This Tuesday, Microsoft has released its Patch Tuesday updates for May 2021. This one is a relatively shorter update bundle as it includes fixes for 55 security vulnerabilities. Though, these include some publicly disclosed bugs too.
Critical Vulnerabilities Receiving Fixes This Month
The May Patch Tuesday update bundle released by Microsoft includes fixes for four critical vulnerabilities. Exploiting these bugs could allow remote code execution attacks.
One of these, CVE-2021-28476, affected the Hyper-V systems. This bug has achieved a CVSS score of 9.9 – the highest among all bugs in the update.
According to ZDI, this vulnerability should have a CVSS of 8.5 due to the attack complexity. Microsoft believes it to be more likely exploitable for denial of service instead of RCE attacks. Even then, it would be a serious security threat.
Another noteworthy security flaw that achieved a CVSS of 9.8, CVE-2021-31166, affected the HTTP Protocol Stack (http.sys). Microsoft considers it a wormable flaw and urges patching the vulnerable servers.
Explaining this bug, Microsoft stated in its advisory,
“In most situations, an unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack (http.sys) to process packets.
The other two critical vulnerabilities include CVE-2021-31194 – OLE automation remote code execution vulnerability – and CVE-2021-26419 – a scripting engine memory corruption vulnerability. For the latter, Microsoft explains that exploiting the bug required user interaction.
In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerability through Internet Explorer and then convince a user to view the website. An attacker could also embed an ActiveX control marked “safe for initialization” in an application or Microsoft Office document that hosts the IE rendering engine.
The attacker could also take advantage of compromised websites and websites that accept or host user-provided content or advertisements. These websites could contain specially crafted content that could exploit the vulnerability.
Other Microsoft Patch Tuesday May Updates
Apart from the 4 critical bugs, Microsoft has addressed 50 important severity vulnerabilities and a moderately severe flaw.
Although, Microsoft has confirmed none of these bugs as under attack. However, given the severity of the bugs, users should ensure updating their systems at the earliest.