Patch Tuesday on March 10th 2021 saw the release of altogether 122 vulnerabilities. The collection includes several zero-day vulnerabilities and vulnerabilities that very public knowledge. This month’s number is well above hundred, but that’s partially explained by Edge Chromium that has its own update schedule. Out of the 122 vulnerabilities, 33 were Edge Chromium -specific. We recommend to always update the Edge Chromium according to its own update schedule, as just during this month there were 4 security patches released for it.
The below table shows the vulnerabilities in each Microsoft product family.
Microsoft gives the most critical vulnerability, CVE-2021-26867 , a CVSS value of 9.9. The vulnerability is related to Windows Hyper-V. In addition, CVE-2021-26895, CVE-2021-26893, CVE-2021-26894, and CVE-2021-26897, meaning the vulnerabilities in Windows DNS-server, receive a CVSS value of 9.8. The DNS-server is vulnerable if it’s using dynamic updates. In addition to these critical vulnerabilities, the release includes patches for several zero-day vulnerabilities: CVE-2021-26411, CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065. The first one on the list, CVE-2021-26411 (Internet Explorer 11 and EdgeHTML), is also a vulnerability that was public knowledge.
The patch for the other four zero-day vulnerabilities was released already earlier in March, on March 2nd, 2021. These four vulnerabilities were all related to the Microsoft Exchange Server product. In addition to these, there is one vulnerability that’s public knowledge and related to older versions of Windows, CVE-2021-26877.
Active and known issues in Windows operating systems
|Operating System||Active known issues (previous month)|
|Windows 10, version 20H2 and Windows Server, version 20H2||3 (3)|
|Windows 10, version 2004 and Windows Server, version 2004||3 (3)|
|Windows 10, version 1909 and 1903* and Windows Server, version 1903||0 (2)|
|Windows 10, version 1809** and Windows Server 2019||1 (1)|
|Windows 10, version 1803**||1 (0)|
|Windows 10, version 1709*** and Windows Server, version 1709||Support has ended.|
|Windows 10, version 1703***||Support has ended.|
|Windows 10, version 1607 LTSC*** and Windows Server 20162||2 (1)|
|Windows 8.1**** and Windows Server 2012 R2||1 (1)|
|Windows Server 2012||1 (1)|
|Windows 7**** and Windows Server 2008 R2 SP1||1 (2)|
* 1909 has the same operating system core and identical system files as its predecessor, 1903.
** The support for Windows 10’s build in question has ended for versions Home, Pro, and Enterprise.
*** The support for Windows 10’s build in question has ended for all versions
**** The Mainstream support period for the Windows version has ended. Extended support periods end: For Windows 8.1, on Jan 10th 2023, and for Windows 7, on Jan 14th 2020.
You should update your Windows workstations rapidly, especially if you are actively using Hyper-V. On the server side you should prioritize updating the Exchange Server and the DNS-servers. When it comes to the DNS-vulnerabilities, you should also look into other possible means of mitigation, listed in Microsoft’s MSRC support article . The zero-day vulnerabilities for Exchange Server should be patched right away. When prioritizing this, you should check the detailed consequences on each version from this MSRC support article. Microsoft MSRC has also published a blog related to the Exchange Server vulnerabilities.
There is a zero-day vulnerability for the old EdgeHTML and Internet Exploere 11 browsers. You should immediately stop using these browsers and replace them with modern ones. This means you should either install the updates right away, or uninstall the browsers for good.
The critical, zero-day, and public knowledge vulnerabilities mentioned in the beginning should be patched as soon as possible. However, Centero recommends testing the updates carefully before migrating them into production. In addition, you should go through any known issues before deploying the updates.
Microsoft’s documentation on the subject
Microsoft maintains a list of Windows updates and their known issues on the following page. You can find additional information on Windows-versions’ lifecycle behind the last link.
- Known issues and notifications
- Windows 10 update history
- Update history for Windows 8.1 and Windows Server 2012 R2
- Windows Server 2012 update history
- Update history for Windows 7 SP1 and Windows Server 2008 R2 SP1
- Windows lifecycle fact sheet
With Centero Software Manager Cloud and CSM Cloud for Servers, your devices get these and other updates in a managed way, according to the configuration you have selected. Read more on Centero Software Manager here.