In much of the northern hemisphere, May is the time when the flowers bloom, the trees bud, and spring makes its presence known. In the southern part of the world, summer is ending and the crisp coolness of autumn is in the air. But no matter where you are, the second Tuesday of this month brought you the usual slate of security fixes for your Microsoft software.

May this year is a relatively light patch month, at least in comparison to April when more than 100 vulnerabilities were addressed. On May 11, Microsoft released fixes for around 55 security issues in Windows and other Microsoft products. Windows 10 v20H2 sees 24 vulnerabilities patched and v1903 and 1909 both have 16 vulnerabilities. There are 16 in Windows Server 2019, and 12 in Server 2016 and 2012 R2.

Some of these issues do, however, present significant threats to Windows client and server systems. Four of the vulnerabilities are rated critical and the patches need to be applied as soon as possible to prevent exploits that could take control of the system.

Three of the vulnerabilities being patched this time are classified as zero day issues, meaning details were publicly disclosed before a patch was available (Microsoft's "publicly disclosed" flag); none of the three was known to be exploited in the wild at release.

Now let’s take a closer look at some of this month’s critical and important updates.

Overview

As usual, you can download the Excel spreadsheet from the Microsoft Security Update Guide web site for a full list of the May releases. You’ll find that this month’s fixes apply to the following products and features:

.NET Core & Visual Studio, HTTP.sys, Internet Explorer, Microsoft Accessibility Insights for Web, Microsoft Bluetooth Driver, Microsoft Dynamics Finance & Operations, Microsoft Edge (Chromium-based), Microsoft Exchange Server, Microsoft Graphics Component, Microsoft Office, Microsoft Office Access, Microsoft Office Excel, Microsoft Office SharePoint, Microsoft Office Word, Microsoft Windows Codecs Library, Microsoft Windows IrDA, Open Source Software, Role: Hyper-V, Skype for Business and Microsoft Lync, Visual Studio, Visual Studio Code, Windows Container Isolation FS Filter Driver, Windows Container Manager Service, Windows Cryptographic Services, Windows CSC Service, Windows Desktop Bridge, Windows OLE, Windows Projected File System FS Filter, Windows RDP Client, Windows SMB, Windows SSDP Service, Windows WalletService, and Windows Wireless Networking.

If you’re running any of these software products, you might want to check the updates page for more information about each, including mitigations for those who can’t install the updates and any known issues with the patches.

Also be sure to check out the list of vulnerabilities that have mitigations, workarounds, or FAQs, which you can find in the release notes.

And finally, there are the inevitable known issues with some of these patches, affecting various versions of Windows Server and client and Exchange Server:

KB5003169 – Windows 10, version 1909; Windows Server, version 1909

KB5003171 – Windows 10, version 1809; Windows Server 2019

KB5003173 – Windows 10, version 2004; Windows Server, version 2004; Windows 10, version 20H2; Windows Server, version 20H2

KB5003197 – Windows 10, version 1607; Windows Server 2016

KB5003203 – Windows Server 2012 (Security-only update)

KB5003208 – Windows Server 2012 (Monthly Rollup)

KB5003209 – Windows 8.1, Windows Server 2012 R2 (Monthly Rollup)

KB5003210 – Windows Server 2008 SP2 (Monthly Rollup)

KB5003220 – Windows 8.1, Windows Server 2012 R2 (Security-only update)

KB5003225 – Windows Server 2008 SP2 (Security-only update)

KB5003228 – Windows 7 SP1, Windows Server 2008 R2 (Security-only update)

KB5003233 – Windows 7 SP1, Windows Server 2008 R2 (Monthly Rollup)

KB5003435 – Exchange Server 2019, 2016, and 2013

Zero day and critical vulnerabilities

We’ll focus on the most serious vulnerabilities that were patched this month: those that were publicly disclosed before the release of their updates (zero day vulnerabilities), and others rated critical.

A critical rating pertains to a vulnerability whose exploitation could allow code execution without user interaction. These scenarios include self-propagating malware (e.g. network worms), or unavoidable common use scenarios where code execution occurs without warnings or prompts. This could mean browsing to a web page or opening email.

Microsoft recommends that customers apply Critical updates immediately.

Zero day vulnerabilities patched

The following three zero-day vulnerabilities, all rated Important, were patched:

CVE-2021-31200 – Common Utilities Remote Code Execution Vulnerability. This is a flaw in the Common Utilities component of Microsoft's open source Neural Network Intelligence (NNI) toolkit. It was publicly disclosed before the fix but had not been exploited. Exploitation requires no user interaction, and the vulnerability is network-reachable in CVSS terms (attack vector: network), meaning it can be triggered from beyond the local subnet, across one or more routers. Successful exploitation could result in total loss of confidentiality, integrity, and availability.

CVE-2021-31204 – .NET and Visual Studio Elevation of Privilege Vulnerability. This vulnerability was publicly disclosed before the fix but had not been exploited. Successful exploitation requires a user to take some action first, which is why Microsoft's assessment rates exploitation as less likely. If exploited, however, the result could be total loss of confidentiality, integrity, and availability.

CVE-2021-31207 – Microsoft Exchange Server Security Feature Bypass Vulnerability. This vulnerability was publicly disclosed before the fix but had not been exploited. Exploitation requires no user interaction, and the vulnerability is network-reachable in CVSS terms (attack vector: network), meaning it can be triggered from beyond the local subnet, across one or more routers. Successful exploitation could result in total loss of confidentiality, integrity, and availability. The fix ships in the Exchange Server security update (KB5003435) listed above, which applies to Exchange 2013, 2016, and 2019.

Critical vulnerabilities patched

The following four critical vulnerabilities were patched:

CVE-2021-26419 – Scripting Engine Memory Corruption Vulnerability. This vulnerability in Internet Explorer 11 affects IE on all supported versions of Windows. It has not been publicly disclosed and had not been exploited prior to release of the patch. Successful exploitation of this vulnerability requires a user to take some action before the vulnerability can be exploited. Attack complexity is high, and a successful attack depends on conditions beyond the attacker’s control. However, Microsoft’s assessment rates exploitation as more likely. If exploited, the result could be total loss of confidentiality, integrity, and availability.

CVE-2021-31194 – OLE Automation Remote Code Execution Vulnerability. This is a remote code execution vulnerability that affects currently supported versions of Windows Server and client operating system. Attack complexity is low and an attacker can expect repeatable success against the vulnerable component. It has not been publicly disclosed and had not been exploited prior to release of the patch. Successful exploitation of this vulnerability does not require a user to take some action before the vulnerability can be exploited. If exploited, the result could be total loss of confidentiality, integrity, and availability, but Microsoft’s assessment rated exploitation as less likely.

CVE-2021-31166 – HTTP Protocol Stack Remote Code Execution Vulnerability. This is another remote code execution vulnerability, this time in the kernel-mode HTTP.sys driver, and it affects Windows 10 and Windows Server, versions 2004 and 20H2, including Server Core installations. Attack complexity is low and an attacker can expect repeatable success against the vulnerable component. It has not been publicly disclosed and had not been exploited prior to release of the patch. Successful exploitation does not require any user action, which makes the bug wormable: an exploit could propagate from one unpatched host to the next with no one clicking anything. If exploited, the result could be total loss of confidentiality, integrity, and availability, and Microsoft's assessment rates exploitation as more likely. Note that HTTP.sys is used by more than IIS: services such as WinRM and WSDAPI also register listeners with it, so a host can be exposed even if it runs no web server. Microsoft recommends prioritizing the patching of affected servers.

CVE-2021-28476 – Hyper-V Remote Code Execution Vulnerability. This remote code execution vulnerability in the Hyper-V virtual machine component affects Windows Server and client operating systems. Attack complexity is low and an attacker can expect repeatable success against the vulnerable component. It has not been publicly disclosed and had not been exploited prior to release of the patch. Successful exploitation does not require a user to take any action. If exploited, the result could be total loss of confidentiality, integrity, and availability, but Microsoft's assessment rates exploitation as less likely.

Important vulnerabilities

In addition to the zero day and critical vulnerabilities discussed above, Patch Tuesday brings us fixes for forty-eight additional issues that are rated Important. These cover a broad base and include spoofing vulnerabilities, security features bypasses, information disclosure, denial of service, remote code execution, and elevation of privilege issues in an array of Windows components and in Microsoft Exchange, Office applications, SharePoint, Skype for Business, and Visual Studio, among others.

Per Microsoft guidance, a rating of Important pertains to a vulnerability whose exploitation could result in compromise of the confidentiality, integrity, or availability of user data, or of the integrity or availability of processing resources. These scenarios include common use scenarios where a client is compromised with warnings or prompts, regardless of the prompt's provenance, quality, or usability. Sequences of user actions that do not generate prompts or warnings are also covered.

Microsoft recommends that customers apply Important updates at the earliest opportunity.

Applying the updates

Most organizations will deploy Microsoft and third party software updates automatically to their servers and managed client systems using a patch management system of their choice, such as GFI’s LanGuard. Automated patch management saves time and reduces the risk of botched installations.

Most home users will receive the updates via the Windows Update service that’s built into the operating system. Cumulative and security-only updates are available for supported versions of Windows client and server. Microsoft provides direct downloads for those who need to install the updates manually. You can download these from the Microsoft Update Catalog.

Here are the links to the updates for the latest versions of Windows:

KB5003173 – Windows 10 v 20H2

KB5003169 – Windows 10 v 1909

IMPORTANT NOTE: Windows 10, version 1909 is at end of service on May 11, 2021 for devices running the Home, Pro, Pro for Workstation, Nano Container, and Server SAC editions. After May 11, 2021, these devices will no longer receive monthly security and quality updates that contain protection from the latest security threats.
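Once the updates are rolling out, the check a practitioner wants is on the host itself: is the May 11 cumulative update (or a later one that supersedes it) in place, and, for the HTTP.sys bug CVE-2021-31166 described earlier, does a still-unpatched 2004/20H2 host actually have HTTP.sys listeners? The PowerShell below is an added example, not code from the original post or from Microsoft. The KB numbers are the ones listed above; the minimum build.revision values are assumed to be the OS Build figures from each KB's release notes and should be verified against those pages before you rely on them.

```powershell
# Added example (not from the original post): report whether this host carries
# the May 11, 2021 cumulative update and whether it is in scope for CVE-2021-31166.
# Compliance is judged by build revision (UBR) rather than by Get-HotFix, so a
# later LCU that supersedes the May update still counts as patched.

$MayLcu = @{
    # release = KB from the article; Build/Ubr = assumed "OS Build" after install
    '20H2' = @{ KB = 'KB5003173'; Build = 19042; Ubr = 985  }
    '2004' = @{ KB = 'KB5003173'; Build = 19041; Ubr = 985  }
    '1909' = @{ KB = 'KB5003169'; Build = 18363; Ubr = 1556 }
    '1809' = @{ KB = 'KB5003171'; Build = 17763; Ubr = 1935 }
    '1607' = @{ KB = 'KB5003197'; Build = 14393; Ubr = 4402 }
}

# Releases the article lists as affected by the wormable HTTP.sys bug.
$HttpSysAffected = @('2004', '20H2')

function Get-WindowsReleaseInfo {
    $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    # DisplayVersion (e.g. "20H2") exists from 20H2 onward; older builds only have ReleaseId.
    $release = if ($cv.DisplayVersion) { $cv.DisplayVersion } else { $cv.ReleaseId }
    [pscustomobject]@{
        Release = $release
        Build   = [int]$cv.CurrentBuildNumber
        Ubr     = [int]$cv.UBR          # Update Build Revision, bumped by every LCU
    }
}

function Test-MayLcuInstalled {
    param([Parameter(Mandatory)]$Os)
    $want = $MayLcu[$Os.Release]
    if (-not $want) {
        return [pscustomobject]@{
            Release = $Os.Release; ExpectedKB = $null; Compliant = $null
            Note    = 'release not in table; check the Microsoft Update Catalog'
        }
    }
    # Same build line and a revision at or past the May update.
    $compliant = ($Os.Build -eq $want.Build) -and ($Os.Ubr -ge $want.Ubr)
    [pscustomobject]@{
        Release    = $Os.Release
        ExpectedKB = $want.KB
        Compliant  = $compliant
        Note       = "running $($Os.Build).$($Os.Ubr), need >= $($want.Build).$($want.Ubr)"
    }
}

function Get-HttpSysListeners {
    # HTTP.sys listens from kernel mode, so its sockets are owned by PID 4 (System).
    # IIS is not required: WinRM (5985/5986), WSDAPI and others register with HTTP.sys.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object OwningProcess -eq 4 |
        Select-Object LocalAddress, LocalPort -Unique
}

$os     = Get-WindowsReleaseInfo
$result = Test-MayLcuInstalled -Os $os
$result | Format-List

if (($os.Release -in $HttpSysAffected) -and -not $result.Compliant) {
    $listeners = Get-HttpSysListeners
    if ($listeners) {
        Write-Warning "CVE-2021-31166: unpatched $($os.Release) host with HTTP.sys listeners:"
        $listeners | Format-Table -AutoSize
        # The registered URL prefixes show which service owns each listener.
        netsh http show servicestate view=requestq | Select-String 'Registered URLs|HTTP'
    } else {
        Write-Output 'No HTTP.sys listeners right now; exposure begins when a service registers one.'
    }
}
```

Run it in an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (Get-NetTCPConnection comes from the NetTCPIP module). A Compliant value of False on a 2004 or 20H2 host with listeners is the case to escalate; an empty listener list only means no service has registered a URL yet, not that the driver is safe, so the update is still required.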

Known Issues

Before rolling an update out to production systems, always check whether there are known issues that affect your particular machines and configurations. A large number of such known issues impact this month's updates. A full list of links to the KB articles detailing them can be found in the release notes.

Malicious Software Removal Tool (MSRT) update

The MSRT is used to find and remove malicious software from Windows systems and its definitions are updated regularly. The updates are normally installed via Windows Update but if you need to download and install them manually, you’ll find the links for the 32- and 64-bit versions in the Microsoft Download Center: https://www.microsoft.com/en-us/download/details.aspx?id=9905

Third party releases

In addition to Microsoft's security updates, this month's Patch Tuesday brought an unusually large number of updates from Adobe: twelve patches for various Adobe products. We will cover these in detail in our Third Party Patch Roundup at the end of the month.

Get your free 30-day GFI LanGuard trial

Get immediate results. Identify where you’re vulnerable with your first scan on your first day of a 30-day trial. Take the necessary steps to fix all issues.