Microsoft’s May 2021 Patch Tuesday: 55 flaws fixed, four critical

Microsoft’s May Patch Tuesday dump included patches for 55 CVEs with four rated critical. There were also three zero-day bugs but none have been exploited.

Products impacted includes Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office to name a few. You can find the updates for May here. 

The fixed zero day bugs include:

• CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
• CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability

Zero Day Initiative flagged CVE-2021-31166 as one of the more interesting bugs. ZDI said:

CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability

This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.

There’s also a Hyper-V Remote Code Execution Vulnerability flagged by ZDI with a CVSS rating of 9.9.