Patch Tuesday Addresses 55 New Flaws, Including Public Aware Threats

There are 2 Critical, 50 Important and 1 Moderate fixes this month for Microsoft Windows, .NET Core and Visual Studio, Internet Explorer (IE), Microsoft Office, SharePoint Server, Open-Source Software, Hyper-V, Skype for Business and Microsoft Lync, and Exchange Server.

Year 2 Extended Support – Windows 7 and Windows Server 2008 (including R2) have received some updates this month, a shadow of what was released last month.

1. Windows 7 – 1 Critical and 10 Important vulnerabilities fixed
2. Windows 2008 R2 – 1 Critical and 9 Important vulnerabilities fixed

Robert Brown, Head of Customer Success for Syxsense said, “May sees almost half the updates fixed over April. This is great news as deployment payload could be as low as 1GB per device (or less). Adobe released just 10 fixes less than Microsoft this month, so this is the month to ensure you are prioritizing both Microsoft and Adobe to protect your devices. This month also sees the last supported patches for Feature Update 1809.”

Top May 2021 Patches and Vulnerabilities

Based on the Vendor Severity and CVSS Score, we have made a few recommendations below. As usual, we recommend entering the CVE numbers below into your patch management solution and deploying as soon as possible.

1. CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

The vulnerability exists due to improper input validation in HTTP Protocol Stack. A remote attacker can execute arbitrary code on the target system. Microsoft recommends prioritizing this patch because it could become wormable.

Syxscore

• Vendor Severity: Critical
• CVSS: 9.8
• Weaponised: No
• Public Aware: No
• Countermeasure: No

Syxscore Risk Alert

• Attack Vector: Network
• Attack Complexity: Low
• Privileges: None
• User Interaction: None
• Scope (Jump Point): No

2. CVE-2021-28476: Hyper-V Remote Code Execution Vulnerability

The vulnerability exists due to improper input validation in the Hyper-V on most Microsoft operating systems. A remote authenticated attacker can execute arbitrary code on the target system. This is particularly dangerous as an exploit may compromise the entire system, and with a Scope (Jump Point) of yes, it is possible to jump from Hyper-V to another technology on the system.

Syxscore

• Vendor Severity: Critical
• CVSS: 9.9
• Weaponized: No
• Public Aware: No
• Countermeasure: No 

Syxscore Risk Alert

• Attack Vector: Network
• Attack Complexity: Low
• Privileges: Low
• User Interaction: None
• Scope (Jump Point): Yes

3. CVE-2021-31204: .NET Core and Visual Studio Elevation of Privilege Vulnerability

With many staff around the world still working from home, it is likely they have a Visual Studio system on their home system. The vulnerability exists due to application does not properly impose security restrictions in .NET and Visual Studio, which leads to security restrictions bypass and privilege escalation.

Although this vulnerability requires local access and user interaction, a user can become a victim if they access a specially designed website which tricks the end user into clicking the link.

Syxscore

• Vendor Severity: Important
• CVSS: 7.3
• Weaponized: No
• Public Aware: Yes
• Countermeasure: No

Syxscore Risk Alert

• Attack Vector: Local
• Attack Complexity: Low
• Privileges: Low
• User Interaction: Required
• Scope (Jump Point): No

Syxsense Recommendations

Based on the vendor severity and CVSS Score, we have made a few recommendations below which you should prioritize this month. Please pay close attention to any of these which are publicly aware or weaponized.

