A light but still critical Patch Tuesday in May 2021
This month, Microsoft's latest Patch Tuesday addressed 4 critical-class vulnerabilities. The Pwn2Own hacking contest also led to fixes for 4 other flaws affecting Exchange.
For the second time this year, Microsoft has fixed fewer than 60 flaws in its monthly security update: 55 for this month of May, affecting Windows, .NET Core and Visual Studio, Internet Explorer, Office, SharePoint Server, Hyper-V, Skype for Business, Microsoft Lync… Of this set of vulnerabilities, four are rated critical, 50 significant and only one moderate in terms of severity. According to Microsoft, three of these bugs are publicly known, but none is listed as being actively exploited at the time of publication.
Of the flaws corrected, four were discovered. “Microsoft has fixed CVE-2021-31166, a remote code execution vulnerability in the HTTP protocol stack (http.sys). This was discovered internally by Microsoft and is considered likely to be exploited on Microsoft’s exploitability index. To take advantage of this breach, the attacker must target a vulnerable web server with a packet containing exploit code. This vulnerability has the particularity of being self-replicating. Organizations that use the HTTP protocol stack in their server architecture should apply these updates immediately.
Persistent Exchange Server vulnerabilities
Another critical flaw to be corrected as soon as possible is CVE-2021-28476, with a CVSS score of 9.9, a remote code execution vulnerability in Hyper-V. Microsoft notes that an attacker is more likely to exploit this weakness for denial of service than to execute malicious code. For this reason, the attack could be rated as high, bringing the CVSS rating to 8.5. The other two vulnerabilities rated critical, CVE-2021-31194 and CVE-2021-26419, relate to OLE Automation remote code execution and script engine memory corruption, respectively.
Microsoft also had to address CVE-2021-27068, a vulnerability in Visual Studio 2019 that could allow code execution. It is unusual because it is also listed as requiring no user interaction. While the attacker must escalate privileges for the attack to work, the complexity of the attack is listed as low. The Redmond firm has also corrected four vulnerabilities in Exchange Server revealed during the recent Pwn2Own hacking competition. The vulnerabilities, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209, and CVE-2021-31195, are all rated significant or moderate. The latter is attributed to Orange Tsai of the DEVCORE research team, responsible for the disclosure of the ProxyLogon vulnerability on Exchange Server, corrected last March. Note that none of the techniques used during the contest required user interaction.