Patch Tuesday Highlights - March 2021

3 Likes
7 months ago

March Patch Tuesday (and the week leading up to it) was dominated with the continually evolving news around the Microsoft Exchange attacks orchestrated by the APT (advance persistent threat) group known as Hafnium.

While those attacks certainly were the headline event, a few other zero-day exploits and publicly disclosed vulnerabilities has ensured that March is a month you’ll want to make sure your endpoints are patched and up to date. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

Quick Take

  • Microsoft released fixes for approximately 50 vulnerabilities.
  • Two publicly disclosed vulnerabilities:
  • One known exploited and disclosed vulnerability: CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability. 8.8 CVSS that exploits Internet Explorer 9, Internet Explorer 11, and Microsoft Edge (HTML-based)
  • Combined Servicing Stack Update and Latest Cumulative Update this month: Windows 10 2004 and newer. For these OS versions, the LCU includes the SSU.
  • Separate Servicing Stack Update this month: Windows 10 1809/Server 2019 and Windows 10 1909/Server 1909. For these OS versions, the SSU and LCU are separate updates.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB5000859). It is not a prerequisite for March updates but we recommend that you install it this month in case it is required for April updates.
  • CRITICAL Severity: The cumulative update (KB5000822) resolves 45 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows Server 2016 Updates

Windows 10 Updates

  • There is a new Servicing Stack Update for versions 1809 (KB5000859) and 1909 (KB5000908). It is not a prerequisite for March updates but we recommend that you install it this month in case it is required for April updates.
  • CRITICAL Severity: The cumulative update (KB number varies by version) resolves up to 50 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows 8.1 / Windows Server 2012 R2 Updates

  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5000848) resolves 29 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
  • CRITICAL Severity: The Security Only Quality Update (KB5000853) resolves 27 new CVEs, including publicly disclosed CVE-2021-27077.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5000800) resolves 2 new critical CVEs - publicly disclosed/known exploited CVE-2021-26411 and known exploited CVE-2021-27085. Apply it with the Security Only Quality Update (KB5000853). It is not needed with the Security Monthly Quality Rollup (KB5000848).

Windows Server 2012 Updates

  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5000847) resolves 28 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
  • CRITICAL Severity: The Security Only Quality Update (KB5000840) resolves 26 new CVEs, including publicly disclosed CVE-2021-27077.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5000800) resolves 2 new critical CVEs - publicly disclosed/known exploited CVE-2021-26411 and known exploited CVE-2021-27085. Apply it with the Security Only Quality Update (KB5000840). It is not needed with the Security Monthly Quality Rollup (KB5000847).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5000841) resolves 25 new CVEs including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
  • CRITICAL Severity: The Security Only Quality Update (KB45000851) resolves 23 new CVEs including publicly disclosed CVE-2021-27077.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5000800) resolves 2 new critical CVEs - publicly disclosed/known exploited CVE-2021-26411 and known exploited CVE-2021-27085. Apply it with the Security Only Quality Update (KB5000851). It is not needed with the Security Monthly Quality Rollup (KB5000841).

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5000844) resolves 22 new CVEs including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
  • CRITICAL Severity: The Security Only Quality Update (KB5000856) resolves 21 new CVEs including publicly disclosed CVE-2021-27077.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 9 (KB5000800) resolves 1 new critical CVE - publicly disclosed/known exploited CVE-2021-26411. Apply it with the Security Only Quality Update (KB5000856). It is not needed with the Security Monthly Quality Rollup (KB5000844).

Microsoft SharePoint Server

  • IMPORTANT Severity: The monthly Security Update resolves 3 CVEs (CVE-2021-24104CVE-2021-27052CVE-2021-27076) across Enterprise Server 2016, Foundation Server 2013, and SharePoint Server 2019. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

Third-Party Security Updates

  • Google Chrome 88.0.4324.182 (resolves 9 CVEs)
  • Google Chrome 89.0.4389.72 (resolves 34 CVEs)
  • Firefox 86.0 (resolves 13 CVEs)
  • Firefox 78.8.0 ESR (resolves 4 CVEs)
  • Thunderbird 78.8.0 (resolves 4 CVEs)

Labels:

Patch Management
Configuration Management
Comment List
Anonymous
Related Discussions
Recommended