Patch Tuesday: Microsoft Security Updates for May 2021

Microsoft has released its May 2021 Patch Tuesday security updates, addressing a total of 55 vulnerabilities in the family of Windows and Mac operating systems and related products. Of these, 4 vulnerabilities were rated as Critical, 50 as Important, and 1 as Moderate.

Three zero-day vulnerabilities fixed in this month's Patch Tuesday updates were publicly disclosed, but none of them are known to be used in active attacks.


Zero-day vulnerabilities

CVE-2021-31204 impacts .NET and Visual Studio and could allow an authenticated user to escalate privilege in the system.

CVE-2021-31207 is a security feature bypass affecting Microsoft Exchange Server. This flaw was disclosed at the Pwn2Own 2021 competition.

CVE-2021-31200 is found in Common Utilities and leads to Remote Code Execution. Exploitation needs successive levels of authentication.

Although the above zero-day vulnerabilities are not known to be in active exploitation, they should be patched early.


Critical vulnerabilities

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability. An unauthenticated attacker could send a specially crafted packet to a targeted server utilizing the HTTP Protocol Stack to exploit this vulnerability.

CVE-2021-26419: Scripting Engine Memory Corruption Vulnerability. A remote attacker can trick a victim into visiting a malicious website, triggering memory corruption and executing arbitrary code on the target system. Successful exploitation of the vulnerability could allow an attacker to take complete control of the system.

CVE-2021-28476: Remote Code Execution in Microsoft Hyper-V. The flaw exists due to improper input validation in Microsoft Hyper-V. An attacker can get complete access to the vulnerable system on successful exploitation of the vulnerability.

CVE-2021-31194: Remote Code Execution in Microsoft OLE Automation. The vulnerability exists because OLE Automation uses improper input validation. A malicious user who exploits this vulnerability can completely compromise the affected system.


Microsoft security bulletin summary for May 2021

  • Internet Explorer
  • Microsoft Exchange Server
  • Microsoft Graphics Component
  • Microsoft Office
  • Microsoft Office Excel
  • Microsoft Office SharePoint
  • Microsoft Office Word
  • Microsoft Office Access
  • Visual Studio
  • Visual Studio Code
  • .NET Core & Visual Studio
  • Microsoft Dynamics Finance & Operations
  • Microsoft Windows Codecs Library
  • Skype for Business and Microsoft Lync
  • Windows SMB
  • Windows SSDP Service

Product: Internet Explorer

CVEs/Advisory: CVE-2021-26419

Impact: Remote Code Execution

Severity: Critical

KBs: 5003165, 5003169, 5003171, 5003172, 5003173, 5003174, 5003197, 5003208, 5003209, 5003233, 5003165, 5003210


Product: Microsoft Exchange Server

CVEs/Advisory: CVE-2021-31195, CVE-2021-31198, CVE-2021-31207, CVE-2021-31209

Impact: Remote Code Execution, Security Feature Bypass, Spoofing

Severity: Important

KBs: 5003435


Product: Microsoft Office

CVEs/Advisory: CVE-2021-28455, CVE-2021-31174, CVE-2021-31175, CVE-2021-31176, CVE-2021-31177, CVE-2021-31178, CVE-2021-31179, CVE-2021-31180

Impact: Remote Code Execution, Information Disclosure

Severity: Important

KBs: 4493206, 4493197, 5001927, 5001923, 5001914, 5001928, 5001925, 5001920, 4464542


Product: Microsoft Excel

CVEs/Advisory: CVE-2021-31174, CVE-2021-31175, CVE-2021-31177, CVE-2021-31178, CVE-2021-31179

Impact: Remote Code Execution, Information Disclosure

Severity: Important

KBs: 5001936, 5001918


Product: Microsoft SharePoint

CVEs/Advisory: CVE-2021-26418, CVE-2021-28474, CVE-2021-28478, CVE-2021-31171, CVE-2021-31172, CVE-2021-31173, CVE-2021-31181

Impact: Remote Code Execution, Information Disclosure, Spoofing

Severity: Important

KBs: 5001917, 5001935, 5001916


Product: Microsoft Word

CVEs/Advisory: CVE-2021-31180

Impact: Remote Code Execution

Severity: Important

KBs: 5001931, 5001919


Product: Visual Studio and Visual Studio Code

CVEs/Advisory: CVE-2021-27068, CVE-2021-31204, CVE-2021-31211, CVE-2021-31213, CVE-2021-31214

Impact: Remote Code Execution, Elevation of Privilege

Severity: Important


Product: Microsoft Dynamics Finance & Operations

CVEs/Advisory: CVE-2021-28461

Impact: Spoofing

Severity: Important


Product: Skype for Business and Microsoft Lync

CVEs/Advisory: CVE-2021-26421, CVE-2021-26422

Impact: Remote Code Execution, Spoofing

Severity: Important

KBs: 5003729


SanerNow VM and SanerNow PM detect these vulnerabilities and automatically fix them by applying security updates. Use SanerNow and keep your systems updated and secure.
