If it weren't for the serious security issues surrounding on-premises Microsoft Exchange servers (CVE-2021-2685, CVE-2021-27065, CVE-2021-26857 and CVE-2021-26858), I would say things look pretty good for this month's Patch Tuesday. There are still things to test on the desktop, including printing, remote desktop connections via VPNs, and graphically intensive operations. And while the other lower-rated Microsoft Office and Development platform updates require attention, they don’t require a rapid response and can be added to the regular testing regime and deployment cadence.

I've included a helpful infographic that looks a little lopsided again this month, as all of the attention should be on the Windows and Office components.

There are two updates to the Microsoft Windows platforms this month that look high-risk, including:

Both of these significant changes affect all supported Microsoft Windows desktop and server platforms. Working with Microsoft, we've developed a system that combs through Microsoft updates and matches any file changes (deltas) released each month against our testing library. The result is a “hot-spot” testing matrix that helps drive our portfolio testing process.
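To make the delta-matching idea concrete, here is a small added illustration (not the author's or Microsoft's system) of how a "hot-spot" matrix can be derived: each update's changed files are mapped onto the test scenarios that exercise those files, scenarios are ranked by how many changed files they touch, and changed files that no scenario covers are surfaced as testing gaps. All update ids, file names and scenario names below are constructed for the example.

```python
"""Toy 'hot-spot' testing matrix.

Added illustration only: maps the files an update changes onto the test
scenarios that exercise those files. Update ids, file names and scenario
names are constructed sample data, not real Microsoft release contents.
"""
from collections import defaultdict

# Constructed test library: scenario -> binaries/subsystems it exercises.
TEST_LIBRARY = {
    "printing": {"win32spl.dll", "spoolsv.exe", "localspl.dll"},
    "remote desktop over VPN": {"mstscax.dll", "rdpcorets.dll", "rasapi32.dll"},
    "JPEG rendering": {"windowscodecs.dll", "gdi32.dll"},
    "graphics-intensive apps": {"gdi32.dll", "win32kfull.sys", "dxgkrnl.sys"},
    "streaming audio": {"audiosrv.dll", "audioeng.dll"},
}

# Constructed delta manifest: update id -> files the update replaces.
UPDATE_DELTAS = {
    "KB-EXAMPLE-1": {"win32kfull.sys", "gdi32.dll", "ntoskrnl.exe"},
    "KB-EXAMPLE-2": {"win32spl.dll", "localspl.dll"},
}


def hotspot_matrix(deltas, library):
    """Return {update_id: [(scenario, changed_files_hit), ...]}.

    Scenarios are sorted by number of changed files they touch (descending),
    then by name, so the top entry is the first thing to test.
    """
    # Invert the library once: file -> scenarios that exercise it.
    file_to_scenarios = defaultdict(set)
    for scenario, files in library.items():
        for f in files:
            file_to_scenarios[f.lower()].add(scenario)

    matrix = {}
    for update_id, changed in deltas.items():
        hits = defaultdict(int)
        for f in changed:
            for scenario in file_to_scenarios.get(f.lower(), ()):
                hits[scenario] += 1
        matrix[update_id] = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return matrix


def uncovered_files(deltas, library):
    """Changed files that no scenario exercises: gaps to add tests for."""
    covered = {f.lower() for files in library.values() for f in files}
    return {
        update_id: sorted(f for f in changed if f.lower() not in covered)
        for update_id, changed in deltas.items()
    }


def monthly_priorities(matrix):
    """Collapse the per-update matrix into one ranked list for the month."""
    totals = defaultdict(int)
    for scenarios in matrix.values():
        for scenario, hits in scenarios:
            totals[scenario] += hits
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    matrix = hotspot_matrix(UPDATE_DELTAS, TEST_LIBRARY)
    for update_id, scenarios in matrix.items():
        print(update_id, "->", scenarios)
    print("uncovered:", uncovered_files(UPDATE_DELTAS, TEST_LIBRARY))
    print("month priorities:", monthly_priorities(matrix))
```

The uncovered-file report is the part worth keeping an eye on: a kernel binary that changes every month but maps to no scenario is exactly the kind of silent gap that lets a compatibility regression through the "Test before Deploy" gate.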

This month, our analysis of this Patch Tuesday release generated the following testing scenarios:

Lower on the priority list, we suggest testing VPN connections, JPEG image file rendering, and streaming audio (to make sure it still functions as expected).

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. I've referenced a few key issues that relate to the latest builds from Microsoft including:

You can also find Microsoft’s summary of Known Issues for this release in a single page.

There were a number of mid-month updates and revisions to documentation and published information for several CVE releases, including: CVE-2021-24094 and CVE-2021-24086 (both addressing a common Windows TCP/IP Remote Code Execution Vulnerability). These revisions only included minor documentation updates to the CVE entries — no further action is required.

Very much like the mid-month revisions posted during February from Microsoft, there is a short list of updates with mitigation or published work-arounds:

If you dealt with these suggested actions in February, no further action is required for this month's release.

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

This month is the first where Microsoft has started differentiating the open-source Chromium updates from standard browser patches in update release documentation. With only a single (important) update to Microsoft Internet Explorer (CVE-2021-27085), the vast majority of updates this month (33) are attached to the Chromium project. Given how Microsoft's Edge is not as integrated in the desktop (and to a much lesser degree, server platforms), we don't see as many upgrade or peer-level compatibility issues when updating its binaries.

Microsoft Edge is pretty much designed to be upgraded or updated without causing integration issues. Given the other low impact updates to Internet Explorer, we suggest that you add these updates to your standard update schedule.

Unusually, we find that the Windows updates for this month are not the center of attention. This is still a big update to the Windows ecosystem, with a publicly reported exploit (CVE-2021-27077) in the GDI graphics subsystem, six updates rated as critical and the remaining 45 patches rated as important. We also see a lot of "areas" covered, including core kernel and GDI components that have historically caused compatibility issues.

Here's a short list of the critical updates and the features affected:

I recommend that you look at the following CVEs (all rated as important by Microsoft) for potential app compatibility and/or integration issues:

Some (potential) troublemakers include CVE-2021-1640 and CVE-2021-26878, both of which update the printing subsystem. Add this month's Windows Patch Tuesday updates to your "Test before Deploy" update release schedule.

Microsoft has released 11 updates, all rated important, to the Microsoft Office and SharePoint platforms, covering the following application or feature groupings: SharePoint, Excel, Visio, and PowerPoint.

All 11 of these reported Microsoft Office vulnerabilities require local access and user interaction (no worms this month). Usually, the Excel security issues are a concern, but not this month. And if it weren't for the Exchange issues this month, I would say these updates could be added to your standard Office update schedule without much concern. However, we have (now) four very serious Microsoft Exchange issues that require immediate attention for all locally installed Exchange Servers (CVE-2021-2685, CVE-2021-27065, CVE-2021-26857, and CVE-2021-26858).

Microsoft has been updating these four super-urgent-critical issues throughout the week, each change adding to the potential scope of concern. I think the advice from CISA to "patch or unplug your servers from the internet" probably says enough about these serious reported vulnerabilities in locally installed, on-premises Microsoft Exchange Servers. Office 365, anyone?

Patch your Exchange Servers before your morning cup of tea, and then add the remaining Office updates to your regular update schedule.

Microsoft has released six updates to the Microsoft development platforms, one rated critical and the remaining five rated important. This single critical update relates to the local Git components for Visual Studio, and all the remaining important updates pertain to Visual Studio as well. We walked through each of these updates; the integration impact is marginal, and without a compelling event to drive a rapid response, we suggest you add these to your regular update schedule.

Will this be the last we hear from Flash? I have said so before, and have been (sadly) corrected. Nothing to report from Microsoft for March. Let's see if we can retire this section in April.

ITNews