Today, the second Tuesday of May, is Microsoft’s Patch Tuesday. This month’s patch release includes fixes for 55 CVEs — 50 classified as Important, one moderate, and four marked as critical. Microsoft also patched three zero-day vulnerabilities that were publicly disclosed but not yet exploited at the time of this release. The 55 fixes touch on various Microsoft products and services, including Exchange Server, Skype for Business, Visual Studio, MS Office, .NET Core, SharePoint Server, and Hyper-V.
Along with May’s patch cycle, Microsoft also rolled out cumulative updates for all supported versions of Windows. The freshly updated Windows 10 OS builds 19041.895 and 19042.895 mostly feature enhanced security for Windows System Core Components, browsers, and other basic functions, plus a couple of new peripheral drivers and UI elements.
Let’s get back to the security flaws addressed in this month’s patch dump. Here is an overview of the three zero-day vulnerabilities and other noteworthy fixes:
The Three Zero-day Vulnerabilities
This trio was publicly disclosed, but there were no reported cases of any active exploits in the wild.
CVE-2021-31204— NET and Visual Studio Elevation of Privilege Vulnerability
This elevation of privilege bug was also first reported on GitHub. According to the explanation given, the flaw affects .NET 5.0 and .NET Core 3.1 when the user runs a single-file application on Unix-based Operating Systems, including Linux and macOS. Microsoft listed this fix as Important.
CVE-2021-31200— Common Utilities RCE Vulnerability
CVE-2021-31207 is a moderate-severity flaw in Microsoft Exchange Server. It’s not clear how it got discovered, but it was part of the Pwn2Own 2021 hacking challenge organized by ZDI. There were three more patches for Microsoft Exchange Server fixing CVE-2021-31195, CVE-2021-31198, and CVE-2021-31209, related to RCE and spoofing vulnerabilities.
Other Critical and Important Fixes in May’s Patch Bundle
CVE-2021-28476— Hyper-V RCE Vulnerability
With a 9.9 score on the CVSS scale, CVE-2021-28476 topped the severity ranking for all the vulnerabilities addressed this month. However, according to Microsoft, a threat actor might be more inclined to exploit the loophole for a DoS attack rather than an outright RCE attack. Due to the complexity involved in a DoS attack, the severity level drops to 8.5, but the bug remains critically severe for the less sophisticated RCE exploit.
CVE-2021-31166— HTTP Protocol Stack RCE Bug
This HTTP Protocol Stack RCE comes a close second in severity rating at 9.8. The potential exploit has a low complexity rating. An unauthenticated actor could execute code as kernel by simply sending a specially designed packet to the target server. Such an exploit does not require any user interaction, making it potentially wormable. The patch is a top priority for server systems running HTTP protocols, including Windows 10 machines configured as servers.
CVE-2020-24587— Windows Wireless Networking Information Disclosure Flaw
This month’s patch release fixes a bug in Windows Wireless Networking that could allow an attacker to disclose the encrypted information in wireless packets on a vulnerable system. CVE-2020-24587 only scores a 6.5 CVSS, but little is known about its possible exploits. Since the flaw was first listed in 2020 — as two other CVEs in today’s release — it’s clear that Microsoft took some time to develop the fix.
CVE-2021-27068— Visual Studio RCE Vulnerability
The new patch fixes a remote code execution bug in Visual Studio 2009. The exploit does not seem to need user interaction, so it’s still unclear how an attacker would utilize this flaw. And even though the attack may not require authentication to execute the remote code, the exploit’s complexity is ranked as Low. But it’s still an essential patch for Visual Studio users, particularly VB programmers.
As usual, Microsoft recommends that users immediately install the new patches and updates on the vulnerable systems. Although none of the security bugs listed today have been exploited so far, the threat of potential exploits still stands. Keep your Windows systems updated to seal off any known and unknown security vulnerabilities. Click here to view the complete list of CVEs for May Patch Tuesday, showing the affected Windows systems, workarounds, and other useful notes.
Stay tuned for more on Windows updates and fixes in next month’s Patch Tuesday on June 8.
Never Miss an Update With Action1 Patch Management
New patches and features updates present opportunities to improve your IT performance and safeguard your digital assets against internal and external threats. It’s up to you to ensure that these patches are installed correctly and promptly to avoid compromising your IT security posture and efficiency.
With the Action1 patch management solution, you never have to worry about patches or other updates on your Windows systems. Action1 enables automated patching on Windows OS and features while allowing real-time control and visibility into the updates already installed and those that are missing. Our patch manager reinforces your endpoint security by automatically scanning and deploying all the necessary Windows updates as soon as they’re released.
Start your Action1 free trial today and sample the freedom, peace of mind, convenience, and reassurance of protecting your software infrastructure using the most robust and dependable automated patch management solution.