Vulnerability summary for the week: March 12, 2021


This week Microsoft published security updates intended to fix more than 80 vulnerabilities across a wide range of its products, including multiple Windows OS components, Microsoft Office, SharePoint Server, Visual Studio, Azure and Azure Sphere. The March Patch Tuesday release also includes fixes for a zero-day vulnerability in Internet Explorer that had been exploited in attacks against some researchers in the white-hat community earlier this year.


The IE zero-day, tracked as CVE-2021-26411, is a double free flaw that exists due to a boundary error when processing ".mht" files. Using this bug, a remote attacker can execute arbitrary code on the target system by tricking a user into visiting a malicious website. Earlier this year, CVE-2021-26411 was observed being exploited in attacks against security researchers in South Korea. Kaspersky linked these attacks to the North Korean state-backed hacker group known as Lazarus APT.


The security updates for Internet Explorer also include a fix for CVE-2021-27085, which is described as an input validation error that could be used for remote code execution.


In addition to the vulnerabilities described above, Microsoft addressed numerous high-risk flaws affecting Microsoft Visual Studio Code, HEVC Video Extensions, PowerPoint, OpenType Font Parsing, Excel, Office, Windows Graphics Component,