IaaS, Azure & IT News | Foundation IT

Patch Tuesday Update - May 2021 | Foundation IT

Written by Lizzie Arcari | May 13, 2021 2:02:37 PM

This week Microsoft released its security updates for May 2021, which has fixes for 55 vulnerabilities in Microsoft products. Every month we will post our vulnerability risk and tips around each patch released, to provide advice for IT professionals and businesses. This month Ben Gates has provided our FIT score and tips.

Out of the 55 patches; 4 are classed as critical, 50 as important and 1 moderate. There were also 3 Zero-Days vulnerabilities publicly disclosed but not known to be used in attacks. 

Zero-day vulnerabilities discovered this month:

  • CVE-2021-31204: .NET and Visual Studio Elevation of Privilege Vulnerability.

  • CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability.

  • CVE-2021-31200: Common Utilities Remote Code Execution Vulnerability.

It is expected that threat actors will analyze the patches to create exploits for the vulnerabilities, especially the one for Microsoft Exchange. Therefore it is vital to apply the security updates as soon as possible.

Other companies who have released security updates this week:

  • Adobe: released security updates for Adobe Creative Cloud Desktop, FrameMaker and Connect.

  • Android: May security updates were released last week.

  • Apple: released security updates for iOS, macOS, iPadOS, watchOS and Safari that fixed actively exploited Webkit vulnerabilities.

  • Cisco: released security updates for numerous products this month.

  • SAP: released its May 2021 security updates.

  • VMWare: released security updates in May.

 

All the patches can be found in the table below or alternatively downloaded here.

We have also curated a downloadable Patching Best Practice Guide.

 

Category

CVE IDs

CVE Title 

Severity

FIT Score & Tip

.NET Core & Visual Studio
1

CVE-2021-31204

.NET and Visual Studio Elevation of Privilege Vulnerability

Important

4/5 - This vulnerability impacts .NET and Visual studio and could allow a successful attacker to elevate their permissions. This also releases patches for .NET 5.0 and .NET 3.1. This has been rated as Exploitation Less likely on Microsofts exploitability index

HTTP.sys
1

CVE-2021-31166

HTTP Protocol Stack Remote Code Execution Vulnerability

Critical

5/5 - This code vulnerability in the HTTP Protocol stack of HTTP.sys was discovered internally by Microsoft. This affects the most recent releases of Windows 10 and Windows Server (2004 & 20H2). Microsoft has labelled this as wormable. For this reason, this should be patched ASAP.

Internet Explorer
1

CVE-2021-26419

Scripting Engine Memory Corruption Vulnerability

Critical

5/5 - This is the second critical update this month, which affects Internet Explorer. This allows Remote code execution on the clients PC through Internet Explorer to view a website, which could have embedded ActiveX control marked as safe or using a Microsoft Office document that uses the IE rendering engine. For this reason, this should be patched ASAP.

Jet Red and Access Connectivity
1

CVE-2021-28455

Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability

Important

3/5 - This vulnerability allows remote attacker to execute code due to improper input validation in Microsoft Jet Red Database Engine and Access Connectivity. This should be patch if you're a regular user of Microsoft access

Microsoft Accessibility Insights for Web
1

CVE-2021-31936

Microsoft Accessibility Insights for Web Information Disclosure Vulnerability

Important

3/5 - This relates to Microsoft Accessibility insights, this is a medium risk and should be patched as regular patching activity

Microsoft Bluetooth Driver
1

CVE-2021-31182

Microsoft Bluetooth Driver Spoofing Vulnerability

Important

2/5 - The bluetooth spoofing attack may only be executed whilst the attacker is on the same physical or logical network. Should be patched during regular activity

Microsoft Dynamics Finance & Operations
1

CVE-2021-28461

Dynamics Finance and Operations Cross-site Scripting Vulnerability

Important

3/5 - This should be deployed to all users who are dynamics Finance and Operation users.

Microsoft Exchange Server
4

CVE-2021-31195
CVE-2021-31209
CVE-2021-31207
CVE-2021-31198

Microsoft Exchange Server Remote Code Execution Vulnerability

Microsoft Exchange Server Spoofing Vulnerability

Microsoft Exchange Server Security Feature Bypass Vulnerability

Important

3/5 - This follows on from last months vulnerability patching, the patch is a security feature bypass. This has been rated by Microsoft as Exploitation Less likely but should be patched as a higher priority.

