Another Patch Tuesday (2021-Mar) is upon us and with this month comes a whopping 122 CVEs.  As usual Windows tops the list of the most patched product. However, this month it’s browser vulnerabilities taking the second place, outnumbering Office vulnerabilities 3:1! Lastly, the Exchange Server vulnerabilities this month are not to be ignored as more than half of them have been seen exploited in the wild.

Vulnerability Breakdown by Software Family

Family Vulnerability Count
Windows 59
Browser 35
ESU 24
Microsoft Office 11
Exchange Server 7
Developer Tools 6
Azure 3
SQL Server 1

Exchange Server Vulnerabilities

Earlier this month Microsoft released out of band updates for Exchange Server. These critical updates fixed a number of publicly exploited vulnerabilities, but not before attackers were able to compromise over 30,000 internet facing instances.

Yesterday, Microsoft issued an additional set of patches for older, unsupported versions of Exchange Server. This allows customers who have not been able to update to the most recent version of Exchange the ability to defend against these widespread exploit attempts.

If you administer an Exchange Server, stop reading this blog and go patch these systems! For more information please see our blog post on the topic.

Patch those Windows systems!

Almost half of the newly announced vulnerabilities this month affect components of Windows itself. Some major highlights include:

Browser Vulnerabilities

Since going end-of-life in November 2020, we haven't seen any Internet Explorer patches from Microsoft. However, this month Microsoft has made two new updates available: CVE-2021-27085 and CVE-2021-26411. CVE-2021-26411 has been exploited in the wild, so don't delay applying patches if IE is still in your environment.

The majority of the browser vulnerabilities announced this month affect Microsoft Edge on Chromium. These patches are courtesy of vulnerabilities being fixed upstream in the Chromium project.

Summary Tables

Here are this month's patched vulnerabilities split by the product family.

Azure Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-27075 Azure Virtual Machine Information Disclosure Vulnerability No No 6.8 Yes
CVE-2021-27080 Azure Sphere Unsigned Code Execution Vulnerability No No 9.3 Yes
CVE-2021-27074 Azure Sphere Unsigned Code Execution Vulnerability No No 6.2 Yes

