Microsoft has released the May 2021 security updates, which include patches for 55 vulnerabilities, 4 of them rated Critical. The updates also include fixes for 3 zero-day flaws.
A remote attacker could exploit some of these vulnerabilities to take control of unpatched systems.
In all, the Microsoft security updates address vulnerabilities in the following products:
- .NET Core & Visual Studio
- Internet Explorer
- Microsoft Accessibility Insights for Web
- Microsoft Bluetooth Driver
- Microsoft Dynamics Finance & Operations
- Microsoft Exchange Server
- Microsoft Graphics Component
- Microsoft Office
- Microsoft Office Access
- Microsoft Office Excel
- Microsoft Office SharePoint
- Microsoft Office Word
- Microsoft Windows Codecs Library
- Microsoft Windows IrDA
- Open Source Software
- Role: Hyper-V
- Skype for Business and Microsoft Lync
- Visual Studio
- Visual Studio Code
- Windows Container Isolation FS Filter Driver
- Windows Container Manager Service
- Windows Cryptographic Services
- Windows CSC Service
- Windows Desktop Bridge
- Windows OLE
- Windows Projected File System FS Filter
- Windows RDP Client
- Windows SMB
- Windows SSDP Service
- Windows WalletService
- Windows Wireless Networking.
Critical RCE bugs
Microsoft addressed 4 Critical remote code execution (RCE) vulnerabilities in this month’s updates. The patches cover Internet Explorer 11, Windows Server 2012 R2 (Server Core installation), Windows Server version 20H2 (Server Core Installation) and Windows 10.
The 4 patched RCE vulnerabilities include:
- CVE-2021-26419: Scripting Engine Memory Corruption Vulnerability
- CVE-2021-28476: Hyper-V Remote Code Execution Vulnerability
- CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability
- CVE-2021-31194: OLE Automation Remote Code Execution Vulnerability.
The highest-rated vulnerability (with a CVSS base score of 9.9) is CVE-2021-28476, which could result in denial of service attacks as well as “other side effects” such as remote code execution.
“It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security,” Microsoft said.
On a lighter note, Microsoft said exploitation of these bugs was “less likely.”
The 3 fixed zero-day vulnerabilities include:
- CVE-2021-31204: .NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-31200: Common Utilities Remote Code Execution Vulnerability.
All of these flaws are rated Moderate, and there were no known public exploits at the time of the advisory.
Other security updates
In addition to the Critical RCEs and zero-days, Microsoft also patched 48 other Important or Moderate rated vulnerabilities across multiple products. The tech giant addressed various types of vulnerabilities, including Denial of Service, Elevation of Privilege, Information Disclosure, RCE, Security Feature Bypass and Spoofing.
In summary, this month’s patch update was relatively light as compared to previous releases.