Microsoft Patches Four More Critical Exchange Server Bugs
Microsoft yesterday released patches for over 100 flaws, the first time this year its monthly update has reached that number, including one bug being actively exploited in the wild and four new critical Exchange Server vulnerabilities reported by the NSA.
The haul of 110 CVEs will keep sysadmins busy, with experts highlighting the zero-day elevation of privilege flaw in Win32k (CVE-2021-28310) as worthy of attention.
Although only rated as important, it may already have been exploited in attacks for over a month, according to Chris Goettl, senior director of product management at Ivanti.
“This is a good example of the importance of using a risk-based prioritization approach. If you are basing your prioritization off vendor severity and looking at just the critical CVEs, you may have missed this one,” he explained.
“Fortunately for those organizations, this is part of the Windows 10 cumulative this month — which also includes Critical CVEs — but broadening your prioritization metrics to include risk metadata like exploited, publicly disclosed, and other indicators will help to ensure you prioritize the best possible set of updates to remediate in a timely fashion.”
The four critical Exchange Server flaws should also be a priority for sysadmins. CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483 are remote code execution bugs that all affect Microsoft Exchange Server versions 2013 to 2019.