Browser Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-27085 Internet Explorer Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-21190 Chromium CVE-2021-21190 : Uninitialized Use in PDFium No No N/A Yes
CVE-2021-21189 Chromium CVE-2021-21189: Insufficient policy enforcement in payments No No N/A Yes
CVE-2021-21188 Chromium CVE-2021-21188: Use after free in Blink No No N/A Yes
CVE-2021-21187 Chromium CVE-2021-21187: Insufficient data validation in URL formatting No No N/A Yes
CVE-2021-21186 Chromium CVE-2021-21186: Insufficient policy enforcement in QR scanning No No N/A Yes
CVE-2021-21185 Chromium CVE-2021-21185: Insufficient policy enforcement in extensions No No N/A Yes
CVE-2021-21184 Chromium CVE-2021-21184: Inappropriate implementation in performance APIs No No N/A Yes
CVE-2021-21183 Chromium CVE-2021-21183: Inappropriate implementation in performance APIs No No N/A Yes
CVE-2021-21182 Chromium CVE-2021-21182: Insufficient policy enforcement in navigations No No N/A Yes
CVE-2021-21181 Chromium CVE-2021-21181: Side-channel information leakage in autofill No No N/A Yes
CVE-2021-21180 Chromium CVE-2021-21180: Use after free in tab search No No N/A Yes
CVE-2021-21179 Chromium CVE-2021-21179: Use after free in Network Internals No No N/A Yes
CVE-2021-21178 Chromium CVE-2021-21178 : Inappropriate implementation in Compositing No No N/A Yes
CVE-2021-21177 Chromium CVE-2021-21177: Insufficient policy enforcement in Autofill No No N/A Yes
CVE-2021-21176 Chromium CVE-2021-21176: Inappropriate implementation in full screen mode No No N/A Yes
CVE-2021-21175 Chromium CVE-2021-21175: Inappropriate implementation in Site isolation No No N/A Yes
CVE-2021-21174 Chromium CVE-2021-21174: Inappropriate implementation in Referrer No No N/A Yes
CVE-2021-21173 Chromium CVE-2021-21173: Side-channel information leakage in Network Internals No No N/A Yes
CVE-2021-21172 Chromium CVE-2021-21172: Insufficient policy enforcement in File System API No No N/A Yes
CVE-2021-21171 Chromium CVE-2021-21171: Incorrect security UI in TabStrip and Navigation No No N/A Yes
CVE-2021-21170 Chromium CVE-2021-21170: Incorrect security UI in Loader No No N/A Yes
CVE-2021-21169 Chromium CVE-2021-21169: Out of bounds memory access in V8 No No N/A Yes
CVE-2021-21168 Chromium CVE-2021-21168: Insufficient policy enforcement in appcache No No N/A Yes
CVE-2021-21167 Chromium CVE-2021-21167: Use after free in bookmarks No No N/A Yes
CVE-2021-21166 Chromium CVE-2021-21166: Object lifecycle issue in audio No No N/A Yes
CVE-2021-21165 Chromium CVE-2021-21165: Object lifecycle issue in audio No No N/A Yes
CVE-2021-21164 Chromium CVE-2021-21164: Insufficient data validation in Chrome for iOS No No N/A Yes
CVE-2021-21163 Chromium CVE-2021-21163: Insufficient data validation in Reader Mode No No N/A Yes
CVE-2021-21162 Chromium CVE-2021-21162: Use after free in WebRTC No No N/A Yes
CVE-2021-21161 Chromium CVE-2021-21161: Heap buffer overflow in TabStrip No No N/A Yes
CVE-2021-21160 Chromium CVE-2021-21160: Heap buffer overflow in WebAudio No No N/A Yes
CVE-2021-21159 Chromium CVE-2021-21159: Heap buffer overflow in TabStrip No No N/A Yes
CVE-2020-27844 Chromium CVE-2020-27844: Heap buffer overflow in OpenJPEG No No N/A Yes

Browser ESU Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-26411 Internet Explorer Memory Corruption Vulnerability Yes Yes 8.8 Yes

Developer Tools Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-27060 Visual Studio Code Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-27084 Visual Studio Code Java Extension Pack Remote Code Execution Vulnerability No No N/A No
CVE-2021-27081 Visual Studio Code ESLint Extension Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-27083 Remote Development Extension for Visual Studio Code Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-27082 Quantum Development Kit for Visual Studio Code Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-21300 Git for Visual Studio Remote Code Execution Vulnerability No No 8.8 No

Exchange Server Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-26412 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9.1 No
CVE-2021-26855 Microsoft Exchange Server Remote Code Execution Vulnerability Yes No 9.1 Yes
CVE-2021-27078 Microsoft Exchange Server Remote Code Execution Vulnerability No No 9.1 No
CVE-2021-26857 Microsoft Exchange Server Remote Code Execution Vulnerability Yes No 7.8 Yes
CVE-2021-27065 Microsoft Exchange Server Remote Code Execution Vulnerability Yes No 7.8 Yes
CVE-2021-26858 Microsoft Exchange Server Remote Code Execution Vulnerability Yes No 7.8 Yes
CVE-2021-26854 Microsoft Exchange Server Remote Code Execution Vulnerability No No 6.6 No

Microsoft Office Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-27055 Microsoft Visio Security Feature Bypass Vulnerability No No 7 Yes
CVE-2021-24104 Microsoft SharePoint Spoofing Vulnerability No No 4.6 Yes
CVE-2021-27076 Microsoft SharePoint Server Remote Code Execution Vulnerability No No 8.8 Yes
CVE-2021-27052 Microsoft SharePoint Server Information Disclosure Vulnerability No No 5.3 Yes
CVE-2021-27056 Microsoft PowerPoint Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-24108 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27057 Microsoft Office Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27059 Microsoft Office Remote Code Execution Vulnerability No No 7.6 Yes
CVE-2021-27058 Microsoft Office ClickToRun Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27053 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27054 Microsoft Excel Remote Code Execution Vulnerability No No 7.8 Yes

