Microsoft Has Busy April Patch Tuesday with Zero-Days, Exchange Fixes
2021-04-14 12:46

Microsoft had its hands full Tuesday snuffing out five zero-day vulnerabilities and a flaw under active attack, and applying more patches to its problem-plagued Microsoft Exchange Server software.

Of note, the U.S. National Security Agency released information on four critical Exchange Server vulnerabilities impacting versions released between 2013 and 2019.

"These vulnerabilities have been rated 'exploitation more likely' using Microsoft's Exploitability Index. Two of the four vulnerabilities are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw. With the intense interest in Exchange Server since last month, it is crucial that organizations apply these Exchange Server patches immediately," wrote Satnam Narang, staff research engineer with Tenable, in commentary shared with Threatpost.

Troublesome, given the ubiquitous nature of Microsoft Office, are four remote code execution vulnerabilities patched this month within the productivity suite.

Microsoft marks the vulnerability type as "Exploitation less likely"; however, it's highly recommended to quickly patch and remediate any RCE vulnerabilities on systems, Goodman said: "Leaving latent vulnerabilities with RCE exploits can easily lead to a faster-spreading attack."

Microsoft's April Patch Tuesday update was complemented by Adobe's monthly slew of patches, which addressed 10 security bugs, seven of them critical.


News URL

https://threatpost.com/microsoft-april-patch-tuesday-zero-days/165393/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Microsoft 724 797 4669 4670 3646 13782