Microsoft Graphics Component
2

CVE-2021-31170
CVE-2021-31188

Windows Graphics Component Elevation of Privilege Vulnerability

Important

4/5 - High severity, exists in the Graphics component. Worth adding in to your next monthly cycle

Microsoft Office
1

CVE-2021-31176

Microsoft Office Remote Code Execution Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Microsoft Office Excel
5

CVE-2021-31175
CVE-2021-31177
CVE-2021-31179
CVE-2021-31178
CVE-2021-31174

Microsoft Office Remote Code Execution Vulnerability

Microsoft Office Information Disclosure Vulnerability

Microsoft Excel Information Disclosure Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Microsoft Office Word
1

CVE-2021-31180

Microsoft Office Graphics Remote Code Execution Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Microsoft Office SharePoint
7

CVE-2021-28478
CVE-2021-31181
CVE-2021-26418
CVE-2021-28474
CVE-2021-31171
CVE-2021-31173
CVE-2021-31172

Microsoft SharePoint Spoofing Vulnerability

Microsoft SharePoint Remote Code Execution Vulnerability

Microsoft SharePoint Server Remote Code Execution Vulnerability

Microsoft SharePoint Information Disclosure Vulnerability

Microsoft SharePoint Server Information Disclosure Vulnerability

Important

4/5 - Most, if not all users, will often use the Office suite, so it's recommended to update these as soon as possible. The main reason is your weakest vector is your end-users.

Microsoft Windows Codecs Library
2

CVE-2021-31192
CVE-2021-28465

Windows Media Foundation Core Remote Code Execution Vulnerability

Web Media Extensions Remote Code Execution Vulnerability

Important

3/5 - Worth having a look into this one. This should be automatically downloaded from Microsoft Store

Microsoft Windows IrDA
1

CVE-2021-31184

Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Open Source Software
1

CVE-2021-31200

Common Utilities Remote Code Execution Vulnerability

Important

3/5 - Low risk with this patch, if you use common utilities it's worth installing

Role: Hyper-V
1

CVE-2021-28476

Hyper-V Remote Code Execution Vulnerability

Critical

4/5 - This will be included with your monthly patching cycle

Skype for Business and Microsoft Lync
2

CVE-2021-26422
CVE-2021-26421

Skype for Business and Lync Remote Code Execution Vulnerability

Skype for Business and Lync Spoofing Vulnerability

Important

3/5 - Low risk but worth installing if you're still using on-prem Skype for Business

Visual Studio
1

CVE-2021-27068

Visual Studio Remote Code Execution Vulnerability

Important

3/5 - Worth installing if you're using Visual studio to avoid this risk. Note this is marked as Exploitation Less Likely

Visual Studio Code
3

CVE-2021-31214
CVE-2021-31211
CVE-2021-31213

Visual Studio Code Remote Code Execution Vulnerability

Visual Studio Code Remote Containers Extension Remote Code Execution Vulnerability

Important

3/5 - Marked again as Exploitation less likely, this should be installed if you're using Visual studio code.

Windows Container Isolation FS Filter Driver
1

CVE-2021-31190

Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Windows Container Manager Service
5

CVE-2021-31168
CVE-2021-31169
CVE-2021-31208
CVE-2021-31165
CVE-2021-31167

Windows Container Manager Service Elevation of Privilege Vulnerability

Important

3/5 - This should be installed if you're using Windows Containers, this looks like this could be an easy attack if this isn't patched.

Windows CSC Service
1

CVE-2021-28479

Windows CSC Service Information Disclosure Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Windows Desktop Bridge
1

CVE-2021-31185

Windows Desktop Bridge Denial of Service Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Windows OLE
1

CVE-2021-31194

OLE Automation Remote Code Execution Vulnerability

Critical

4/5 - Although this is rated as Exploitation Less Likely this is a high security patch. This vulnerability is resolved within your normal routine monthly updates.

Windows Projected File System FS Filter
1

CVE-2021-31191

Windows Projected File System FS Filter Driver Information Disclosure Vulnerability

Important

3/5 - Low priority update, install this if any users are using the Project File system for programming.

Windows RDP Client
1

CVE-2021-31186

Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Windows SMB
1

CVE-2021-31205

Windows SMB Client Security Feature Bypass Vulnerability

Important

3/5 - The vulnerability exists due to security feature bypass issue in Windows SMB Client, this is a low priority update.

Windows SSDP Service
1

CVE-2021-31193

Windows SSDP Service Elevation of Privilege Vulnerability

Important

3/5 - This vulnerability is resolved within your normal routine monthly updates.

Windows WalletService
1

CVE-2021-31187

Windows WalletService Elevation of Privilege Vulnerability

Important

4/5 - Marked as 7.8 in the exploit rating. This is a must for anyone using Microsoft Pay in the Windows store.

Windows Wireless Networking
3

CVE-2021-24588
CVE-2021-24587
CVE-2021-26144

Windows Wireless Networking Spoofing Vulnerability

Windows Wireless Networking Information Disclosure Vulnerability

Important

4/5 - This should be installed as a priority to ensure your Wireless is not compromised.

 

Hope this table with helpful!