Microsoft’s security patches for May fix 55 vulnerabilities – Redmondmag.com
Microsoft’s May Security Patches Fix 55 Vulnerabilities
Microsoft released its May security patches on Tuesday, as outlined in its extensive “Security Update Guide.”
The patches fix 55 common vulnerabilities and exposures (CVEs) in Microsoft software products, according to counts from security researchers, like this one by Dustin Childs of Trend Micro’s Zero Day Initiative. Only four CVEs this month were described as “critical” in terms of severity. Fixes for 50 “significant” vulnerabilities, plus one rated “moderate” were also included in the May bundle.
Rather than using these adjectives, however, Microsoft typically just provides a Common Vulnerability Scoring System (CVSS) number, which ranges in severity from 1 to 10. Microsoft’s security bulletins now include only standard generic descriptions. Nevertheless, security researchers still share their ideas, despite Microsoft’s approach.
A list of affected Microsoft software, along with workarounds and “known issues,” is available in Microsoft’s May “Release Notes” publication.
Publicly Known Vulnerabilities
None of the vulnerabilities were considered to be under active attack. However, three CVEs were described as being known to the public before Microsoft’s May patch was released on Tuesday, according to Childs. These publicly known vulnerabilities include:
- CVE-2021-31204, a significant elevation of privilege (CVSS 7.3) vulnerability in .NET Core 3.1 and .NET 5.0, plus Visual Studio 2019
- CVE-2021-31200, a significant remote code execution vulnerability (CVSS 7.2) in the open source Neural Network Intelligence toolkit
- CVE-2021-31207, a moderate security bypass vulnerability (CVSS 6.6) in Exchange Server 2016 and 2019 products, and even Exchange Server 2013 (the flaw was discovered during the Pwn2Own 2021 hacking competition)
Exchange Server has been a major target in recent times, following Microsoft’s disclosure of the so-called “ProxyLogon” vulnerabilities on March 2, allegedly exploited by a nation-state actor “Hafnium”. For this month, the Exchange Server remediation work continues.
The May patch bundle contains four different Exchange Server fixes. One of them is credited to the original ProxyLogon researcher, according to Satnam Narang, a research engineer at cybersecurity firm Tenable.
“Microsoft has also fixed four vulnerabilities in Microsoft Exchange Server,” Narang said of the May fixes, via email. “The flaws, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209, and CVE-2021-31195, are all rated significant or moderate. CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, which was responsible for the disclosure of the ProxyLogon Exchange Server vulnerability which was patched in an out-of-band version in March.”
Four “Critical” Vulnerabilities
Of the four vulnerabilities deemed critical by security researchers in this month’s patch bundle, only two are ranked high on the CVSS scale.
Here are these four critical vulnerabilities:
- CVE-2021-28476 (CVSS 9.9), a remote code execution vulnerability in Hyper-V for Windows clients and servers that “allows a guest virtual machine to force the Hyper-V host kernel to read from an arbitrary and potentially invalid address,” potentially leading to a denial of service
- CVE-2021-31166 (CVSS 9.8), a remote code execution vulnerability in the Windows 10 and Windows Server HTTP protocol stack that can be initiated by sending a “specially crafted packet to a targeted server,” allowing “wormable” attacks
- CVE-2021-31194 (CVSS 7.8), a remote code execution vulnerability in Object Linking and Embedding (OLE) automation in Windows 10 and Windows Server
- CVE-2021-26419 (CVSS 6.4), a memory corruption vulnerability in the Internet Explorer 11 browser scripting engine that can be used to embed an ActiveX control in a Microsoft Office application or document
The critical Hyper-V vulnerability (CVE-2021-28476) could allow an attacker to run “malicious binaries” in virtual machines or on the host system, according to Justin Knapp, senior director of product marketing at security solutions company Automox.
“To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code if it fails to properly validate vSMB packet data,” Knapp noted in Automox’s Patch Tuesday comments.
Microsoft discovered the critical HTTP Protocol Stack vulnerability (CVE-2021-31166) internally, Narang noted. Its wormable nature means that an attack “can replicate itself without human intervention,” as was observed during the infamous “WannaCry” attacks of 2017, he added.
The critical OLE Automation vulnerability (CVE-2021-31194) requires someone to visit a maliciously crafted website, Knapp noted. However, the exploitation of OLE is old territory for attackers.
“OLE technology has often been used in the past by hackers for a variety of reasons, including to hide malicious code in documents and to link to external files that infect systems with malware,” Knapp said. “In 2020, the CISA issued an alert detailing the top 10 regularly exploited vulnerabilities, which identified Microsoft’s OLE as the technology most commonly exploited by state-sponsored cyber actors.”
Therefore, Knapp advised organizations to “immediately prioritize the remediation of all outstanding OLE vulnerabilities.”
Kurt Mackie is Senior News Producer for 1105 Media’s Converge360 Group.