Hello, welcome to the Wednesday, April 14th, 2021 edition of the Sandcent Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Jacksonville, Florida.

While it's Microsoft's patch Tuesday again, we got patches for 114 vulnerabilities, 19 of which are rated critical.

Four have been previously disclosed and one is currently already being exploited.

Looking at the numbers, to compare them with prior numbers, you also have to take into account

that this now includes Google Chrome vulnerabilities

that have been patched by Google. After all, Edge is now really just a version of Google Chrome.

But probably the most interesting part of this month patch Tuesday is that we have yet another set of four critical exchange

vulnerabilities. The CVSS score of these vulnerabilities is 9.8 and exploitation is likely

according to Microsoft. Given what we just went through with Exchange, I hope everybody kept good notes and can

get those patches quickly rolled out.

No public exploit yet as far as I know.

These vulnerabilities have been reported responsibly to Microsoft, so they're not aware of them already being exploited in the wild.

But again, with all of the extension being spent on exchange lately, I'm pretty sure that we will

have an exploit available shortly. Now, if you are applying these exchange patches, keep in mind you first always

have to update to a supported version of exchange. So you have to first apply a cumulative update

to get to a supported version, then you apply the April patch in order to have a fully patched system.

If you do have one of the supported versions of Microsoft Exchange, and you hadn't yet gotten

around to applying the March patches, which, well, you're really late at this point, but you

only need to apply the April patch.

It does include all the March updates as well.

Then we do also have a surprising large number of vulnerabilities in RPC services that are

...