Microsoft's May 2021 Patch Tuesday: 55 flaws fixed, four critical

There were also three zero-day bugs but none have been exploited.
Written by Larry Dignan, Contributor

Microsoft's May Patch Tuesday dump included patches for 55 CVEs with four rated critical. There were also three zero-day bugs but none have been exploited.

Products impacted include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office, to name a few. You can find the updates for May here.

The fixed zero-day bugs include:

  • CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
  • CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
  • CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability

Zero Day Initiative flagged CVE-2021-31166 as one of the more interesting bugs. ZDI said:

CVE-2021-31166 - HTTP Protocol Stack Remote Code Execution Vulnerability

This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.

There's also a Hyper-V Remote Code Execution Vulnerability flagged by ZDI with a CVSS rating of 9.9.
