
Microsoft Issues Security Patches for 82 Flaws — IE 0-Day Under Active Attacks

Microsoft plugged as many as 89 security flaws[1]
as part of its monthly Patch Tuesday updates released today,
including fixes for an actively exploited zero-day in Internet
Explorer that could permit an attacker to run arbitrary code on
target machines.

Of these flaws, 14 are listed as Critical and 75 are listed as
Important in severity. Two of the bugs are described as publicly
known, while five others have been reported as under active attack
at the time of release.

Among those five security issues is a clutch of vulnerabilities
known as ProxyLogon[2]
(CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065)
that allow adversaries to break into Microsoft Exchange Servers in
target environments and subsequently install unauthorized web-based
backdoors to facilitate long-term access.

But in the wake of Exchange servers coming under indiscriminate assault[3]
toward the end of February by multiple threat groups looking to
exploit the vulnerabilities and plant backdoors on corporate
networks, Microsoft took the unusual step of releasing out-of-band
fixes a week earlier than planned.

The ramping up of mass exploitation[4]
after Microsoft released its updates on March 2 has led the company
to deploy another series of security updates[5]
targeting older and unsupported[6]
cumulative updates that are vulnerable to ProxyLogon attacks.

Also included in the mix is a patch for a zero-day in Internet
Explorer (CVE-2021-26411) that was discovered being exploited by
North Korean hackers to compromise security researchers[7] working
on vulnerability research and development earlier this year.

South Korean cybersecurity firm ENKI, which publicly disclosed[8]
the flaw early last month, claimed that North Korean nation-state
hackers made an unsuccessful attempt at targeting its security
researchers with malicious MHTML files that, when opened,
downloaded two payloads from a remote server, one of which
contained a zero-day against Internet Explorer.

Aside from these actively exploited vulnerabilities, the update
also corrects a number of remote code execution (RCE) flaws in
Windows DNS Server (CVE-2021-26897, CVSS score 9.8), Hyper-V server
(CVE-2021-26867, CVSS score 9.9), SharePoint Server
(CVE-2021-27076, CVSS score 8.8), and Azure Sphere (CVE-2021-27080,
CVSS score 9.3).

CVE-2021-26897 is notable for a couple of reasons. First off,
the flaw is rated as “exploitation more likely” by Microsoft, and
is categorized as a zero-click vulnerability of low attack
complexity that requires no user interaction.

Furthermore, this is also the second time in a row that
Microsoft has addressed a critical RCE flaw in Windows DNS Server.
Last month, the company rolled out a fix for CVE-2021-24078[9]
in the same component which, if unpatched, could permit an
unauthorized party to execute arbitrary code and potentially
redirect legitimate traffic to malicious servers.

To install the latest security updates, Windows users can head
to Start > Settings > Update & Security > Windows Update,
or select Check for Windows updates.

References

  1. 89 security flaws (msrc.microsoft.com)
  2. ProxyLogon (thehackernews.com)
  3. indiscriminate assault (thehackernews.com)
  4. mass exploitation (krebsonsecurity.com)
  5. another series of security updates (techcommunity.microsoft.com)
  6. older and unsupported (msrc-blog.microsoft.com)
  7. compromise security researchers (thehackernews.com)
  8. disclosed (thehackernews.com)
  9. CVE-2021-24078 (thehackernews.com)
