Microsoft Tuesday Patch, March 2021 Edition – Krebs on Security

[ad_1]

In case you are looking for more security tasks Microsoft today… the company has released software updates to correct more than 82 security vulnerabilities in Windows and other supported software. Ten of them have received a “critical” rating from Microsoft, which means they can be exploited by malware or thieves with little or no user assistance.

Topping the list this month (aside from the current and overall Exchange Server mass tradeoff) is a fix for a Internet Explorer bug that sees active exploitation. The weakness of IE – CVE-2021-26411 – affects both IE11 and newer versions based on EdgeHTML, and it allows attackers to execute a file of their choice leading you to view a hacked or malicious website in IE.

The IE flaw is linked to a vulnerability that was publicly disclosed in early February by ENKI researchers who claim it was one used in a recent campaign by nation state actors to target security researchers. In the ENKI blog post, researchers said they will post proof of concept (PoC) details once the bug is corrected.

“As we have seen in the past, once the details of PoCs are made public, attackers quickly integrate these PoCs into their attack toolkits,” said Satnam narang, personal research engineer at Defensible. “We strongly encourage all organizations that rely on Internet Explorer and Microsoft Edge (based on EdgeHTML) to apply these fixes as soon as possible.”

That’s probably a good place to quote Martin Brinkman from Ghacks.net: This is the latest hurray patch for the old Microsoft Edge web browser, which is being retired by Microsoft.

For the second month in a row, Microsoft has fixed frightening flaws in DNS servers on Windows Server 2008 by 2019 the versions that could be used to remotely install the software chosen by the attacker. All five DNS bugs rolled back in today’s patch bundle had a CVSS (Danger Metric) score of 9.8 – almost as bad as it gets.

“There is an outside chance that it could be worming between DNS servers,” Trend Micro warned. Dustin Childs.

As mentioned above, hundreds of thousands of organizations are facing a security nightmare after they hack their Exchange and Outlook Web Access (OWA) server and upgrade with a backdoor. If an organization you know has been affected by this attack, have them check with the new victim notification website mentioned in today’s story.

Susan bradley on Askwoody.com says that “Nothing in the March security updates (other than those for Exchange released last week) makes me want to urge you to run your machines and make fixes right now.” I agree, unless of course you are browsing the web with older Microsoft browsers.

It’s a good idea for Windows users to get into the habit of updating at least once a month, but for regular users (read: not businesses) it’s usually safe to wait a few days afterward. the release of the fixes, so that Microsoft has time. to smooth out any creases in the new weave.

But before updating, please make sure you have backed up your system and / or important files. It is not uncommon for a Windows update package to water its system or prevent it from starting properly, and some updates are known to erase or corrupt files.

So do yourself a favor and back up before you install any fixes. Windows 10 even has built-in tools to help you do this, either by file / folder or by making a full, bootable copy of your hard drive at the same time.

And if you want to make sure that Windows has been configured to pause updating so that you can back up your files and / or your system before the operating system decides to restart and install the fixes on its own schedule, check out this guide.

As always, if you have any issues or issues installing any of these fixes this month, consider leaving a comment about it below; there is a better chance that even other readers have been through the same thing and can provide some useful advice here.