Microsoft patches three zero-days in May 2021 Patch Tuesday update
Security update includes patches for Windows, Internet Explorer, Exchange Server, Office, .NET Core, Visual Studio, SharePoint Server, Hyper-V, Skype for Business and Lync
Microsoft has released its May 2021 Patch Tuesday update, addressing a total of 55 security vulnerabilities across various products and platforms.
Of all security flaws fixed this month, four are rated as 'Critical', 50 'Important' while one is 'Moderate' in severity.
Overall, the security update includes patches for Microsoft Windows, Internet Explorer (IE), Microsoft Exchange Server, Microsoft Office, .NET Core and Visual Studio, SharePoint Server, Hyper-V, Open-Source Software, Skype for Business and Microsoft Lync.
This month, Microsoft has issued patches for three zero-days that were publicly disclosed but not known to be actively exploited in the wild.
One of them is CVE-2021-31204, an elevation of privilege vulnerability impacting .NET and Visual Studio.
Another zero-day bug, indexed as CVE-2021-31200, is a common utilities remote code execution vulnerability impacting Microsoft's NNI (Neural Network Intelligence) toolkit. It was discovered and reported by Abhiram V of Resec System.
The third zero-day patched this month is tracked as CVE-2021-31207. It is a Microsoft Exchange Server security feature bypass vulnerability that was found during PWN2OWN 2021.
Among all bugs critical bugs fixed this month, CVE-2021-31166 is flagged as the most pressing priority for admins. This HTTP Protocol Stack RCE bug impacting Windows 10 and some versions of Windows Server could enable an unauthenticated attacker to remotely execute code as kernel.
To exploit the vulnerability, an attacker would just need to send a specially crafted packet of data to an affected server. According to Microsoft, this bug has the potential to be wormable. Hackers could exploit it self-replicate across the internal network and disrupt internal services that may not have been exposed.
Kevin Breen, director of cyber threat research at Immersive Labs, said that the bug's CVSS score of 9.8 should be enough to indicate just how important it is to patch.
"For ransomware operators, this kind of vulnerability is a prime target for exploitation," Breen said.
"As this specific exploit would not require any form of authentication, it's even more appealing for attackers, and any organisation using HTTP.sys protocol stack should prioritize this patch."
CVE-2021-26419 is a scripting engine memory corruption bug impacting IE11. To exploit the bug, a user would have to visit an attacker-controlled website, although it could also be triggered by embedding ActiveX controls in Office Documents, according to Microsoft.
The third critical bug, CVE-2021-31194, exists in the Microsoft Windows OLE Automation.
CVE-2021-28476 is another critical bug that exists in Windows Hyper-V and could allow an attacker to execute arbitrary code. Windows Hyper-V is Microsoft's native hypervisor that can create and run virtual machines on x86-64 systems running Windows.
CVE-2021-31188 and CVE-2021-31170 are local privilege escalation bugs that exist in the Windows Graphics Component. Microsoft considers these two vulnerabilities more likely to be exploited by threat actors. These security flaws were discovered by the ZeroDayInitiative (ZDI) researcher team.
CVE-2021-28474 is a post-authentication flaw that which could allow an authenticated attacker to run arbitrary code on remote SharePoint Servers.
Last month, Microsoft addressed 110 security vulnerabilities, of which 19 were rated as 'critical', while the rest were 'important' in severity. As part of the April Patch Tuesday update, Microsoft also addressed five zero-day flaws that were previously unknown to the company. Of those zero-days, one was actively under attack from threat groups.
In March, Microsoft also released out-of-band security updates to address four zero-day vulnerability that were being actively exploited by hackers to compromise Exchange Server.