Microsoft April 2021 Patch Tuesday fixes 108 flaws, 5 zero-days

Today is Microsoft's April 2021 Patch Tuesday, and with it comes five zero-day vulnerabilities and more Critical Microsoft Exchange vulnerabilities. It has been a tough couple of months for Windows and Microsoft Exchange admins, and it looks like April won't be any easier, so please be nice to your IT staff today.

With today's update, Microsoft has fixed 108 vulnerabilities, with 19 classified as Critical and 89 as Important. These numbers do not include the 6 Chromium Edge vulnerabilities released earlier this month.

There are also five zero-day vulnerabilities patched today that were publicly disclosed, with one known to be used in attacks.

To make matters worse, Microsoft fixed four critical Microsoft Exchange vulnerabilities that the NSA discovered.

For information about the non-security Windows updates, you can read about today's Windows 10 KB5001330 & KB5001337 cumulative updates.

Five zero-day vulnerabilities fixed

As part of today's Patch Tuesday, Microsoft has fixed four publicly disclosed vulnerabilities and one actively exploited vulnerability.

The following four vulnerabilities Microsoft states were publicly exposed but not exploited:

• CVE-2021-27091 - RPC Endpoint Mapper Service Elevation of Privilege Vulnerability
• CVE-2021-28312 - Windows NTFS Denial of Service Vulnerability
• CVE-2021-28437 - Windows Installer Information Disclosure Vulnerability - PolarBear
• CVE-2021-28458 - Azure ms-rest-nodeauth Library Elevation of Privilege Vulnerability

The following vulnerability discovered by Kaspersky researcher Boris Larin was found exploited in the wild.

• CVE-2021-28310 - Win32k Elevation of Privilege Vulnerability

Kaspersky believes the CVE-2021-28310 exploited was utilized by the BITTER APT group.

"We believe this exploit is used in the wild, potentially by several threat actors. It is an escalation of privilege (EoP) exploit that is likely used together with other browser exploits to escape sandboxes or get system privileges for further access. "

"Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities," Kaspersky explained in new blog post.

NSA discovers Microsoft Exchange vulnerabilities

Microsoft Exchange admins are not getting any rest as four more Critical remote code execution vulnerabilities discovered by the NSA were fixed in Microsoft Exchange today. Two of these vulnerabilities are pre-authentication, which means they do not require attackers to log in to the server first.

None of these vulnerabilities are known to have been actively exploited and are tracked with the following CVEs:

• CVE-2021-28480 - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28481 - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28482 - Microsoft Exchange Server Remote Code Execution Vulnerability
• CVE-2021-28483 - Microsoft Exchange Server Remote Code Execution Vulnerability

Admins can find more information about these vulnerabilities here.

Recent updates from other companies

Other vendors who released updates in April include:

• Adobe released security updates for Adobe Creative Cloud Desktop, Framemaker, and Connect.
• Android's April security updates were released last week.
• Apple released GarageBand securty updates but has not provided details as to what has been fixed.
• Cisco released security updates for numerous products this month.
• SAP released its April 2021 security updates.

The April 2021 Patch Tuesday Security Updates

Below is the full list of resolved vulnerabilities and released advisories in the April 2021 Patch Tuesday updates. To access the full description of each vulnerability and the systems that it affects, you can view the full report here.