This week Microsoft released its security updates for May 2021, which has fixes for 55 vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Ben Gates has provided our FIT score and tips.
Out of the 55 patches; 4 are classed as critical, 50 as important and 1 moderate. There were also 3 Zero-Days vulnerabilities publicly disclosed but not known to be used in attacks.
Zero-day vulnerabilities discovered this month:
CVE-2021-31204: .NET and Visual Studio Elevation of Privilege Vulnerability.
CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability.
CVE-2021-31200: Common Utilities Remote Code Execution Vulnerability.
It is expected that threat actors will analyze the patches to create exploits for the vulnerabilities, especially the one for Microsoft Exchange. Therefore it is vital to apply the security updates as soon as possible.
Other companies who have released security updates this week:
Adobe: released security updates for Adobe Creative Cloud Desktop, FrameMaker and Connect.
Android: May security updates were released last week.
Apple: released security updates for iOS, macOS, iPadOS, watchOS and Safari that fixed actively exploited Webkit vulnerabilities.
Cisco: released security updates for numerous products this month.
SAP: released its May 2021 security updates.
VMWare: released security updates in May.
All the patches can be found in the table below or alternatively downloaded here.
We have also curated a downloadable Patching Best Practice Guide.
Category |
CVE IDs |
CVE Title |
Severity |
FIT Score & Tip |
.NET Core & Visual Studio |
CVE-2021-31204 |
.NET and Visual Studio Elevation of Privilege Vulnerability |
Important |
4/5 - This vulnerability impacts .NET and Visual studio and could allow a successful attacker to elevate their permissions. This also releases patches for .NET 5.0 and .NET 3.1. This has been rated as Exploitation Less likely on Microsofts exploitability index |
HTTP.sys |
CVE-2021-31166 |
HTTP Protocol Stack Remote Code Execution Vulnerability |
Critical |
5/5 - This code vulnerability in the HTTP Protocol stack of HTTP.sys was discovered internally by Microsoft. This affects the most recent releases of Windows 10 and Windows Server (2004 & 20H2). Microsoft has labelled this as wormable. For this reason, this should be patched ASAP. |
Internet Explorer |
CVE-2021-26419 |
Scripting Engine Memory Corruption Vulnerability |
Critical |
5/5 - This is the second critical update this month, which affects Internet Explorer. This allows Remote code execution on the clients PC through Internet Explorer to view a website, which could have embedded ActiveX control marked as safe or using a Microsoft Office document that uses the IE rendering engine. For this reason, this should be patched ASAP. |
Jet Red and Access Connectivity |
CVE-2021-28455 |
Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability |
Important |
3/5 - This vulnerability allows remote attacker to execute code due to improper input validation in Microsoft Jet Red Database Engine and Access Connectivity. This should be patch if you're a regular user of Microsoft access |
Microsoft Accessibility Insights for Web |
CVE-2021-31936 |
Microsoft Accessibility Insights for Web Information Disclosure Vulnerability |
Important |
3/5 - This relates to Microsoft Accessibility insights, this is a medium risk and should be patched as regular patching activity |
Microsoft Bluetooth Driver |
CVE-2021-31182 |
Microsoft Bluetooth Driver Spoofing Vulnerability |
Important |
2/5 - The bluetooth spoofing attack may only be executed whilst the attacker is on the same physical or logical network. Should be patched during regular activity |
Microsoft Dynamics Finance & Operations |
CVE-2021-28461 |
Dynamics Finance and Operations Cross-site Scripting Vulnerability |
Important |
3/5 - This should be deployed to all users who are dynamics Finance and Operation users. |
Microsoft Exchange Server |
CVE-2021-31195 |
Microsoft Exchange Server Remote Code Execution Vulnerability Microsoft Exchange Server Spoofing Vulnerability Microsoft Exchange Server Security Feature Bypass Vulnerability |
Important |
3/5 - This follows on from last months vulnerability patching, the patch is a security feature bypass. This has been rated by Microsoft as Exploitation Less likely but should be patched as a higher priority. |
Microsoft Graphics Component |
CVE-2021-31170 |
Windows Graphics Component Elevation of Privilege Vulnerability |
Important |
4/5 - High severity, exists in the Graphics component. Worth adding in to your next monthly cycle |
Microsoft Office |
CVE-2021-31176 |
