Experts Insight On Critical Remote Code Execution Flaws, IE Zero-Day Fixed In Microsoft’s March Patch Tuesday
ByISBuzz Team Writer , Information Security Buzz | Mar 10, 2021 05:56 am PST
Microsoft has released 89 security fixes for software including the Edge browser, Office, and Azure that patch critical issues including vectors for the remote execution of arbitrary code. Experts below provide an insight on these critical patches.
Tim Mackey , Principal Security Strategist, Synopsys CyRC (Cybersecurity Research Center)
March 10, 2021 1:57 pm
<p>While most IT teams are accustomed to regular patch updates and patch cycles, the current set of Microsoft Exchange Server updates include another important step – checking for signs of compromise. The four Exchange Server vulnerabilities contained in this month’s patch update are being actively exploited to form part of a cyber kill chain. This kill chain allows attackers to leave behind web shells that can then be used to further their attack. Since a web shell is nothing more than a piece of malicious code that looks like a web interface and behaves like one, hiding malicious traffic flowing from one web interface is easy to accomplish on production servers like Microsoft Exchange. Of course, since the attackers define the rules of their engagement, what that web shell does is up to them. That means they could try anything from siphoning data from the server to using the server resources to run cryptomining software. In the case of these Exchange Server patches, simply patching the Exchange Server isn’t sufficient as if there are signs of compromise, you’ll need to trigger your incident response plan and perform some forensic analysis to determine the extent of any damage done.</p>
<p>While most IT teams are accustomed to regular patch updates and patch cycles, the current set of Microsoft Exchange Server updates include another important step – checking for signs of compromise. The four Exchange Server vulnerabilities contained in this month’s patch update are being actively exploited to form part of a cyber kill chain. This kill chain allows attackers to leave behind web shells that can then be used to further their attack. Since a web shell is nothing more than a piece of malicious code that looks like a web interface and behaves like one, hiding malicious traffic flowing from one web interface is easy to accomplish on production servers like Microsoft Exchange. Of course, since the attackers define the rules of their engagement, what that web shell does is up to them. That means they could try anything from siphoning data from the server to using the server resources to run cryptomining software. In the case of these Exchange Server patches, simply patching the Exchange Server isn’t sufficient as if there are signs of compromise, you’ll need to trigger your incident response plan and perform some forensic analysis to determine the extent of any damage done.</p>