Microsoft's May Patch Tuesday dump included patches for 55 CVEs with four rated critical. There were also three zero-day bugs but none have been exploited.
Products impacted includes Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office to name a few. You can find the updates for May here.
The fixed zero day bugs include:
- CVE-2021-31204 .NET and Visual Studio Elevation of Privilege Vulnerability
- CVE-2021-31207 Microsoft Exchange Server Security Feature Bypass Vulnerability
- CVE-2021-31200 Common Utilities Remote Code Execution Vulnerability
Zero Day Initiative flagged CVE-2021-31166 as one of the more interesting bugs. ZDI said:
CVE-2021-31166 - HTTP Protocol Stack Remote Code Execution Vulnerability
This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.
There's also a Hyper-V Remote Code Execution Vulnerability flagged by ZDI with a CVSS rating of 9.9.