Microsoft's March Patch Tuesday: Critical remote code execution flaws, IE zero-day fixed

The fixes follow an unscheduled emergency release for Microsoft Exchange Server.

Microsoft has released 89 security fixes for software including the Edge browser, Office, and Azure that patch critical issues including vectors for the remote execution of arbitrary code. 

During the tech giant's standard monthly patch round, Microsoft released a slew of patches to fix vulnerabilities in software including Azure, Microsoft Office products -- such as PowerPoint, Excel, SharePoint, and Visio -- alongside the Edge browser and Internet Explorer. 

This also includes seven out-of-band fixes for Microsoft Exchange Server which were released last week, four of which are classed as zero-days. 

Security updates have also been issued for features and services including the Microsoft Windows Codecs Library, Windows Admin Center, DirectX, Event Tracing, Registry, Win32K, and Windows Remote Access API. 

In total, 14 are described as critical and the majority lead to Remote Code Execution (RCE), whereas the rest are deemed important.

Among the fixes is the resolution of CVE-2021-26411, a memory corruption vulnerability in Internet Explorer that is being actively exploited in the wild.

"This kind of exploit would give the attacker the same operating system permissions as the user visiting the website," explained Kevin Breen, Director of Cyber Threat Research at Immersive Labs. "So if you're browsing the internet as a standard user, the attacker will get user level access to your filesystem and limited access to the operating system. If you are browsing the internet as an admin, the attackers will get full unrestricted access to your filesystem and the operating system."

Other critical issues of note include CVE-2021-27074 and CVE-2021-27080, unsigned code execution bugs in Azure Sphere, and CVE-2021-26897, a critical RCE flaw in Windows DNS Server.

A total of 15 of the CVEs resolved were reported through the Trend Micro Zero Day Initiative. A separate set of vulnerability fixes was issued for the Chromium version of the Edge browser last week.

The latest round of security fixes follows the early emergency patches issued by Microsoft to resolve four zero-day vulnerabilities in Exchange Server, as well as three additional security flaws. The critical security bugs, used to steal email inbox communication and potentially allow server hijacking, were originally exploited by the Hafnium threat group -- but the problem has now escalated to a worldwide issue believed to have impacted thousands of companies worldwide. 

Today, Microsoft also announced the end of Microsoft Edge Legacy desktop application support. The application will be removed and replaced with the new Microsoft Edge during April's Windows 10 cumulative monthly security update.

See also: Microsoft's Security Update Guide portal

In February's Patch Tuesday, the Redmond giant resolved 56 vulnerabilities including a privilege escalation zero-day flaw in Win32k. 

Microsoft's next Patch Tuesday release will occur on April 13. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0