Reference	Description	Vendor Severity	CVSS Score	Publicly Aware	Weaponised	Countermeasure	Syxsense Recommended
CVE-2021-31204	.NET Core and Visual Studio Elevation of Privilege Vulnerability	Important	7.3	Yes	No	No	Yes
CVE-2021-31200	Common Utilities Remote Code Execution Vulnerability	Important	7.2	Yes	No	No	Yes
CVE-2021-31207	Microsoft Exchange Server Security Feature Bypass Vulnerability	Moderate	6.6	Yes	No	No	Yes
CVE-2021-28476	Hyper-V Remote Code Execution Vulnerability	Critical	9.9	No	No	No	Yes
CVE-2021-31166	HTTP Protocol Stack Remote Code Execution Vulnerability	Critical	9.8	No	No	No	Yes
CVE-2021-31194	OLE Automation Remote Code Execution Vulnerability	Critical	7.8	No	No	No	Yes
CVE-2021-26419	Scripting Engine Memory Corruption Vulnerability	Critical	6.4	No	No	No	Yes
CVE-2021-28455	Microsoft Jet Red Database Engine and Access Connectivity Engine Remote Code Execution Vulnerability	Important	8.8	No	No	No	Yes
CVE-2021-31181	Microsoft SharePoint Remote Code Execution Vulnerability	Important	8.8	No	No	No	Yes
CVE-2021-28474	Microsoft SharePoint Server Remote Code Execution Vulnerability	Important	8.8	No	No	No	Yes
CVE-2021-27068	Visual Studio Remote Code Execution Vulnerability	Important	8.8	No	No	No	Yes
CVE-2021-31198	Microsoft Exchange Server Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31180	Microsoft Office Graphics Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31175	Microsoft Office Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31176	Microsoft Office Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31177	Microsoft Office Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31179	Microsoft Office Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31214	Visual Studio Code Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31211	Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31213	Visual Studio Code Remote Development Extension Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-28465	Web Media Extensions Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31190	Windows Container Isolation FS Filter Driver Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31165	Windows Container Manager Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31167	Windows Container Manager Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31168	Windows Container Manager Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31169	Windows Container Manager Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31208	Windows Container Manager Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31170	Windows Graphics Component Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31188	Windows Graphics Component Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31192	Windows Media Foundation Core Remote Code Execution Vulnerability	Important	7.8	No	No	No
CVE-2021-31193	Windows SSDP Service Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-31187	Windows WalletService Elevation of Privilege Vulnerability	Important	7.8	No	No	No
CVE-2021-28478	Microsoft SharePoint Spoofing Vulnerability	Important	7.6	No	No	No
CVE-2021-31936	Microsoft Accessibility Insights for Web Information Disclosure Vulnerability	Important	7.4	No	No	No
CVE-2021-31186	Windows Remote Desktop Protocol (RDP) Information Disclosure Vulnerability	Important	7.4	No	No	No
CVE-2021-26422	Skype for Business and Lync Remote Code Execution Vulnerability	Important	7.2	No	No	No
CVE-2021-31182	Microsoft Bluetooth Driver Spoofing Vulnerability	Important	7.1	No	No	No
CVE-2021-31172	Microsoft SharePoint Spoofing Vulnerability	Important	7.1	No	No	No
CVE-2021-31195	Microsoft Exchange Server Remote Code Execution Vulnerability	Important	6.5	No	No	No
CVE-2021-31209	Microsoft Exchange Server Spoofing Vulnerability	Important	6.5	No	No	No
CVE-2021-26421	Skype for Business and Lync Spoofing Vulnerability	Important	6.5	No	No	No
CVE-2020-24587	Windows Wireless Networking Information Disclosure Vulnerability	Important	6.5	No	No	No
CVE-2020-24588	Windows Wireless Networking Spoofing Vulnerability	Important	6.5	No	No	No
CVE-2020-26144	Windows Wireless Networking Spoofing Vulnerability	Important	6.5	No	No	No
CVE-2021-28461	Dynamics Finance and Operations Cross-site Scripting Vulnerability	Important	6.1	No	No	No
CVE-2021-31174	Microsoft Excel Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2021-31178	Microsoft Office Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2021-31184	Microsoft Windows Infrared Data Association (IrDA) Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2021-28479	Windows CSC Service Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2021-31185	Windows Desktop Bridge Denial of Service Vulnerability	Important	5.5	No	No	No
CVE-2021-31191	Windows Projected File System FS Filter Driver Information Disclosure Vulnerability	Important	5.5	No	No	No
CVE-2021-31173	Microsoft SharePoint Server Information Disclosure Vulnerability	Important	5.3	No	No	No
CVE-2021-26418	Microsoft SharePoint Spoofing Vulnerability	Important	4.6	No	No	No
CVE-2021-31205	Windows SMB Client Security Feature Bypass Vulnerability	Important	4.3	No	No	No
CVE-2021-31171	Microsoft SharePoint Information Disclosure Vulnerability	Important	4.1	No	No	No