SQL Server Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-26859 Microsoft Power BI Information Disclosure Vulnerability No No 7.7 Yes

Windows Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-26900 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26863 Windows Win32k Elevation of Privilege Vulnerability No No 7 No
CVE-2021-26871 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26885 Windows WalletService Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26864 Windows Virtual Registry Provider Elevation of Privilege Vulnerability No No 8.4 No
CVE-2021-1729 Windows Update Stack Setup Elevation of Privilege Vulnerability No No 7.1 No
CVE-2021-26889 Windows Update Stack Elevation of Privilege Vulnerability No No 7.1 No
CVE-2021-26866 Windows Update Service Elevation of Privilege Vulnerability No No 7.1 No
CVE-2021-26870 Windows Projected File System Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26874 Windows Overlay Filter Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26879 Windows NAT Denial of Service Vulnerability No No 7.5 No
CVE-2021-26884 Windows Media Photo Codec Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-26867 Windows Hyper-V Remote Code Execution Vulnerability No No 9.9 Yes
CVE-2021-26868 Windows Graphics Component Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26892 Windows Extensible Firmware Interface Security Feature Bypass Vulnerability No No 6.2 No
CVE-2021-24090 Windows Error Reporting Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26865 Windows Container Execution Agent Elevation of Privilege Vulnerability No No 8.8 No
CVE-2021-26891 Windows Container Execution Agent Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26860 Windows App-V Overlay Filter Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-27066 Windows Admin Center Security Feature Bypass Vulnerability No No 4.3 No
CVE-2021-27070 Windows 10 Update Assistant Elevation of Privilege Vulnerability No No 7.3 No
CVE-2021-26886 User Profile Service Denial of Service Vulnerability No No 5.5 No
CVE-2021-26880 Storage Spaces Controller Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26876 OpenType Font Parsing Remote Code Execution Vulnerability No No 8.8 No
CVE-2021-24089 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-26902 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27061 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-24110 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27047 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27048 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27049 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27050 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27051 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-27062 HEVC Video Extensions Remote Code Execution Vulnerability No No 7.8 Yes
CVE-2021-24095 DirectX Elevation of Privilege Vulnerability No No 7 No
CVE-2021-26890 Application Virtualization Remote Code Execution Vulnerability No No 7.8 No

Windows ESU Vulnerabilities

CVE Vulnerability Title Exploited Disclosed CVSS3 FAQ
CVE-2021-27077 Windows Win32k Elevation of Privilege Vulnerability No Yes 7.8 No
CVE-2021-26875 Windows Win32k Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26873 Windows User Profile Service Elevation of Privilege Vulnerability No No 7 No
CVE-2021-26899 Windows UPnP Device Host Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-1640 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 Yes
CVE-2021-26878 Windows Print Spooler Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26862 Windows Installer Elevation of Privilege Vulnerability No No 6.3 No
CVE-2021-26861 Windows Graphics Component Remote Code Execution Vulnerability No No 7.8 No
CVE-2021-24107 Windows Event Tracing Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-26872 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26898 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26901 Windows Event Tracing Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26897 Windows DNS Server Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-26877 Windows DNS Server Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-26893 Windows DNS Server Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-26894 Windows DNS Server Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-26895 Windows DNS Server Remote Code Execution Vulnerability No No 9.8 Yes
CVE-2021-26896 Windows DNS Server Denial of Service Vulnerability No No 7.5 Yes
CVE-2021-27063 Windows DNS Server Denial of Service Vulnerability No No 7.5 Yes
CVE-2021-26869 Windows ActiveX Installer Service Information Disclosure Vulnerability No No 5.5 Yes
CVE-2021-26882 Remote Access API Elevation of Privilege Vulnerability No No 7.8 No
CVE-2021-26881 Microsoft Windows Media Foundation Remote Code Execution Vulnerability No No 7.5 No
CVE-2021-26887 Microsoft Windows Folder Redirection Elevation of Privilege Vulnerability No No 7.8 Yes

Summary Graphs