On Tuesday, May 11, 2021, Microsoft rolled out its scheduled monthly security update (Patch Tuesday) with patches for 55 security flaws affecting Windows, Exchange Server, Internet Explorer, Office, Hyper-V, Visual Studio, and Skype for Business.
Four of these 55 bugs are rated Critical, 50 are rated Important, and one is listed as Moderate in severity. Three of the vulnerabilities were publicly known at the time of release, although, unlike last month, none was under active exploitation.
The most critical of the flaws addressed is CVE-2021-31166, a wormable remote code execution vulnerability in the HTTP Protocol Stack (HTTP.sys), the kernel-mode driver that IIS and other Windows services use to accept HTTP requests. An unauthenticated attacker could trigger it by sending a specially crafted packet to a targeted server, and it is rated 9.8 out of a maximum of 10 on the CVSS scale.
Another vulnerability of note is a remote code execution flaw in Hyper-V (CVE-2021-28476), which, with a CVSS rating of 9.9, carries the highest score of any flaw patched this month.
“This issue allows a guest VM to force the Hyper-V host’s kernel to read from an arbitrary, potentially invalid address,” Microsoft said in its advisory. “The contents of the address read would not be returned to the guest VM. In most circumstances, this would result in a denial of service of the Hyper-V host (bugcheck) due to reading an unmapped address.”
“It is possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional, hardware device specific side effects that could compromise the Hyper-V host’s security,” the Windows maker noted.
In addition, the Patch Tuesday update addresses a scripting engine memory corruption flaw in Internet Explorer (CVE-2021-26419) and four weaknesses in Microsoft Exchange Server, marking the third consecutive month Microsoft has shipped fixes for the product since ProxyLogon exploits came to light in March —
- CVE-2021-31207 (CVSS score: 6.6) – Security Feature Bypass Vulnerability (publicly known)
- CVE-2021-31195 (CVSS score: 6.5) – Remote Code Execution Vulnerability
- CVE-2021-31198 (CVSS score: 7.8) – Remote Code Execution Vulnerability
- CVE-2021-31209 (CVSS score: 6.5) – Spoofing Vulnerability
While CVE-2021-31207 and CVE-2021-31209 were demonstrated at the 2021 Pwn2Own contest, CVE-2021-31195 is credited to Orange Tsai of DEVCORE, the researcher who disclosed the ProxyLogon Exchange Server vulnerabilities.
Elsewhere, the update addresses a slew of privilege escalation bugs in Windows Container Manager Service, an information disclosure vulnerability in Windows Wireless Networking, and several remote code execution flaws in Microsoft Office, Microsoft SharePoint Server, Skype for Business and Lync, Visual Studio, and Windows Media Foundation Core.
To install the latest security updates, Windows users can go to Start > Settings > Update & Security > Windows Update and select Check for updates.
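Installing the update is only half the job; an administrator also wants to confirm that it landed and to know which hosts actually expose the components singled out above (HTTP.sys listeners for CVE-2021-31166, the Hyper-V role for CVE-2021-28476). The PowerShell triage script below is an added example, not code from the article or from Microsoft. It assumes only the May 11, 2021 release date and the standard location of the http.sys driver; it takes an optional list of KB IDs, left empty here because the article does not name them, so the reader fills that in from the advisory for their build.

```powershell
# Added example (not from the article or Microsoft): post-Patch-Tuesday triage
# for one Windows host. Run in an elevated PowerShell session.
param(
    # Assumption: May 2021 Patch Tuesday was released on 2021-05-11. Anything
    # installed on or after this date is reported as a candidate for that batch.
    [datetime]$PatchTuesday = '2021-05-11',

    # Optional KB IDs for this host's build, taken from the Microsoft advisory.
    # Left empty here because the article does not list them.
    [string[]]$RequiredKBs = @()
)

$result = [ordered]@{}

# 1. Updates installed since Patch Tuesday. Get-HotFix reads the
#    Win32_QuickFixEngineering WMI class; InstalledOn can be $null on some
#    hosts, so it is filtered out before the date comparison.
$recent = Get-HotFix |
    Where-Object { $_.InstalledOn -and $_.InstalledOn -ge $PatchTuesday }
$result.RecentHotFixes = @($recent | Select-Object -ExpandProperty HotFixID)

# Any required KB that is not among the recently installed hotfixes is flagged.
$result.MissingKBs = @($RequiredKBs | Where-Object { $_ -notin $result.RecentHotFixes })

# 2. Version of the HTTP.sys driver (the component behind CVE-2021-31166).
#    Compare this against the fixed file version for your build as listed in
#    the advisory's file information; the script does not hard-code it.
$httpSys = Get-Item -Path "$env:SystemRoot\System32\drivers\http.sys"
$result.HttpSysVersion = $httpSys.VersionInfo.ProductVersion

# 3. URL reservations currently registered with HTTP.sys. Anything here
#    (IIS sites, WinRM/PowerShell remoting on 5985/5986, WSUS, etc.) means the
#    host accepts HTTP requests through the vulnerable driver.
$state = netsh http show servicestate 2>$null
$result.HttpSysUrls = @(
    $state |
        Where-Object { $_ -match '^\s*https?://' } |
        ForEach-Object { $_.Trim() } |
        Sort-Object -Unique
)

# 4. Is this a Hyper-V host? The Hyper-V Virtual Machine Management service
#    (vmms) only exists when the role is installed, so its presence is a cheap
#    indicator that CVE-2021-28476 applies here.
$vmms = Get-Service -Name vmms -ErrorAction SilentlyContinue
$result.HyperVHost = [bool]$vmms

# Emit one object so the output can be collected across hosts with
# Invoke-Command and exported (Export-Csv, ConvertTo-Json) for review.
[pscustomobject]$result
```

Run it with `-RequiredKBs KB...` (the IDs from the advisory for the host's build) to get a populated MissingKBs field; without that parameter it still reports the recent hotfixes, the driver version, the registered HTTP.sys URLs and the Hyper-V indicator, which is enough to prioritise which hosts to patch first. The check is advisory, not authoritative: Get-HotFix only sees updates that register a hotfix ID, so cross-check the driver version against the advisory when a host shows no recent entries.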