In a lighter-than-usual Patch Tuesday drop, Microsoft has fixed a total of 55 common vulnerabilities and exposures (CVEs), four of them rated critical by Microsoft, and including three publicly disclosed zero-days that are not yet known to have been exploited.
However, it is practically a certainty that malicious actors will be paying close attention to the new disclosures and that in-the-wild exploitation will follow in short order, so applying the patches should be prioritised.
Nicholas Colyer, senior product marketing manager at patch automation specialist Automox, summed up the May release: “Microsoft’s May Patch Tuesday saw 55 security fixes compared to 108 tallied in the month of April. We are currently tracking four critical vulnerabilities, none of which are being exploited in the wild to the best of our knowledge and vendor communications.
“While that may be true for Microsoft, multiple browser-related vulnerabilities exist that should be addressed immediately with Chrome and Firefox. In the news, attacks by the DarkSide hacker group on commercial pipeline infrastructure demonstrate the vitality of cyber security hygiene by virtue of the fact that the assault disrupted 46% of the East Coast fuel supply chain.”
The four critical CVEs to which attention should be paid are all remote code execution (RCE) vulnerabilities that could enable malicious actors to gain persistence on victim networks. These are CVE-2021-26419, CVE-2021-31166, CVE-2021-31194, and CVE-2021-28476.
The first of these is a scripting engine memory corruption vulnerability that impacts versions 11 and 9 of Internet Explorer running on several versions of Microsoft Windows and Windows Server. It is exploitable by luring the victim to a specially crafted website.
The second is a wormable HTTP protocol stack RCE vulnerability affecting Windows 10 32- and 64-bit and some editions of Windows Server. It can be exploited by sending a specially crafted packet to a victim server that uses the HTTP protocol stack (http.sys), allowing an attacker to take control of the system.
The third, a Microsoft Windows Object Linking and Embedding (OLE) automation vulnerability, is also exploitable via a specially crafted website designed to invoke OLE automation through a web browser.
The fourth critical CVE exists in Microsoft Windows Hyper-V, and is exploitable by running a specially crafted application on a Hyper-V guest that causes the Hyper-V host operating system to execute arbitrary code when it fails to validate vSMB packet data properly. It affects a long list of Windows and Windows Server versions.
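Because the http.sys flaw is wormable and the Hyper-V flaw depends on the host role, the first question for a defender is which machines actually expose those components. The following PowerShell triage script is an added example written for this article, not code from Microsoft or from any of the researchers quoted; it assumes a Windows 10 or Windows Server host with the NetTCPIP module available and an elevated session (netsh needs it), and it deliberately embeds no KB numbers, since the article lists none; the 11 May 2021 date used as the Patch Tuesday cut-off is an assumption you should confirm against Microsoft's release notes.

```powershell
# Added example (not from the article): exposure triage for the May 2021 http.sys and
# Hyper-V issues. It reports facts about the local host; it does not prove patch status.
# Run elevated. Assumptions: NetTCPIP module present; Patch Tuesday date of 2021-05-11.

function Get-HttpSysExposure {
    # http.sys listens from kernel mode, so its TCP sockets are attributed to PID 4
    # (System). Any listener here is a candidate http.sys endpoint reachable over the
    # network, which is what the wormable RCE needs.
    $kernelListeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.OwningProcess -eq 4 } |
        Select-Object LocalAddress, LocalPort

    # URL reservations registered with http.sys (IIS, WinRM, WSUS and many third-party
    # agents register here), and the URLs http.sys is currently serving.
    $urlReservations = netsh http show urlacl 2>$null
    $activeUrls      = netsh http show servicestate view=requestq 2>$null

    [pscustomobject]@{
        KernelListeners = $kernelListeners
        UrlReservations = ($urlReservations | Where-Object { $_ -match 'Reserved URL' }).Trim()
        ActiveUrls      = ($activeUrls | Where-Object { $_ -match '^\s+HTTP' }).Trim()
    }
}

function Get-HyperVHostStatus {
    # vmms is the Hyper-V Virtual Machine Management service; present and running
    # means this host runs guests and so is in scope for the vSMB validation flaw.
    $vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HyperVInstalled = [bool]$vmms
        HyperVRunning   = ($vmms -and $vmms.Status -eq 'Running')
    }
}

function Get-RecentUpdateStatus {
    param([datetime]$PatchTuesday = [datetime]'2021-05-11')  # assumption, verify
    # Updates installed on or after Patch Tuesday. An empty list is a strong hint the
    # host has not yet received the May rollup; a non-empty list is not proof it has.
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday } |
        Select-Object HotFixID, InstalledOn
    [pscustomobject]@{
        PatchTuesday     = $PatchTuesday
        UpdatesSince     = $recent
        LikelyUnpatched  = ($recent.Count -eq 0)
    }
}

# Rank the host: network-reachable http.sys listener on an apparently unpatched box
# is the combination that deserves attention first.
$http   = Get-HttpSysExposure
$hv     = Get-HyperVHostStatus
$update = Get-RecentUpdateStatus

[pscustomobject]@{
    Host                 = $env:COMPUTERNAME
    HttpSysListeners     = ($http.KernelListeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
    HttpSysReservations  = $http.UrlReservations.Count
    HyperVRunning        = $hv.HyperVRunning
    LikelyUnpatched      = $update.LikelyUnpatched
    Priority             = if ($update.LikelyUnpatched -and $http.KernelListeners) { 'HIGH' }
                           elseif ($update.LikelyUnpatched) { 'MEDIUM' }
                           else { 'REVIEW' }
} | Format-List
```

Run it from an elevated prompt on each candidate host, or wrap the three functions in `Invoke-Command` for a fleet. The listener check is the useful part: a host with no PID 4 listener is not reachable through http.sys from the network, whereas one with a listener on a routable address is exactly the case a worm would target, so that is where patch confirmation should start.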
The release also contained patches for four new vulnerabilities in Microsoft Exchange Server, which has been under near-constant attack from various groups since an emergency out-of-band patch was issued in March 2021.
Regarding the latest Exchange Server CVEs, Tenable staff research engineer Satnam Narang said: “The flaws, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195, are all rated Important or Moderate. CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March.
“While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organisations that have yet to update their systems should do so as soon as possible,” said Narang.
Concerning the Exchange bugs, Recorded Future’s Allan Liska singled out CVE-2021-31207, a security feature bypass vulnerability in Microsoft Exchange versions 2013 through 2019, as one to watch.
“Microsoft rates this vulnerability as Moderate, so it is not critical, but this same vulnerability was exploited in the recent Pwn2Own hack competition, so it is worth patching immediately and keeping an eye out for it to be exploited in the wild. That said, no proof-of-concept exploit code was released by Pwn2Own participants,” said Liska.
Liska also noted some other curiosities in the May drop, including three information disclosure or spoofing vulnerabilities in Windows wireless networking: CVE-2020-26144, CVE-2020-24588 and CVE-2020-24587. They are all rated important by Microsoft and affect Windows 7 through 10, and Windows Server 2008 through 2019.
“These are not the biggest threats this month, but they are interesting. Microsoft has not seen a spoofing or information disclosure vulnerability in its wireless networking stack in years. It will be interesting to see if these vulnerabilities are ultimately exploited,” he said.