Microsoft’s April update patches 114 bugs—half of which allow remote code execution



The fourth Patch Tuesday of 2021 is another big one. Today, Microsoft revealed 114 vulnerabilities fixed in the monthly security update, over half of which could potentially be exploited by attackers for remote code execution. Of the 55 remote code execution bugs, over half were tied to Windows’ Remote Procedure Call (RPC) interface. Four more were Microsoft Exchange bugs (all urgent fixes) reported to Microsoft by the National Security Agency (CVE-2021-28480, CVE-2021-28481, CVE-2021-28482, and CVE-2021-28483). In addition, six Chrome vulnerabilities that were previously addressed by Google are included in the roll-up.

All 20 of the bugs rated as critical to patch by Microsoft in April were remote code execution bugs. A total of 87 were rated as important, and only one was given moderate importance: CVE-2021-28312, a Windows NTFS denial of service vulnerability that is less likely to be exploited.

As with all Patch Tuesdays, Microsoft has published analysis of the major fixes on their Security Updates page. But the release doesn’t ensure that the updates you need will automatically deploy quickly enough to your systems to shut down potential risks. To find and download this month’s Cumulative Update patch yourself, search for the term “2021-04” at the Microsoft Update Catalog website, and select the monthly security rollup that matches your computer’s CPU architecture and build of Windows. You can also read the full technical details about each patch in April’s Security Updates Guide.
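The paragraph above leaves the verification step to the reader. The PowerShell script below is an added example, not code from the Sophos article: it reports the host’s build and CPU architecture (so you can pick the right rollup in the Update Catalog), lists every servicing update installed on or after 13 April 2021 (the April 2021 Patch Tuesday date), and checks for a specific KB. The KB number of the April rollup for your build is not given on this page, so the default KB id is a placeholder to be replaced after looking it up; the registry path and the Get-HotFix and Win32_QuickFixEngineering behaviour are standard Windows.

```powershell
# Added example (not from the Sophos article): report whether this host has taken a
# Windows servicing update since the April 2021 Patch Tuesday (13 April 2021).
# The KB id of the rollup for your build is not given on the page; look it up in the
# Microsoft Update Catalog and pass it as -ExpectedKB (the default is a placeholder).
param(
    [string]   $ExpectedKB   = 'KB0000000',   # placeholder: replace with the real KB id
    [datetime] $PatchTuesday = '2021-04-13'
)

# Build identity: CurrentBuild is the major build, UBR the revision that each cumulative
# update bumps. Together they show which rollup the host is actually at.
$cv      = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$release = if ($cv.PSObject.Properties['DisplayVersion']) { $cv.DisplayVersion } else { $cv.ReleaseId }
$build   = '{0}.{1}' -f $cv.CurrentBuild, $cv.UBR

# Get-HotFix reads Win32_QuickFixEngineering, which lists quality and servicing-stack
# updates applied through Windows servicing. InstalledOn can be empty for some
# entries, so filter on it before comparing dates.
$allHotfixes = Get-HotFix
$recent = $allHotfixes |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
    Sort-Object InstalledOn -Descending

$expected = $allHotfixes | Where-Object HotFixID -eq $ExpectedKB

$status = if ($expected)  { 'patched (expected KB present)' }
          elseif ($recent) { 'updated since Patch Tuesday; confirm the KB matches your build' }
          else             { 'NO update installed since Patch Tuesday' }

[pscustomobject]@{
    ComputerName             = $env:COMPUTERNAME
    Architecture             = $env:PROCESSOR_ARCHITECTURE   # AMD64 / x86 / ARM64
    Release                  = $release
    Build                    = $build
    ExpectedKB               = $ExpectedKB
    ExpectedKBInstalled      = [bool]$expected
    UpdatesSincePatchTuesday = ($recent | ForEach-Object HotFixID) -join ', '
    Status                   = $status
}
```

Run it as an administrator with the real KB id, for example `.\Check-AprilRollup.ps1 -ExpectedKB KB0000000` (file name and KB are placeholders). The build/UBR pair is the more reliable signal: a cumulative update that failed to apply still shows up in neither Get-HotFix nor the UBR, whereas a partially installed one may appear in one but not the other.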


RPC RCE OMG

A quarter of the vulnerabilities called out this month (28 of them) were in a single Windows component: the Windows RPC interface. Of those, 27 are associated with the RPC runtime itself, and are all potentially exploitable for remote code execution:

Critical: CVE-2021-28329, CVE-2021-28330, CVE-2021-28331, CVE-2021-28332, CVE-2021-28333, CVE-2021-28334, CVE-2021-28335, CVE-2021-28336, CVE-2021-28337, CVE-2021-28338, CVE-2021-28339, CVE-2021-28343
Important: CVE-2021-28327, CVE-2021-28340, CVE-2021-28341, CVE-2021-28342, CVE-2021-28344, CVE-2021-28345, CVE-2021-28346, CVE-2021-28352, CVE-2021-28353, CVE-2021-28354, CVE-2021-28355, CVE-2021-28356, CVE-2021-28357, CVE-2021-28358, CVE-2021-28434

The remaining vulnerability, CVE-2021-27091, is an elevation of privileges vulnerability in the RPC Endpoint Mapper Service, rated by Microsoft as important.

Visual Studio Code, Microsoft’s free developer tool, has eight associated remote code execution vulnerabilities patched this month. Five are in Code itself (CVE-2021-28457, CVE-2021-28469, CVE-2021-28473, CVE-2021-28475, and CVE-2021-28477). The remaining three are in extensions: CVE-2021-28470 is a vulnerability in Code’s GitHub Pull Request and Issues extension, CVE-2021-28471 is in Code’s Remote Development Extension, and CVE-2021-28472 is in Code’s Maven for Java extension. There’s also an RCE bug in Visual Studio’s Kubernetes Tools patched in this round (CVE-2021-28448).

Also of note are five remote code execution vulnerabilities patched in Office and its components this month: In the overall Office suite (CVE-2021-28449); in Microsoft Excel (CVE-2021-28451 and CVE-2021-28454); a memory corruption bug in Outlook (CVE-2021-28452) that is remotely exploitable; and in Microsoft Word (CVE-2021-28453). Excel also has an information disclosure vulnerability patched (CVE-2021-28456). And Windows’ Network File System, which has had several bugs over the past few months, has another RCE vulnerability patched in April’s rollup (CVE-2021-28445).

Rounding out the remote code execution vulnerability parade are a number of graphics, image and video related bugs: Windows Media Video Decoder has two critical RCE bugs (CVE-2021-27095 and CVE-2021-28315). Windows’ Raw Image Extension has two RCEs rated by Microsoft as “important” (CVE-2021-28466 and CVE-2021-28468), and there’s another similarly rated vulnerability in the VP9 Video Extensions (CVE-2021-28464).

Other bugs of interest

One of the most unusual bugs patched is CVE-2021-27090, an elevation of privilege vulnerability in Windows Secure Kernel Mode. This component is part of Windows’ virtualization-based security (VBS) technology, and has a very small attack surface as it’s strictly isolated by the Hyper-V hypervisor from the rest of the operating system.


Among the more exploitable bugs in April’s fix list are three related to Windows’ TCP/IP driver: two denial of service vulnerabilities (CVE-2021-28319 and CVE-2021-28439) and an information disclosure bug (CVE-2021-28442). CVE-2021-28319 is another bug that harkens back to the “Ping of Death”: the flaw, in the Network Driver Interface Specification driver (ndis.sys), can be triggered remotely by connections using the TCP Fast Open option of the TCP/IP protocol. This bug is relatively easy to trigger, and could be exploited to cause a “Blue Screen of Death.”

The information leak bug in TCP/IP (CVE-2021-28442) is also related to TCP Fast Open, but in the TCP driver itself (tcpip.sys). A packet can leverage an overlap in TCP Fast Open and code that provides Local Area Network Denial (LAND) Attack protection in a way that results in tcpip.sys’ TcpSegmentTcbSend() function sending data from uninitialized memory back to the remote system.

Two new elevation of privilege bugs in win32k.sys, the kernel driver for Windows’ Graphics Device Interface, are also patched in April. One of them, CVE-2021-28310, is already being exploited in the wild, raising the urgency of the fix.

Protection

Here is a list of protection released by SophosLabs in response to this advisory to complement any existing protection and generic exploit mitigation:

CVE             IPS (XG Firewall)   IPS (Endpoint)   SAV
CVE-2021-28319  2305290             2305290          —
CVE-2021-28310  —                   —                Exp/2128310-A

Sophos aims to add detections for critical issues, based on the type and nature of the vulnerabilities, as soon as possible and where we have been given sufficient information to be able to do so. In many cases, existing detections in endpoint products (such as Intercept X) will catch and block exploit attempts without the need for updates.

Sophos
Type: Private
Industry: Computer software
Founded: 1985; 36 years ago
Founders: Jan Hruska, Peter Lammer
Headquarters: Abingdon, England
Products: Security software
Services: Computer security
Revenue: $640.7 million (2018)[1]
US$46.9 million (2018)[1]
US$66.3 million (2018)[1]
Owner: Thoma Bravo
Number of employees: 3,319 (2018)[1]
Website: sophos.com

Sophos Group plc is a British security software and hardware company. Sophos develops products for communication endpoint, encryption, network security, email security, mobile security and unified threat management. Sophos is primarily focused on providing security software to 100- to 5,000-seat organizations. While not a primary focus, Sophos also protects home users, through free and paid antivirus solutions (Sophos Home/Home Premium) intended to demonstrate product functionality. It was listed on the London Stock Exchange until it was acquired by Thoma Bravo in February 2020.

History

Sophos was founded by Jan Hruska and Peter Lammer and began producing its first antivirus and encryption products in 1985.[2] During the late 1980s and into the 1990s, Sophos primarily developed and sold a range of security technologies in the UK, including encryption tools available for most users (private or business). In the late 1990s, Sophos concentrated its efforts on the development and sale of antivirus technology, and embarked on a program of international expansion.[3]

In 2003, Sophos acquired ActiveState, a North American software company that developed anti-spam software. At that time viruses were being spread primarily through email spam and this allowed Sophos to produce a combined anti-spam and antivirus solution.[4] In 2006, Peter Gyenes and Steve Munford were named chairman and CEO of Sophos, respectively. Jan Hruska and Peter Lammer remain as members of the board of directors.[5] In 2010, the majority interest of Sophos was sold to Apax.[6] In 2010, Nick Bray, formerly Group CFO at Micro Focus International, was named CFO of Sophos.[7]

In 2011, Utimaco Safeware AG (acquired by Sophos in 2008–9) was accused of supplying data monitoring and tracking software to partners that had sold to governments such as Syria: Sophos issued a statement of apology and confirmed that it had suspended its relationship with the partners in question and launched an investigation.[8][9] In 2012, Kris Hagerman, formerly CEO at Corel Corporation, was named CEO of Sophos and joined the company's board. Former CEO Steve Munford became non-executive chairman of the board.[10] In February 2014, Sophos announced that it had acquired Cyberoam Technologies, a provider of network security products.[11] In June 2015, Sophos announced plans to raise US$100 million on the London Stock Exchange.[12] Sophos was floated on the FTSE in September 2015.[13]

On 14 October 2019 Sophos announced that Thoma Bravo, a US-based private equity firm, made an offer to acquire Sophos for US$7.40 per share, representing an enterprise value of approximately $3.9 billion. The board of directors of Sophos stated their intention to unanimously recommend the offer to the company's shareholders.[14] On 2 March 2020 Sophos announced the completion of the acquisition.[15]

Acquisitions and partnerships


From September 2003 to February 2006, Sophos served as the parent company of ActiveState, a developer of programming tools for dynamic programming languages: in February 2006, ActiveState became an independent company when it was sold to Vancouver-based venture capitalist firm Pender Financial.[16] In 2007, Sophos acquired ENDFORCE, a company based in Ohio, United States, which developed and sold security policy compliance and Network Access Control (NAC) software.[17][18] In November 2016, Sophos acquired Barricade, a pioneering start-up with a powerful behavior-based analytics engine built on machine learning techniques,[19] to strengthen synchronized security capabilities and next-generation network and endpoint protection. In February 2017, Sophos acquired Invincea, a software company that provides malware threat detection, prevention, and pre-breach forensic intelligence.[20][21][22]

In March 2020, Thoma Bravo acquired Sophos for $3.9 billion.[23]


References

  1. "Annual Report 2018" (PDF). Sophos. Retrieved 20 March 2019.
  2. "Sophos: the early years". Naked Security.
  3. "Exterminator Tools". Windows IT Pro. 15 November 1999. Retrieved 24 April 2017.
  4. "Sophos acquires anti-spam specialist ActiveState". www.sophos.com. Retrieved 3 January 2016.
  5. "Sophos Management Team | Global Leaders in IT Security". sophos.com.
  6. "Apax Partners to acquire majority stake in Sophos".
  7. "Board of Directors".
  8. "The Bureau Investigates article". Archived from the original on 4 December 2011.
  9. "Statement from Sophos on Recent Media Reports".
  10. "Sophos Board of Directors webpage".
  11. "Sophos Acquires Cyberoam to Boost Layered Defense Portfolio". Infosecurity Magazine.
  12. "Sophos Plans $100 Million London IPO".
  13. "Sophos joins the UK's top public companies in the FTSE 250".
  14. "Sophos founders exit before Thoma Bravo sale". Global Capital. 5 December 2019. Retrieved 25 February 2020.
  15. "Sophos opens new chapter with take-private acquisition".
  16. "ActiveState Acquired by Employees and Pender Financial Group; Company Renews Focus on Tools and Solutions for Dynamic Languages". Business Wire. 22 February 2006. Retrieved 24 April 2017.
  17. "Sophos buys Endforce for network access control". Network World. 11 January 2007. Retrieved 24 April 2017.
  18. Wauters, Robin. "Sophos beefs up on online security, acquires Dutch security software firm SurfRight for $31.8 million". Retrieved 2 August 2016.
  19. https://www.sophos.com/en-us/press-office/press-releases/2016/11/sophos-acquires-security-analytics-start-up-in-ireland.aspx
  20. "Sophos Adds Advanced Machine Learning to Its Next-Generation Endpoint Protection Portfolio with Acquisition of Invincea". Sophos. 8 February 2017. Retrieved 11 February 2017.
  21. "Sophos grows anti-malware ensemble with Invincea". Sophos. 8 February 2017. Retrieved 11 February 2017. Quote: "One may ask, if you already have great next-generation technology, why do you need Invincea’s technology? ... Think of Invincea as the superhero that takes our ensemble to the next level – the entity that adds neural network-based machine learning to the team."
  22. "Sophos to Acquire Invincea to Add Industry Leading Machine Learning to its Next Generation Endpoint Protection Portfolio". Invincea. 8 February 2017. Retrieved 11 February 2017.
  23. "Thoma Bravo completes $3.9B Sophos acquisition". TechCrunch. Retrieved 7 April 2020.


Retrieved from 'https://en.wikipedia.org/w/index.php?title=Sophos&oldid=1014829104'