NSA helps out Microsoft with critical Exchange Server vulnerability disclosures in an April shower of patches

100+ fixes for the Windows world – plus holes in SAP, Adobe, FreeBSD, etc

April showers bring hours of patches as Microsoft delivers its Patch Tuesday fun-fest consisting of over a hundred CVEs, including four Exchange Server vulnerabilities reported to the company by the US National Security Agency (NSA).

Forty-four different products and services are affected, mainly having to do with Azure, Exchange Server, Office, Visual Studio Code, and Windows. Among the vulnerabilities, four have been publicly disclosed and a fifth is being actively exploited. Nineteen of the CVEs have been designated critical.

"This month’s release includes a number of critical vulnerabilities that we recommend you prioritize, including updates to protect against new vulnerabilities in on-premise Exchange Servers," Microsoft said in its blog post.

"These new vulnerabilities were reported by a security partner through standard coordinated vulnerability disclosure and found internally by Microsoft. We have not seen the vulnerabilities used in attacks against our customers."

Clicking through Microsoft's coy links to CVE-2021-28480 (9.8 severity), CVE-2021-28481 (9.8 severity), CVE-2021-28482 (8.8 severity), and CVE-2021-28483 (9.0 severity), you'll find the unspecified security partner is the NSA.

Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9 are affected by this set of problems.

"NSA urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks," the signals intelligence agency said via Twitter.

The NSA assist comes a month after Microsoft fixed four Exchange Server zero-day flaws, claiming that a China-based hacking group, dubbed "Hafnium," exploited the vulnerabilities to steal data from US defense contractors, law firms, and medical researchers.

Pointing to the two 9.8 severity Exchange flaws, Dustin Childs, director of communications for the Zero Day Initiative, in a blog post said, "Both code execution bugs are unauthenticated and require no user interaction. Since the attack vector is listed as 'Network,' it is likely these bugs are wormable – at least between Exchange servers."

Six of the 114 Microsoft CVEs correspond to Microsoft Edge and were inherited via a recent Chromium update. Of the remainder, Childs notes that 27 are identified as "Remote Procedure Call Runtime Remote Code Execution Vulnerability," with 12 of these designated critical and 15 rated important.

"In RPC vulnerabilities seen in the past, an attacker would need to send a specially crafted RPC request to an affected system," he explained. "Successful exploitation results in executing code in the context of another user."

Among the rest, only CVE-2021-28310, identified as a Win32k Elevation of Privilege Vulnerability, is known to be under active exploitation.

And the rest

SAP reported a higher number of security advisories than usual: 23, of which 11 are medium severity, five are high severity, and three are designated "Hot News" because SAP evidently can't bring itself to say "critical."

Among these three, one flaw managed to score a perfect 10 CVSS score. SAP hasn't made the details publicly available but security firm Onapsis explains that it's an update that fixes 62 vulnerabilities in Google's Chromium browser, which is used in SAP Business Client.

The runner-up is a 9.9 severity flaw designated CVE-2021-27602, which SAP describes as a remote code execution vulnerability in Source Rules of SAP Commerce, versions 1808, 1811, 1905, 2005, and 2011.

The last of the top three is a 9.6 severity missing authorization check in SAP NetWeaver AS JAVA (migration service), which was assigned CVE-2021-21481.

Adobe meanwhile issued four advisories – APSB21-28 for Photoshop, APSB21-26 for Digital Editions, APSB21-23 for Bridge, and APSB21-20 for RoboHelp – addressing ten CVEs. Four of these are critical – two of these in Photoshop and the other two in Bridge.

Google at the beginning of the month dropped 39 CVEs covering Android and components from MediaTek and Qualcomm. Two were designated critical.

"The most severe of these issues is a critical security vulnerability in the System component that could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process," Google's security bulletin said.
