Microsoft Patch Tuesday April 2021 fixes 108 vulnerabilities, including 5 zero-days

By Gokila Kumar

Yet another month, yet another Patch Tuesday. With the never-ending cybersecurity threats brought on by the pandemic, it’s essential to understand the importance of Patch Tuesday releases and find ways to efficiently deploy the new updates to remote endpoints.

This Patch Tuesday, Microsoft has released fixes for 108 vulnerabilities, among which 19 are classified as Critical and 89 as Important. Along with these vulnerabilities, Microsoft also released fixes for four publicly disclosed zero-day vulnerabilities and one actively exploited zero-day. Apart from this plethora of vulnerabilities, there were six other Chromium Edge vulnerabilities disclosed earlier this month.

A lineup of significant updates

Microsoft security updates have been released for:

    • Microsoft Windows
    • Microsoft Office
    • Microsoft Windows Codecs Library
    • Visual Studio
    • Microsoft Edge on Chromium
    • Microsoft Exchange Server
    • Microsoft Graphics Component

April’s zero-day vulnerabilities: 4 publicly disclosed, 1 actively exploited

This month, Microsoft fixed the zero-day vulnerabilities below:

  • CVE-2021-27091: RPC Endpoint Mapper Service Elevation of Privilege Vulnerability – Publicly disclosed
  • CVE-2021-28312: Windows NTFS Denial of Service Vulnerability – Publicly disclosed
  • CVE-2021-28437: Windows Installer Information Disclosure Vulnerability – PolarBear – Publicly disclosed
  • CVE-2021-28458: Azure ms-rest-node authorization Library Elevation of Privilege Vulnerability – Publicly disclosed
  • CVE-2021-28310: Win32k Elevation of Privilege Vulnerability – Actively exploited

Shedding some light on this month’s critical updates

Listed below are the Critical vulnerabilities reported in this month’s Patch Tuesday:

Product

CVE Title

CVE ID

Azure SphereAzure Sphere Unsigned Code Execution VulnerabilityCVE-2021-28460
Microsoft Exchange ServerMicrosoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-28480
Microsoft Exchange ServerMicrosoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-28481
Microsoft Exchange ServerMicrosoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-28482
Microsoft Exchange ServerMicrosoft Exchange Server Remote Code Execution VulnerabilityCVE-2021-28483
Windows Media PlayerWindows Media Video Decoder Remote Code Execution VulnerabilityCVE-2021-28315
Windows Media PlayerWindows Media Video Decoder Remote Code Execution VulnerabilityCVE-2021-28336
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28335
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28334
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28338
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28337
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28333
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28329
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28330
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28332
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28331
Windows Remote Procedure Call RuntimeRemote Procedure Call Runtime Remote Code Execution VulnerabilityCVE-2021-28339

Third-party updates released this month

Coinciding with this month’s Patch Tuesday, Adobe has also released security updates. There are also notable updates from Android, Apple, SAP, and Cisco.

Here are a few best practices for remote patch management that you can follow in your organization:

  • Prioritize security updates over non-security and optional updates.
  • Download patches directly to endpoints rather than saving them on your server and distributing them to remote locations.
  • Schedule automation tasks specifically for deploying critical patches for timely updates.
  • Plan to set broad deployment windows so critical updates aren’t missed due to unavoidable hindrances.
  • Allow end users to skip deployments to avoid disrupting their productivity.
  • Ensure the machines under your scope aren’t running any end-of-life OSs or applications.
  • Ensure you use a secure gateway server to establish safe connections between your remote endpoints.

With Desktop Central or Patch Manager Plus, you can completely automate the entire process of patch management, from testing patches to deploying them. You can also tailor the patch tasks according to your current situation. For hands-on experience with either of these products, start a 30-day free trial and keep thousands of applications patched and secure.

** Optrics Inc. is a ManageEngine partner


The original article can be found here:

https://blogs.manageengine.com/desktop-mobile/patch-manager-plus/2021/03/10/microsoft-patch-tuesday-march-2021-fixes-82-vulnerabilities-including-2-zero-days.html

About the Author: Shannon Lewis

Leave a Reply