-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
**************************************************************************************
Title: Microsoft Security Update Releases
Issued: March 16, 2021
**************************************************************************************
Summary
=======
The following CVEs have undergone a major revision increment:
Critical CVEs
============================
* CVE-2021-26855 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26855
* CVE-2021-27065 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27065
* CVE-2021-26857 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26857
Important CVEs
============================
* CVE-2021-26858 - https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26858
Publication information
===========================
- Microsoft Exchange Server Remote Code Execution Vulnerability
- See preceding list for links
- Version 5.0
- Reason for Revision: Microsoft is releasing a security update for CVE-2021-27065,
CVE-2021-26855, CVE-2021-26857, and CVE-2021-26858 for Microsoft Exchange Server
2013 Service Pack 1. This update addresses only those CVEs. Customers who want to be
protected from these vulnerabilities can apply this update if they are not on a
supported cumulative update. Microsoft strongly recommends that customers update to
the latest supported cumulative updates.
- Originally posted: March 2, 2021
- Updated: March 16, 2021
=======================================================================================
The following Chrome CVEs have been released on March 15, 2021.
These CVE were assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses these vulnerabilities. Please see Google Chrome Releases
(https://chromereleases.googleblog.com/2021) for more information.
See
for more information about third-party CVEs in the Security Update Guide.
*CVE-2021-21191
*CVE-2021-21192
*CVE-2021-21193
Revision Information:
=====================
- Version 1.0
- Reason for Revision: Information published.
- Originally posted: March 15, 2021
=======================================================================================
The following CVEs have undergone revision increments:
*CVE-2021-27054
*CVE-2021-27057
*CVE-2021-26701
*CVE-2020-16996
*CVE-2020-17163
*CVE-2021-26887
*CVE-2021-27084
- CVE-2021-27054 | Microsoft Excel Remote Code Execution Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27054
- Version 2.0
- Reason for Revision: Microsoft is announcing the availability of the security updates
for Microsoft Office for Mac. Customers running affected Mac software should install
the update for their product to be protected from this vulnerability. Customers
running other Microsoft Office software do not need to take any action. See the
[Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information
and download links.
- Originally posted: March 9, 2021
- Updated: March 16, 2021
- Aggregate CVE Severity Rating: Important
- CVE-2021-27057 | Microsoft Office Remote Code Execution Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27057
- Version 2.0
- Reason for Revision: Microsoft is announcing the availability of the security updates
for Microsoft Office for Mac. Customers running affected Mac software should install
the update for their product to be protected from this vulnerability. Customers
running other Microsoft Office software do not need to take any action. See the
[Release Notes](https://go.microsoft.com/fwlink/p/?linkid=831049) for more information
and download links.
- Originally posted: March 9, 2021
- Updated: March 16, 2021
- Aggregate CVE Severity Rating: Important
- CVE-2021-26701 | .NET Core Remote Code Execution Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26701
- Version 3.0
- Reason for Revision: Revised the Security Updates table to include PowerShell Core 7.0
and PowerShell Core 7.1 because these versions of PowerShell Core are also affected by
this vulnerability. See https://github.com/PowerShell/Announcements-Internal/issues/23
for more information. Added Visual Studio 2019 for Mac to the Security Updates table
as it is also affected by this vulnerability.
- Originally posted: February 9, 2021
- Updated: March 12, 2021
- Aggregate CVE Severity Rating: Critical
- CVE-2020-16996 | Kerberos Security Feature Bypass Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-16996
- Version 2.0
- Reason for Revision: Microsoft is announcing the release of the second phase of the
Windows security updates to address this vulnerability. March 9, 2021 and
superseding Windows updates enable enforcement mode on all Active Directory domain
controllers (DCs). These DCs will now be in Enforcement mode unless the enforcement
mode registry key is set to 1 (Disabled). If the Enforcement mode registry key is set,
the setting will be honored. Going to Enforcement mode requires that all Active
Directory domain controllers have the December 8, 2020 update or a later update installed.
Microsoft strongly recommends that customers install the March 9. 2021 updates to be
fully protected from this vulnerability. Customers whose Windows devices are configured
to receive automatic updates do not need to take any further action.
- Originally posted: December 8, 2020
- Updated: March 12, 2021
- Aggregate CVE Severity Rating: Important
- CVE-2020-17163 | Visual Studio Code Python Extension Remote Code Execution Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27084
- Version 1.0
- Reason for Revision: Information published.
- Originally posted: March 16, 2021
- Updated: N/A
- Aggregate CVE Severity Rating: Important
- CVE-2021-26887 | Microsoft Windows Folder Redirection Elevation of Privilege
Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-26887
- Version 1.1
- Reason for Revision: The instructions in the article,
have been updated since this CVE was released on March 9, 2021. Microsoft recommends
that customers re-visit the article ensure their systems are properly configured to be
protected against this vulnerability. This elevation of privilege vulnerability can only
be addressed by reconfiguring Folder Redirection with Offline files and restricting
permissions, and NOT via a security update for affected Windows Servers.
- Originally posted: March 9, 2021
- Updated: March 15, 2021
- Aggregate CVE Severity Rating: Important
- CVE-2021-27084 | Visual Studio Code Java Extension Pack Remote Code Execution
Vulnerability
- https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27084
- Version 1.1
- Reason for Revision: Corrected Download and Article links in the Security Updates
table. This is an informational change only.
- Originally posted: March 9, 2021
- Updated: March 12, 2021
- Aggregate CVE Severity Rating: Important
**************************************************************************************
Other Information
=================
Recognize and avoid fraudulent email to Microsoft customers:
======================================================================================
If you receive an email message that claims to be distributing a Microsoft security update, it is a hoax that may contain malware or pointers to malicious websites.
Microsoft does not distribute security updates via email.
