Patch Tuesday Highlights - April 2021

0 Likes
1 month ago

Microsoft provided fixes for 110 vulnerabilities with its April Patch Tuesday updates, including fixes for four publicly disclosed vulnerabilities and one known exploited (Zero Day) vulnerability. Three of the four publicly disclosed and the one known exploited are all in the operating system, so you’ll want to apply your Windows operating system updates as soon as possible. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

  • Pwn2Own 2021 took place earlier this month. The 3-day event featured 23 separate entries attempting to exploit 10 different products. If you’ve haven’t heard about it, check out the ZDI results article. And, of course, you can expect to see patches from various vendors over the next several months that resolve the exploited vulnerabilities.
  • The FBI got involved with removing web shells from still vulnerable Exchange servers in the US. This ZDNet article talks about it.
  • Next month (May 2021), several Windows OS versions reach their End of Support date, which means that their security updates end. These are the versions: Windows 10 versions 1803|1809 (Enterprise and Education) and Windows Server version 1909.

Quick Take

  • Microsoft released fixes for 110 vulnerabilities.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB5001404). It is not a prerequisite for April updates but we recommend that you install it this month in case it is required for May updates.
  • CRITICAL Severity: The cumulative update (KB5000822) resolves 45 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows Server 2016 Updates

  • There is a new Servicing Stack Update (KB5001402). It is not a prerequisite for April updates but we recommend that you install it this month in case it is required for May updates.
  • CRITICAL Severity: The cumulative update (KB5000803) resolves 35 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows 10 Updates

  • There are new Servicing Stack Update for versions 1507 (KB5001399), 1607 (KB5001402), 1803 (KB5001400), 1809 (KB5001404) and 1909 (KB5001406). It is not a prerequisite for April updates but we recommend that you install it this month in case it is required for May updates.
  • CRITICAL Severity: The cumulative update (KB number varies by version) resolves up to 79 new CVEs, including publicly disclosed CVE-2021-28312 and CVE-2021-28437 as well as known exploited CVE-2021-28310.

Windows 8.1 / Windows Server 2012 R2 Updates

  • There is a new Servicing Stack Update (KB5001403). It is not a prerequisite for April updates but we recommend that you install it this month in case it is required for May updates.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5001382) resolves 55 new CVEs, including publicly disclosed CVE-2021-28437.
  • CRITICAL Severity: The Security Only Quality Update (KB5001393) resolves 55 new CVEs, including publicly disclosed CVE-2021-28437.

Windows Server 2012 Updates

  • There is a new Servicing Stack Update (KB5001401). It is not a prerequisite for April updates but we recommend that you install it this month in case it is required for May updates.

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5001389) resolves 47 new CVEs including publicly disclosed CVE-2021-28437.
  • CRITICAL Severity: The Security Only Quality Update (KB5001332) resolves 47 new CVEs including publicly disclosed CVE-2021-28437.

Microsoft Exchange Server

Microsoft SharePoint Server

  • IMPORTANT Severity: The monthly Security Update resolves 2 CVEs (CVE-2021-28450CVE-2021-28453) across Microsoft SharePoint Server 2010, Microsoft SharePoint Foundation Server 2013, Microsoft SharePoint Enterprise Server 2016, and Microsoft SharePoint Server 2019. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

Third-Party Security Updates

  • Google Chrome 89.0.4389.138 (resolves 2 CVEs)
  • Firefox 87.0 (resolves 8 CVEs)
  • Firefox 78.9.0 ESR (resolves 4 CVEs)
  • SeaMonkey 2.53.7 (resolves 14 CVEs)
  • Thunderbird 78.9.1 (resolves 2 CVEs)
  • Wireshark 3.2.12 (resolves 1 CVE)
  • Wireshark 3.4.4 (resolves 1 CVE)
Comment List
Anonymous
Related Discussions
Recommended