft released a further out-of-band update for the otherwise unsupported Exchange 2010. Microsoft advise ensuring all Exchange servers, including any internal-only servers, are fully patched for all relevant Cumulative Updates, and the additional patches released in early March
VMware vCenter Remote Code Execution
VMware vCenter Remote Code Execution VMware have released several advisories through February and March addressing serious vulnerabilities, including a Critical vulnerability in the vSphere client. A malicious actor with network access to port 443 could exploit this issue to execute commands with unrestricted privileges on the underlying vCenter Server.
While vCenter is typically not accessible over the internet, this could be used by an attacker as an escalation point if they already have a foothold in the network.
Apple M1 chip malware
It’s taken only a matter of months for hackers to deliver the first targeted malware for Apple’s new range of ARM-based M1 processor chips, with the “Silver Sparrow” or OSX/Slisp malware arriving on some 40,000 devices in late February.
The background to this malware is still unclear – how it spreads, what it does, why it can self-uninstall – with some researchers believing it is either a proof of concept or paving the way for a later fully-fledged attack. Apple promptly released updates and have bolstered these with further patches around Patch Tuesday.
Microsoft Patch Tuesday
On to the traditional Patch Tuesday itself, where we saw 82 further vulnerabilities addressed with the monthly patch release. One of these bugs – a memory corruption bug in Internet Explorer triggered via malicious code in a compromised website - is also known to be under active attack, adding to the four Exchange vulnerabilities already mentioned.
Other notable vulnerabilities include 5 bugs affecting Windows DNS server. This service has been a rich source of attacks in recent months, and while only one of these bugs obtains a Critical rating for its Remote Code Execution methodology, administrators will want to ensure all these issues are addressed.
The remaining fixes are spread across the usual array of apps and tools, and include a Remote Code Execution bug present in the Office suite, elevation of privilege in Windows Folder Redirection tools, and a Remote Code Execution bug in Sharepoint Server.