Action1 5 Blog 5 Microsoft Patch Tuesday, May 2021 Review

Microsoft Patch Tuesday, May 2021 Review

May 12, 2021

By Peter Barnett

Today, the second Tuesday of May, is Microsoft’s Patch Tuesday. This month’s patch release includes fixes for 55 CVEs  50 classified as Important, one moderate, and four marked as critical. Microsoft also patched three zero-day vulnerabilities that were publicly disclosed but not yet exploited at the time of this release. The 55 fixes touch on various Microsoft products and services, including Exchange Server, Skype for Business, Visual Studio, MS Office, .NET Core, SharePoint Server, and Hyper-V.

Along with May’s patch cycle, Microsoft also rolled out cumulative updates for all supported versions of Windows. The freshly updated Windows 10 OS builds 19041.895 and 19042.895 mostly feature enhanced security for Windows System Core Components, browsers, and other basic functions, plus a couple of new peripheral drivers and UI elements.

Let’s get back to the security flaws addressed in this month’s patch dump. Here is an overview of the three zero-day vulnerabilities and other noteworthy fixes:

The Three Zero-day Vulnerabilities

This trio was publicly disclosed, but there were no reported cases of any active exploits in the wild.

CVE-2021-31204 NET and Visual Studio Elevation of Privilege Vulnerability

This elevation of privilege bug was also first reported on GitHub. According to the explanation given, the flaw affects .NET 5.0 and .NET Core 3.1 when the user runs a single-file application on Unix-based Operating Systems, including Linux and macOS. Microsoft listed this fix as Important.

CVE-2021-31200 Common Utilities RCE Vulnerability

CVE-2021-31207 is a moderate-severity flaw in Microsoft Exchange Server. It’s not clear how it got discovered, but it was part of the Pwn2Own 2021 hacking challenge organized by ZDI. There were three more patches for Microsoft Exchange Server fixing CVE-2021-31195CVE-2021-31198, and CVE-2021-31209, related to RCE and spoofing vulnerabilities.

Other Critical and Important Fixes in May’s Patch Bundle

CVE-2021-28476 Hyper-V RCE Vulnerability

With a 9.9 score on the CVSS scale, CVE-2021-28476 topped the severity ranking for all the vulnerabilities addressed this month. However, according to Microsoft, a threat actor might be more inclined to exploit the loophole for a DoS attack rather than an outright RCE attack. Due to the complexity involved in a DoS attack, the severity level drops to 8.5, but the bug remains critically severe for the less sophisticated RCE exploit.

CVE-2021-31166 HTTP Protocol Stack RCE Bug

This HTTP Protocol Stack RCE comes a close second in severity rating at 9.8. The potential exploit has a low complexity rating. An unauthenticated actor could execute code as kernel by simply sending a specially designed packet to the target server. Such an exploit does not require any user interaction, making it potentially wormable. The patch is a top priority for server systems running HTTP protocols, including Windows 10 machines configured as servers.

CVE-2020-24587 Windows Wireless Networking Information Disclosure Flaw

This month’s patch release fixes a bug in Windows Wireless Networking that could allow an attacker to disclose the encrypted information in wireless packets on a vulnerable system. CVE-2020-24587 only scores a 6.5 CVSS, but little is known about its possible exploits. Since the flaw was first listed in 2020 as two other CVEs in today’s release it’s clear that Microsoft took some time to develop the fix.

CVE-2021-27068 Visual Studio RCE Vulnerability

The new patch fixes a remote code execution bug in Visual Studio 2009. The exploit does not seem to need user interaction, so it’s still unclear how an attacker would utilize this flaw. And even though the attack may not require authentication to execute the remote code, the exploit’s complexity is ranked as Low. But it’s still an essential patch for Visual Studio users, particularly VB programmers.

Recommended Action

As usual, Microsoft recommends that users immediately install the new patches and updates on the vulnerable systems. Although none of the security bugs listed today have been exploited so far, the threat of potential exploits still stands. Keep your Windows systems updated to seal off any known and unknown security vulnerabilities. Click here to view the complete list of CVEs for May Patch Tuesday, showing the affected Windows systems, workarounds, and other useful notes.

Stay tuned for more on Windows updates and fixes in next month’s Patch Tuesday on June 8.

Never Miss an Update With Action1 Patch Management

New patches and features updates present opportunities to improve your IT performance and safeguard your digital assets against internal and external threats. It’s up to you to ensure that these patches are installed correctly and promptly to avoid compromising your IT security posture and efficiency.

With the Action1 patch management solution, you never have to worry about patches or other updates on your Windows systems. Action1 enables automated patching on Windows OS and features while allowing real-time control and visibility into the updates already installed and those that are missing. Our patch manager reinforces your endpoint security by automatically scanning and deploying all the necessary Windows updates as soon as they’re released.

Start your Action1 free trial today and sample the freedom, peace of mind, convenience, and reassurance of protecting your software infrastructure using the most robust and dependable automated patch management solution.

See What You Can Do with Action1 RMM

 

Join our weekly LIVE webinar “Patching and remote management” to learn more

about Action1 RMM features and use cases for your IT needs.

 

Related Posts

6-Step Patch Management Process

Patch management is often a complicated process because many organizations use proprietary software. The lack of enough staff members and strict legal requirements also...

read more