Microsoft Office Remote Code Execution Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Microsoft Office Excel |
CVE-2021-31175 |
Microsoft Office Remote Code Execution Vulnerability Microsoft Office Information Disclosure Vulnerability Microsoft Excel Information Disclosure Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Microsoft Office Word |
CVE-2021-31180 |
Microsoft Office Graphics Remote Code Execution Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Microsoft Office SharePoint |
CVE-2021-28478 |
Microsoft SharePoint Spoofing Vulnerability Microsoft SharePoint Remote Code Execution Vulnerability Microsoft SharePoint Server Remote Code Execution Vulnerability Microsoft SharePoint Information Disclosure Vulnerability Microsoft SharePoint Server Information Disclosure Vulnerability |
Important |
4/5 - Most, if not all users, will often use the Office suite, so it's recommended to update these as soon as possible. The main reason is your weakest vector is your end-users. |
Microsoft Windows Codecs Library |
CVE-2021-31192 |
Windows Media Foundation Core Remote Code Execution Vulnerability Web Media Extensions Remote Code Execution Vulnerability |
Important |
3/5 - Worth having a look into this one. This should be automatically downloaded from Microsoft Store |
Microsoft Windows IrDA |
CVE-2021-31184 |
Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Open Source Software |
CVE-2021-31200 |
Common Utilities Remote Code Execution Vulnerability |
Important |
3/5 - Low risk with this patch, if you use common utilities it's worth installing |
Role: Hyper-V |
CVE-2021-28476 |
Hyper-V Remote Code Execution Vulnerability |
Critical |
4/5 - This will be included with your monthly patching cycle |
Skype for Business and Microsoft Lync |
CVE-2021-26422 |
Skype for Business and Lync Remote Code Execution Vulnerability Skype for Business and Lync Spoofing Vulnerability |
Important |
3/5 - Low risk but worth installing if you're still using on-prem Skype for Business |
Visual Studio |
CVE-2021-27068 |
Visual Studio Remote Code Execution Vulnerability |
Important |
3/5 - Worth installing if you're using Visual studio to avoid this risk. Note this is marked as Exploitation Less Likely |
Visual Studio Code |
CVE-2021-31214 |
Visual Studio Code Remote Code Execution Vulnerability Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability |
Important |
3/5 - Marked again as Exploitation less likely, this should be installed if you're using Visual studio code. |
Windows Container Isolation FS Filter Driver |
CVE-2021-31190 |
Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Windows Container Manager Service |
CVE-2021-31168 |
Windows Container Manager Service Elevation of Privilege Vulnerability |
Important |
3/5 - This should be installed if you're using Windows Containers, this looks like this could be an easy attack if this isn't patched. |
Windows CSC Service |
CVE-2021-28479 |
Windows CSC Service Information Disclosure Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Windows Desktop Bridge |
CVE-2021-31185 |
Windows Desktop Bridge Denial of Service Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Windows OLE |
CVE-2021-31194 |
OLE Automation Remote Code Execution Vulnerability |
Critical |
4/5 - Although this is rated as Exploitation Less Likely this is a high security patch. This vulnerability is resolved within your normal routine monthly updates. |
Windows Projected File System FS Filter |
CVE-2021-31191 |
Windows Projected File System FS Filter Driver Information Disclosure Vulnerability |
Important |
3/5 - Low priority update, install this if any users are using the Project File system for programming. |
Windows RDP Client |
CVE-2021-31186 |
Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Windows SMB |
CVE-2021-31205 |
Windows SMB Client Security Feature Bypass Vulnerability |
Important |
3/5 - The vulnerability exists due to security feature bypass issue in Windows SMB Client, this is a low priority update. |
Windows SSDP Service |
CVE-2021-31193 |
Windows SSDP Service Elevation of Privilege Vulnerability |
Important |
3/5 - This vulnerability is resolved within your normal routine monthly updates. |
Windows WalletService |
CVE-2021-31187 |
Windows WalletService Elevation of Privilege Vulnerability |
Important |
4/5 - Marked as 7.8 in the exploit rating. This is a must for anyone using Microsoft Pay in the Windows store. |
Windows Wireless Networking |
CVE-2021-24588 |
Windows Wireless Networking Spoofing Vulnerability Windows Wireless Networking Information Disclosure Vulnerability |
Important |
4/5 - This should be installed as a priority to ensure your Wireless is not compromised. |
Hope this table with helpful!