Patch Tuesday on March 10th 2021 saw the release of altogether 122 vulnerabilities. The collection includes several zero-day vulnerabilities and vulnerabilities that very public knowledge. This month’s number is well above hundred, but that’s partially explained by Edge Chromium that has its own update schedule. Out of the 122 vulnerabilities, 33 were Edge Chromium -specific. We recommend to always update the Edge Chromium according to its own update schedule, as just during this month there were 4 security patches released for it. 

The below table shows the vulnerabilities in each Microsoft product family.  

Product  Vulnerabilities 
Windows  59 
Browser  35 
ESU  24 
Microsoft Office  11 
Exchange Server  7 
Developer Tools  6 
Azure  3 
SQL Server  1 

 Key points 

Microsoft gives the most critical vulnerability, CVE-2021-26867 , a CVSS value of 9.9. The vulnerability is related to Windows Hyper-V. In addition, CVE-2021-26895, CVE-2021-26893, CVE-2021-26894, andCVE-2021-26897, meaning the vulnerabilities in Windows DNS-server, receive a CVSS value of 9.8. The DNS-server is vulnerable if it’s using dynamic updates. In addition to these critical vulnerabilities, the release includes patches for several zero-day vulnerabilities:CVE-2021-26411, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The first one on the list, CVE-2021-26411 (Internet Explorer 11 and EdgeHTML), is also a vulnerability that was public knowledge.  

The patch for the other four zero-day vulnerabilities was released already earlier in March, on March 2nd, 2021. These four vulnerabilities were all related to the Microsoft Exchange Server product. In addition to these, there is one vulnerability that’s public knowledge and related to older versions of Windows, CVE-2021-26877.  

Active and known issues in Windows operating systems 

Operating System  Active known issues (previous month) 
Windows 10, version 20H2 and Windows Server, version 20H2  3 (3) 
Windows 10, version 2004 and Windows Server, version 2004  3 (3) 
Windows 10, version 1909 and 1903* and Windows Server, version 1903  0 (2) 
Windows 10, version 1809** and Windows Server 2019  1 (1) 
Windows 10, version 1803**  1 (0) 
Windows 10, version 1709*** and Windows Server, version 1709  Support has ended. 
Windows 10, version 1703***  Support has ended. 
Windows 10, version 1607 LTSC*** and Windows Server 20162  2 (1) 
Windows 8.1**** and Windows Server 2012 R2  1 (1) 
Windows Server 2012  1 (1) 
Windows 7**** and Windows Server 2008 R2 SP1  1 (2) 


* 1909 has the same operating system core and identical system files as its predecessor, 1903. 

** The support for Windows 10’s build in question has ended for versions Home, Pro, and Enterprise. 

*** The support for Windows 10’s build in question has ended for all versions 

**** The Mainstream support period for the Windows version has ended. Extended support periods end: For Windows 8.1, on Jan 10th 2023, and for Windows 7, on Jan 14th 2020.  

Recommended actions 

You should update your Windows workstations rapidly, especially if you are actively using Hyper-V. On the server side you should prioritize updating the Exchange Server and the DNS-servers. When it comes to the DNS-vulnerabilities, you should also look into other possible means of mitigation, listed in Microsoft’s MSRC support article . The zero-day vulnerabilities for Exchange Server should be patched right away. When prioritizing this, you should check the detailed consequences on each version from this MSRC support article. Microsoft MSRC has also published a blog related to the Exchange Server vulnerabilities.  

There is a zero-day vulnerability for the old EdgeHTML and Internet Exploere 11 browsers. You should immediately stop using these browsers and replace them with modern ones. This means you should either install the updates right away, or uninstall the browsers for good.  

The critical, zero-day, and public knowledge vulnerabilities mentioned in the beginning should be patched as soon as possible. However, Centero recommends testing the updates carefully before migrating them into production. In addition, you should go through any known issues before deploying the updates.  

Microsoft’s documentation on the subject  

Microsoft maintains a list of Windows updates and their known issues on the following page. You can find additional information on Windows-versions’ lifecycle behind the last link. 

With Centero Software Manager Cloud and  CSM Cloud for Servers, your devices get these and other updates in a managed way, according to the configuration you have selected. Read more on Centero Software Manager here.

Read more on this topic:

There are many publicly disclosed vulnerabilities in October

76 vulnerabilities for Windows OS, Microsoft browsers and Office have been patched. Silver lining in this month seems to be the lower number of the vulnerabilities. Let’s hope that this is a positive trend which will go on in the following months as well. Nevertheless this month certainly cannot be overlooked. There are critical updates […]

September brings patch tuesday once again

Microsoft released information on 129 vulnerabilities this September. 23 of them are classified as critical. It seems that months with over 100 vulnerabilities is a new normal. Nevertheless, this patch Tuesday is not very special one. Which is a good thing. There are two vulnerabilities CVE-2020-1210 and CVE-2020-1595 with as high as 9.9 CVSS-rating. Both of the vulnerabilities are […]