News

Microsoft Patches 55 Vulnerabilities in May Update

• By Kurt Mackie
• 05/11/2021

The May security patch bundle from Microsoft is out, and researchers have set the tally at 55 common vulnerabilities and exposures (CVEs) being addressed.

Microsoft listed the patches in its voluminous "Security Update Guide." Four CVEs this month were described as "Critical" in severity, 50 were deemed "Important" and one was "Moderate."

Microsoft doesn't use those adjectives, though, instead just providing a Common Vulnerability Scoring System (CVSS) number, ranging from 1 to 10 in severity. Microsoft's security bulletins also now typically just include boilerplate generic descriptions. Despite Microsoft's approach, security researchers -- such as Dustin Childs of Trend Micro's Zero Day Initiative -- are still sharing their insights.

A list of the affected Microsoft software, plus workarounds and "known issues," can be found in this May "Release Notes" Microsoft publication.

Publicly Known Vulnerabilities
None of the vulnerabilities were deemed to be under active attack. However, three CVEs were described as being publicly known before Microsoft's May patch Tuesday disclosure, according to Childs. These publicly known vulnerabilities include:

• CVE-2021-31204, an Important (CVSS 7.3) elevation of privilege flaw in .NET Core 3.1 and .NET 5.0, plus Visual Studio 2019
• CVE-2021-31200, an Important (CVSS 7.2) remote code execution vulnerability in the open source Neural Network Intelligence toolkit
• CVE-2021-31207, a Moderate (CVSS 6.6) security bypass vulnerability in Exchange Server 2016 and 2019 products, and even Exchange Server 2013 (the flaw was discovered during the 2021 Pwn2Own hacking contest)

Exchange Server has been a high-profile target of late, following the disclosure of so-called "ProxyLogon" vulnerabilities by Microsoft on March 2, which were said to be exploited by a "Hafnium" nation state actor. For this month, the job of patching Exchange Server continues.

This May patch bundle contains four different Exchange Server fixes. One of them is credited to the original ProxyLogon researcher, according to Satnam Narang, a staff research engineer at cybersecurity firm Tenable.

"Microsoft also patched four vulnerabilities in Microsoft Exchange Server," Narang stated regarding the May patches, via e-mail. "The flaws, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195, are all rated Important or Moderate. CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March."

Four 'Critical' Vulnerabilities
Of the four vulnerabilities deemed Critical by security researchers in this month's patch bundle, just two of them are ranked at the top of the CVSS scale.

Here are those four Critical vulnerabilities:

• CVE-2021-28476 (CVSS 9.9), a remote code execution vulnerability in Hyper-V for Windows clients and servers that "allows a guest VM to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address," potentially leading to denial of service
• CVE-2021-31166 (CVSS 9.8), a remote code execution vulnerability in the Windows 10 and Windows Server HTTP Protocol Stack that can be initiated by sending a "specially crafted packet to a targeted server," enabling "wormable" attacks
• CVE-2021-31194 (CVSS 7.8), a remote code execution vulnerability in Object Linking and Embedding (OLE) automation in Windows 10 and Windows Server
• CVE-2021-26419 (CVSS 6.4), a memory corruption vulnerability in the Internet Explorer 11 browser's scripting engine that can use used to embed an ActiveX control in an application or Microsoft Office document

The Critical Hyper-V vulnerability (CVE-2021-28476) could permit an attacker to run "malicious binaries" in virtual machines or on the host system, according to Justin Knapp, senior product marketing manager at security solutions firm Automox.

"To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data," Knapp noted in Automox's patch Tuesday comments.

Microsoft internally discovered the Critical HTTP Protocol Stack vulnerability (CVE-2021-31166), Narang noted. Its wormable character means that an attack "can self-replicate on its own without human intervention," something that was seen during the infamous "WannaCry" attacks of 2017, he added.

The Critical OLE automation vulnerability (CVE-2021-31194) requires getting someone to visit a maliciously crafted Web site, Knapp noted. However, exploiting OLE is old territory for attackers.

"OLE technology has frequently been utilized in the past by hackers for multiple reasons, including masking malicious code within documents and linking to external files that infect systems with malware," Knapp stated. "In 2020, the CISA released an alert detailing the top 10 routinely exploited vulnerabilities, which identified Microsoft's OLE as the most commonly exploited technology by state-sponsored cyber actors."

Consequently, Knapp advised organizations to "immediately prioritize patching all outstanding OLE vulnerabilities."