March Patch Tuesday (and the week leading up to it) was dominated with the continually evolving news around the Microsoft Exchange attacks orchestrated by the APT (advance persistent threat) group known as Hafnium.

While those attacks certainly were the headline event, a few other zero-day exploits and publicly disclosed vulnerabilities has ensured that March is a month you’ll want to make sure your endpoints are patched and up to date. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

• The Microsoft Exchange attacks dominated the news for the last several weeks. With tens of thousands of reported breaches, Microsoft released patches for both currently supported and no longer supported versions. The ZENworks Patch Management feed includes all of these released patches. Here’s some articles that might be of help as you address this issue:
  • A Basic Timeline of the Exchange Mass-Hack
  • Microsoft Threat Intelligence Center: HAFNIUM targeting Exchange Servers with 0-day exploits
  • Microsoft Exchange attacks: Now Microsoft rushes out a patch for older versions of Exchange
  • Emergency Directive 21-02: Mitigate Microsoft Exchange On-Premises Product Vulnerabilities
  • CISA: Remediating Microsoft Exchange Vulnerabilities
• March Patch Tuesday was the last patch release for the legacy Microsoft Edge web browser. Starting March 10, Microsoft started prompting users of Microsoft Edge Legacy to update from that no longer supported version to the new Microsoft Edge Chromium version. There is some ability to suppress the notifications if you want. Here’s a good reference article.

Quick Take

• Microsoft released fixes for approximately 50 vulnerabilities.
• Two publicly disclosed vulnerabilities:
  •  CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability: 7.8 CVSS that affects all Windows operating systems in current support and extended support.
  • CVE-2021-26701 .NET Core Remote Code Execution Vulnerability: 8.1 CVSS that was identified last month. Revised this month to include PowerShell Core 7.0 and 7.1 as affected products but not an issue if you already applied the remediating patches.
• One known exploited and disclosed vulnerability: CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability. 8.8 CVSS that exploits Internet Explorer 9, Internet Explorer 11, and Microsoft Edge (HTML-based)
• Combined Servicing Stack Update and Latest Cumulative Update this month: Windows 10 2004 and newer. For these OS versions, the LCU includes the SSU.
• Separate Servicing Stack Update this month: Windows 10 1809/Server 2019 and Windows 10 1909/Server 1909. For these OS versions, the SSU and LCU are separate updates.

Windows Server 2019 Updates

• There is a new Servicing Stack Update (KB5000859). It is not a prerequisite for March updates but we recommend that you install it this month in case it is required for April updates.
• CRITICAL Severity: The cumulative update (KB5000822) resolves 45 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows Server 2016 Updates

• CRITICAL Severity: The cumulative update (KB5000803) resolves 35 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows 10 Updates

• There is a new Servicing Stack Update for versions 1809 (KB5000859) and 1909 (KB5000908). It is not a prerequisite for March updates but we recommend that you install it this month in case it is required for April updates.
• CRITICAL Severity: The cumulative update (KB number varies by version) resolves up to 50 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.

Windows 8.1 / Windows Server 2012 R2 Updates

• CRITICAL Severity: The Security Monthly Quality Rollup (KB5000848) resolves 29 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
• CRITICAL Severity: The Security Only Quality Update (KB5000853) resolves 27 new CVEs, including publicly disclosed CVE-2021-27077.
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5000800) resolves 2 new critical CVEs - publicly disclosed/known exploited CVE-2021-26411 and known exploited CVE-2021-27085. Apply it with the Security Only Quality Update (KB5000853). It is not needed with the Security Monthly Quality Rollup (KB5000848).

Windows Server 2012 Updates

• CRITICAL Severity: The Security Monthly Quality Rollup (KB5000847) resolves 28 new CVEs, including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
• CRITICAL Severity: The Security Only Quality Update (KB5000840) resolves 26 new CVEs, including publicly disclosed CVE-2021-27077.
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5000800) resolves 2 new critical CVEs - publicly disclosed/known exploited CVE-2021-26411 and known exploited CVE-2021-27085. Apply it with the Security Only Quality Update (KB5000840). It is not needed with the Security Monthly Quality Rollup (KB5000847).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

• These updates can only be installed on devices that have an active ESU MAK license.
• In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.

• CRITICAL Severity: The Security Monthly Quality Rollup (KB5000841) resolves 25 new CVEs including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
• CRITICAL Severity: The Security Only Quality Update (KB45000851) resolves 23 new CVEs including publicly disclosed CVE-2021-27077.
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5000800) resolves 2 new critical CVEs - publicly disclosed/known exploited CVE-2021-26411 and known exploited CVE-2021-27085. Apply it with the Security Only Quality Update (KB5000851). It is not needed with the Security Monthly Quality Rollup (KB5000841).

Windows Server 2008 Extended Security Updates

• These updates can only be installed on devices that have an active ESU MAK license.
• In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
• CRITICAL Severity: The Security Monthly Quality Rollup (KB5000844) resolves 22 new CVEs including publicly disclosed CVE-2021-27077 and publicly disclosed/known exploited CVE-2021-26411.
• CRITICAL Severity: The Security Only Quality Update (KB5000856) resolves 21 new CVEs including publicly disclosed CVE-2021-27077.
• CRITICAL Severity: The Cumulative Security Update for Internet Explorer 9 (KB5000800) resolves 1 new critical CVE - publicly disclosed/known exploited CVE-2021-26411. Apply it with the Security Only Quality Update (KB5000856). It is not needed with the Security Monthly Quality Rollup (KB5000844).

Microsoft SharePoint Server

• IMPORTANT Severity: The monthly Security Update resolves 3 CVEs (CVE-2021-24104, CVE-2021-27052, CVE-2021-27076) across Enterprise Server 2016, Foundation Server 2013, and SharePoint Server 2019. None have public disclosures or known exploits.

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

• IMPORTANT Severity: The Security Update resolves up to 7 CVEs (CVE-2021-24108, CVE-2021-27053, CVE-2021-27054, CVE-2021-27055, CVE-2021-27056, CVE-2021-27057, CVE-2021-27058 ) depending on the version. None have public disclosures or known exploits.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

• IMPORTANT Severity: Each channel update resolves up to 7 CVEs (CVE-2021-24108, CVE-2021-27053, CVE-2021-27054, CVE-2021-27055, CVE-2021-27056, CVE-2021-27057, CVE-2021-27058 ) depending on the version. None have public disclosures or known exploits.

Third-Party Security Updates

• Google Chrome 88.0.4324.182 (resolves 9 CVEs)
• Google Chrome 89.0.4389.72 (resolves 34 CVEs)
• Firefox 86.0 (resolves 13 CVEs)
• Firefox 78.8.0 ESR (resolves 4 CVEs)
• Thunderbird 78.8.0 (resolves 4 CVEs)