Patch Tuesday May 2021
Microsoft released patches for 55 CVEs in Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server.
A total of 13 of these bugs came through the ZDI program. Of these 55 bugs, four are rated as Critical, 50 are rated as Important, and one is listed as Moderate in severity. According to Microsoft, three of these bugs are publicly known but none are listed as under active exploit at the time of release.
- 18 patches address Remote Code Execution bugs
- 11 patches address Elevation of Privilege bugs
- 10 patches address Information Disclosure bugs
CVE-2021-31181 – SharePoint Remote Code Execution Vulnerability
Microsoft released patches addressing a critical RCE vulnerability in SharePoint (CVE-2021-31181). This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 8.8 by the vendor.
CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability
Microsoft released patches addressing a critical RCE vulnerability in the Windows HTTP Protocol Stack. This vulnerability allows an unauthenticated attacker to remotely execute code in the kernel. It is wormable: an attacker only needs to send a maliciously crafted packet to an affected web server. This CVE has a high likelihood of exploitability and is assigned a CVSSv3 base score of 7.8 by the vendor.
Three Zero-Days Patched
Microsoft also addressed the following three publicly known 0-days with patches. Although none were exploited in the wild at the time of release, they should be prioritized for patching.
- CVE-2021-31204 – .NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-31200 – Common Utilities Remote Code Execution Vulnerability
The servicing stack advisory (ADV990001) was revised for all versions of Windows. No new advisories were released this month.