Microsoft patches five zero-day bugs in April 2021 Patch Tuesday update

In total, 110 bugs have been fixed

Microsoft has released its April 2021 Patch Tuesday update, addressing a total of 110 security vulnerabilities across various products/platforms, including Windows 10, Microsoft Office, Edge (Chromium based), Azure, SharePoint Server and Exchange Server.

Of all the security flaws fixed by the company this month, 19 are rated as 'critical', meaning that they could enable threat actors to seize remote control over vulnerable Windows machines without requiring any user interaction.

The rest of the patched vulnerabilities are 'important' in severity.

As part of the April Patch Tuesday update, Microsoft has addressed five zero-day flaws that were previously unknown to the company. Of them, one is actively under attack from threat groups.

Indexed as CVE-2021-28310, this Win32k Elevation of Privilege vulnerability gives a local user more privileges over the Window 10 system than the user is supposed to have.

The vulnerability was discovered by Boris Larin of Kaspersky, who stated in a blog post that it was likely used in combination with other browser exploits "to escape sandboxes or get system privileges for further access."

"Unfortunately, we weren't able to capture a full chain, so we don't know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities," Kaspersky explained in a blog post.

According to Chris Goettl, Senior Director of Product Management at Ivanti, the details from "open source exploits site attackerkb[.]com shows the CVE as reserved and last updated on March 12, 2021, so this may have been exploited by threat actors for a month or more at this point".

"This is a good example of the importance of using a risk-based prioritization approach."

The other four zero-day bugs patched by Microsoft were "publicly exposed" but not "exploited" by cyber actors. They are:

• CVE-2021-27091 - RPC Endpoint Mapper Service elevation of privilege flaw
• CVE-2021-28312 - Windows NTFS denial of service flaw
• CVE-2021-28437 - Windows Installer information disclosure bug
• CVE-2021-28458 - Azure ms-rest-nodeauth Library elevation of privilege bug

All these flaws are rated as "Moderate" or "Important," meaning that there is little risk of remote code execution attacks over the internet.

In addition, the company has also issued patches to address four more bugs - CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, CVE-2021-28483 - that affect Exchange Server versions 2013-2019.

Microsoft credited the US National Security Agency (NSA) for the discovery of two remote code execution bugs, CVE-2021-28480 and CVE-2021-28481, and stated that the other two were found internally.

Both vulnerabilities discovered by the NSA carry a CVSS score of 9.8 due to the risks of attacks without requiring user interaction.

Microsoft and the NSA are advising users to install the updates as early as possible to ensure that their systems remain protected from cyber attacks by threat actors.

Last month, Microsoft also released out-of-band security updates to address four zero-day bugs (CVE-2021-26855, CVE-2021-26857, CVE-2021-26858 and CVE-2021-27065) that were being actively exploited by hackers to compromise Exchange Server.

The flaws affected Exchange Server 2013, Exchange Server 2016 and Exchange Server 2019, and Microsoft said that a state-sponsored threat actor, called Hafnium, was exploiting the flaws to attack vulnerable systems.