Patch Tuesday – May 2021

This month Microsoft has released quite a low number of security patches for Windows. But there are still some nasty bugs that need your attention. Including a wormable bug in http.sys, a vulnerability in IE11, and a wireless networking flaw that could let an attacker disclose encrypted information.

Windows and Windows Server

This month’s cumulative update (CU) for Windows 10 includes a patch for an HTTP protocol stack remote code execution vulnerability (CVE-2021-31166). It could let an unauthenticated user remotely run malicious code with SYSTEM privileges. Because an attacker could send a specially crafted packet over the network to an unpatched computer, this flaw is wormable.

Microsoft says that CVE-2021-31166 affects servers utilizing the HTTP (http.sys) protocol stack. Assumedly that means CVE-2021-31166 could also affect Windows 10 devices running a webserver. The patch for CVE-2021-31166 is included in CUs this month for Windows Server version 2004 Server Core, Windows Server version 20H2 Server Core, and the equivalent Windows 10 products.

There’s also an important patch for a vulnerability in Internet Explorer 11 (IE11). Although for an attacker to exploit the bug, a user would have to visit a site controlled by the attacker. Alternatively, a hack could be triggered by embedding ActiveX controls in Office Documents. You can help protect against the attack by blocking ActiveX in Office and restricting IE11 to domains that are under your control, like legacy business applications for example. Or better still, remove IE from your devices.

There’s also a patch for a networking vulnerability that’s been around since 2020 (CVE-2020-24587). It’s an information disclosure vulnerability in wireless networking that could let an attacker see the contents of encrypted wireless traffic.

Hyper-V gets a patch for a critical remote code execution vulnerability (CVE-2021-28476) that allows a guest virtual machine (VM) to force the Hyper-V host’s kernel to read from an arbitrary memory address. The contents of the address cannot be returned to the guest VM, but it could be used to start a denial-of-service attack on the Hyper-V host.

There’s also a patch for a zero-day elevation of privilege vulnerability in .NET and Visual Studio that applies to users of Visual Studio 2019 (macoS and Windows), .NET 5.0, and .NET Core 3.1.

Exchange, SQL, and SharePoint Server

There are four patches for Exchange Server this month. None of them are rated critical but there are patches for two important remote code execution flaws and a security feature bypass vulnerability. Considering the attacks on unpatched Exchange Servers in recent months, it’s worth making sure that you update your on-premises Exchange Servers as quickly as possible.

SharePoint Server 2016, 2019, and 2013 also get a few security fixes rated important. Including two remote code execution, three spoofing, and two information disclosure flaws. There are no updates for SQL Server.

Microsoft Office

There don’t appear to be any security fixes in the update for Microsoft 365 apps this month. But Microsoft Office 2019, 2016, and 2013 get some security updates rated important. Including six remote code execution vulnerabilities.

Adobe software

Adobe released a patch for CVE-2021-28550, which is apparently being exploited in limited attacks against Adobe Reader users on Windows.

Enterprises should evaluate the patches released by Microsoft and other vendors, deploying them as quickly as practical. While it is important to deploy security patches for Windows and installed applications, testing is also critical to ensure that systems aren’t impacted by the updated code. Before installing patches, make sure that you have a backup of each system and important data.