News

Microsoft's Security Patches for May Address 55 Vulnerabilities

• By Kurt Mackie
• 05/11/2021

Microsoft on Tuesday released its May bundle of security patches, as listed in its voluminous "Security Update Guide."

The patches address 55 common vulnerabilities and exposures (CVEs) in Microsoft's software products, according to counts tallied by security researchers, such as this one by Dustin Childs of Trend Micro's Zero Day Initiative. Just four CVEs this month were described as "Critical" in severity. Also included in the May bunch were patches for 50 "Important" vulnerabilities, plus one deemed "Moderate."

Rather than use those adjectives, though, Microsoft typically just provides a Common Vulnerability Scoring System (CVSS) number, ranging from 1 to 10 in severity. Microsoft's security bulletins also now typically just include boilerplate generic descriptions. Nonetheless, security researchers are still sharing their insights, despite Microsoft's approach.

A list of the affected Microsoft software, plus workarounds and "known issues," can be found in this May "Release Notes" Microsoft publication.

Publicly Known Vulnerabilities
None of the vulnerabilities were deemed to be under active attack. However, three CVEs were described as being publicly known before Microsoft's May patch Tuesday disclosure, according to Childs. These publicly known vulnerabilities include:

• CVE-2021-31204, an Important (CVSS 7.3) elevation of privilege flaw in .NET Core 3.1 and .NET 5.0, plus Visual Studio 2019
• CVE-2021-31200, an Important (CVSS 7.2) remote code execution vulnerability in the open source Neural Network Intelligence toolkit
• CVE-2021-31207, a Moderate (CVSS 6.6) security bypass vulnerability in Exchange Server 2016 and 2019 products, and even Exchange Server 2013 (the flaw was discovered during the 2021 Pwn2Own hacking contest)

Exchange Server has been a high-profile target of late, following the disclosure of so-called "ProxyLogon" vulnerabilities by Microsoft on March 2, which were said to be exploited by a "Hafnium" nation state actor. For this month, the job of patching Exchange Server continues.

This May patch bundle contains four different Exchange Server fixes. One of them is credited to the original ProxyLogon researcher, according to Satnam Narang, a staff research engineer at cybersecurity firm Tenable.

"Microsoft also patched four vulnerabilities in Microsoft Exchange Server," Narang stated regarding the May patches, via e-mail. "The flaws, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195, are all rated Important or Moderate. CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March."

Four 'Critical' Vulnerabilities
Of the four vulnerabilities deemed Critical by security researchers in this month's patch bundle, just two of them are ranked at the top of the CVSS scale.

Here are those four Critical vulnerabilities:

• CVE-2021-28476 (CVSS 9.9), a remote code execution vulnerability in Hyper-V for Windows clients and servers that "allows a guest VM to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address," potentially leading to denial of service
• CVE-2021-31166 (CVSS 9.8), a remote code execution vulnerability in the Windows 10 and Windows Server HTTP Protocol Stack that can be initiated by sending a "specially crafted packet to a targeted server," enabling "wormable" attacks
• CVE-2021-31194 (CVSS 7.8), a remote code execution vulnerability in Object Linking and Embedding (OLE) automation in Windows 10 and Windows Server
• CVE-2021-26419 (CVSS 6.4), a memory corruption vulnerability in the Internet Explorer 11 browser's scripting engine that can use used to embed an ActiveX control in an application or Microsoft Office document

The Critical Hyper-V vulnerability (CVE-2021-28476) could permit an attacker to run "malicious binaries" in virtual machines or on the host system, according to Justin Knapp, senior product marketing manager at security solutions firm Automox.

"To exploit this vulnerability, an attacker could run a specially crafted application on a Hyper-V guest that could cause the Hyper-V host operating system to execute arbitrary code when it fails to properly validate vSMB packet data," Knapp noted in Automox's patch Tuesday comments.

Microsoft internally discovered the Critical HTTP Protocol Stack vulnerability (CVE-2021-31166), Narang noted. Its wormable character means that an attack "can self-replicate on its own without human intervention," something that was seen during the infamous "WannaCry" attacks of 2017, he added.

The Critical OLE automation vulnerability (CVE-2021-31194) requires getting someone to visit a maliciously crafted Web site, Knapp noted. However, exploiting OLE is old territory for attackers.

"OLE technology has frequently been utilized in the past by hackers for multiple reasons, including masking malicious code within documents and linking to external files that infect systems with malware," Knapp stated. "In 2020, the CISA released an alert detailing the top 10 routinely exploited vulnerabilities, which identified Microsoft's OLE as the most commonly exploited technology by state-sponsored cyber actors."

Consequently, Knapp advised organizations to "immediately prioritize patching all outstanding OLE vulnerabilities."