Microsoft released patches for 55 vulnerabilities - including three publicly known flaws - as part of its regularly-scheduled monthly security release, Tuesday.
Overall, Microsoft’s May Patch Tuesday advisory addressed four critical flaws - all of which can allow for remote code execution - as well as 50 important-severity vulnerabilities and one moderate-severity bug. None of the flaws are listed as being actively exploited, according to Microsoft.
The fixed bugs exist in various Microsoft products, including Microsoft Windows, .NET Core and Visual Studio, Internet Explorer, Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Exchange Server.
The three publicly known flaws include an important-severity elevation of privilege flaw in .NET Core and Visual Studio (CVE-2021-31204), which was previously disclosed on GitHub. According to an explanation of the flaw on GitHub, the flaw "exists in .NET 5.0 and .NET Core 3.1 when a user runs a single file application on Operating Systems based on Linux or macOS.”
Other previously disclosed flaws that were fixed on Tuesday include an important-severity common utilities remote code execution bug (CVE-2021-31200) and a moderate-severity security feature bypass flaw in Microsoft Exchange Server (CVE-2021-31207).
Microsoft additionally patched a slew of critical-severity flaws, including an HTTP protocol stack flaw (CVE-2021-31166) that could enable remote code execution. The flaw ranks 9.8 out of 10 on the CVSS scale. According to Dustin Childs, with Trend Micro’s Zero Day Initiative, an attacker could be unauthenticated to exploit the flaw, and would simply need to send a specially crafted packet to an affected server. Childs stressed that businesses should “definitely put this on the top of your test-and-deploy list.”
“That makes this bug wormable, with even Microsoft calling that out in their write-up,” according to Childs in an analysis. “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well.”
Also addressed was a remote code execution bug (CVE-2021-28476) in Hyper-V, which has the highest severity rating of all vulnerabilities for this month with a CVSS score of 9.9. The other two critical-severity flaws disclosed by Microsoft include a vulnerability in OLE Automation (CVE-2021-26419) that could enable remote code execution, and a memory corruption bug in Microsoft’s Scripting Engine (CVE-2021-28461) affecting Internet Explorer. Exploitation of this latter flaw, which could allow for remote code execution, is “more likely” according to Microsoft.
Microsoft also patched a remote code execution flaw in Visual Studio (CVE-2021-27068) and an information disclosure vulnerability (CVE-2020-24587) in Windows wireless networking that allows an attacker to disclose the contents of encrypted wireless packets on an affected system.
The May security updates come on the heels of Microsoft’s April fixes, which included four new zero days in Exchange Server that the National Security Agency discovered and disclosed to the company.