Two of the vulnerabilities were reported by the NSA, with the agency saying in a tweet that it "urges applying critical Microsoft patches released today, as exploitation of these #vulnerabilities could allow persistent access and control of enterprise networks".
None of the four vulnerabilities needs elevated privileges to exploit, and two — CVE-2021-28480 and CVE-2021-28481 — are believed to be wormable between Exchange Servers, according to a write-up by Trend Micro's Zero Day Initiative.
Apart from these critical vulnerabilities, Kaspersky researchers Boris Larin, Costin Raiu and Brian Bartholomew reported they had found a zero-day exploit in the Desktop Window Manager which was also patched in the April updates, part of Microsoft's monthly Patch Tuesday release, when a truckload of bugs are usually disclosed.
"Unfortunately, we weren’t able to capture a full chain, so we don’t know if the exploit is used with another browser zero-day, or coupled with known, patched vulnerabilities."
In all, Microsoft documented 114 vulnerabilities which it patched, 19 of which were classed as critical, 88 as important, and one as moderate.
This is a real story? https://t.co/3E8QCS7Hw4 — Ryan Naraine (@ryanaraine) April 13, 2021
"This is the largest number of CVEs addressed in a month by Microsoft this year, and it is slightly higher than April of last year," ZDI's Dustin Childs said in a blog post.
"...five of these bugs came through the ZDI program. None of the bugs being addressed this month were disclosed at the recent Pwn2Own contest."
Childs said six other bugs affected the Edge browser, which is based on Google's open-source Chromium browser, and were ingested from a recent Chromium update. "According to Microsoft, one bug is currently being exploited while four others are publicly known at the time of release," he added.
The US Gov have issued an emergency directive, saying to patch Exchange by Friday or disconnect the device. Note you need to be on a supported Cumulative Update to get the Security Update, and there is no mitigation to apply this time instead. https://t.co/UmhK5ZER8N — Kevin Beaumont (@GossiTheDog) April 13, 2021
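The point in that tweet, that the Security Update only installs on a supported Cumulative Update, is something an administrator has to verify per server before assuming the April patch has applied. The script below is an added example written for this article, not code from Microsoft, Kevin Beaumont or the article's author. It assumes it is run from the Exchange Management Shell by an account that can Invoke-Command onto each Exchange server, that the ExchangeInstallPath environment variable exists on those servers (it is set by Exchange setup), and that the $SupportedBuilds table is a placeholder the reader fills in from Microsoft's published Exchange build-number list; the zero builds shown are not real thresholds.

```powershell
# Added example, not code from the article or from Microsoft. Run from the Exchange
# Management Shell. For every Exchange server it reports the file version of
# ExSetup.exe (which changes with every Cumulative Update and Security Update) and
# the installed "Security Update for Exchange Server" packages, so you can see
# whether a server is on a supported CU and whether an SU actually landed.
# $SupportedBuilds is a placeholder: fill it from Microsoft's Exchange build-number
# table for your version lines; the 0.0.0.0 values here are not real thresholds.

param(
    # Placeholder: lowest ExSetup.exe build per major.minor line that still receives SUs.
    [hashtable]$SupportedBuilds = @{
        '15.2' = [version]'0.0.0.0'   # Exchange 2019 line (placeholder value)
        '15.1' = [version]'0.0.0.0'   # Exchange 2016 line (placeholder value)
        '15.0' = [version]'0.0.0.0'   # Exchange 2013 line (placeholder value)
    }
)

# Runs on each server: read the ExSetup.exe version and list installed Exchange SUs
# from the Uninstall registry hive (where Exchange SUs register as installed programs).
$remoteCheck = {
    $exsetup = Join-Path $env:ExchangeInstallPath 'Bin\ExSetup.exe'
    $fileVer = (Get-Item $exsetup).VersionInfo.FileVersion
    $sus = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*' |
           Where-Object { $_.DisplayName -like 'Security Update for Exchange Server*' } |
           Select-Object -ExpandProperty DisplayName
    [pscustomobject]@{ ExSetupVersion = $fileVer; SecurityUpdates = @($sus) }
}

$report = foreach ($srv in (Get-ExchangeServer | Sort-Object Name)) {
    try {
        $r   = Invoke-Command -ComputerName $srv.Fqdn -ScriptBlock $remoteCheck -ErrorAction Stop
        $ver = [version]$r.ExSetupVersion
        $key = '{0}.{1}' -f $ver.Major, $ver.Minor
        $min = $SupportedBuilds[$key]
        # A server below the supported CU build will not accept the SU at all.
        $supported = if ($min) { $ver -ge $min } else { 'unknown version line' }
        [pscustomobject]@{
            Server          = $srv.Name
            ExSetupVersion  = $ver
            OnSupportedCU   = $supported
            SecurityUpdates = ($r.SecurityUpdates -join '; ')
        }
    } catch {
        # Unreachable or unmanaged servers are reported rather than silently skipped.
        [pscustomobject]@{
            Server          = $srv.Name
            ExSetupVersion  = $null
            OnSupportedCU   = "error: $($_.Exception.Message)"
            SecurityUpdates = $null
        }
    }
}

$report | Format-Table -AutoSize
```

Servers that show OnSupportedCU as False need the Cumulative Update first; the Security Update will not install on them, which is exactly the case the tweet warns about. Servers that are on a supported CU but list no April entry under SecurityUpdates are the ones still exposed, and in the absence of a mitigation this time, the emergency directive quoted above is the relevant guidance.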
Commenting on the vulnerabilities, Satnam Narang, staff research engineer with security shop Tenable, said the four vulnerabilities had been rated 'Exploitation More Likely' using Microsoft's Exploitability Index.
"Two of the four vulnerabilities (CVE-2021-28480, CVE-2021-28481) are pre-authentication, meaning an attacker does not need to authenticate to the vulnerable Exchange server to exploit the flaw," he explained.
Microsoft also patched CVE-2021-28310, a Win32k Elevation of Privilege vulnerability that was exploited in the wild as a zero-day.
Narang said exploitation of this vulnerability would give an attacker elevated privileges on a vulnerable system. "This would allow an attacker to execute arbitrary code, create new accounts with full privileges, access and/or delete data and install programs," he warned.
"Elevation of Privilege vulnerabilities are leveraged by attackers post-compromise, once they've managed to gain access to a system in order to execute code on their target systems with elevated privileges."