This article is more than 1 year old
Microsoft emits more fixes for Exchange Server plus patches for remote-code exec holes in HTTP stack, Visual Studio
Plus: Grab your updates for Adobe, SAP, Android, Intel
Patch Tuesday Microsoft's May Patch Tuesday brought a lighter-than-usual load of 55 fixes for 32 of the Windows giant's applications and services, which is about half what was served up in April.
The Redmond-based firm's Office and Windows flagships house many of the identified vulnerabilities, alongside Internet Explorer, Visual Studio, Visual Studio Code, Skype, and other software.
Among the 55 CVEs identified by Microsoft, four are rated critical, 50 are rated important, and one is rated moderate.
Those who recall the slew of Exchange Server fixes in March and April may experience a sense of deja vu: May brings still more Exchange Server fixes, for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9.
The four Exchange bugs are all rated moderate; one, a security-feature bypass (CVE-2021-31207), is already publicly known.
Dustin Childs, director of communications for the Zero Day Initiative, observes in an advisory that a number of Exchange bugs came out of the recent Pwn2Own exploit contest.
"More Exchange patches are expected as not everything disclosed at the contest has been addressed," he said.
Aware that state-sponsored miscreants have been breaking into Exchange Servers via earlier vulnerabilities, Microsoft said while it's not aware of any active exploitation of these latest flaws, "our recommendation is to install these updates immediately to protect your environment."
Childs points to four other vulnerabilities also deserving of immediate attention:
- HTTP Protocol Stack Remote Code Execution Vulnerability (CVE-2021-31166, critical)
- Hyper-V Remote Code Execution Vulnerability (CVE-2021-28476, critical)
- Visual Studio Remote Code Execution Vulnerability (CVE-2021-27068, important)
- Windows Wireless Networking Information Disclosure Vulnerability (CVE-2020-24587, important)
The other two critical vulnerabilities – OLE Automation Remote Code Execution Vulnerability (CVE-2021-31194) and Scripting Engine Memory Corruption Vulnerability (CVE-2021-26419) – both involve luring a victim to a website to get remote code execution, said Childs.
SAP released 11 security notes, six addressing new issues and five related to previous patches.
Among its three advisories designated Hot News, which is SAP-speak for "critical," one note managed a perfect score of 10 out of 10 in severity – an update to a Security Note from August 2018 that patched the Google Chromium component that comes with SAP Business Client.
The two Hot News runners-up managed only 9.9 severity – an update to an April 2021 patch addressing a remote code execution vulnerability in SAP Commerce (CVE-2021-27602) and an update to a January 2021 patch addressing a code injection flaw in SAP Business Warehouse and SAP BW/4HANA (CVE-2021-21466).
Among the newly disclosed entries, two of the three High Priority notes fix issues in SAP Business One (B1). Security firm Onapsis in a blog post said that both are due to installations carried out by Chef Cookbooks, a configuration management tool for managing IT infrastructure.
Onapsis researcher Thomas Fritsch advises: not using tools for system installation that have not been explicitly released by SAP for production; anonymizing data whenever possible; and isolating test environments from production environments.
Adobe released a dozen security advisories covering 43 CVEs for: Experience Manager, InDesign, Illustrator, InCopy, Genuine Service, Acrobat and Reader, Magneto, Creative Cloud Desktop Application, Media Encoder, After Effects, Medium, and Animate.
The Illustrator vulnerabilities (CVE-2021-21101, CVE-2021-21103, CVE-2021-21104, CVE-2021-21105, CVE-2021-21102) affect the Windows version of the app and are all critical.
The Acrobat and Reader flaws consist of six critical vulnerabilities and four important ones. One of these, CVE-2021-28550, "has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows," Adobe says.
While a few of the above mentioned Adobe apps have less pressing problems to deal with, they largely should be patched as soon as possible.
A week ago, Google published patches addressing 42 CVEs in Android and assorted components from vendors AMLogic, Arm, MediaTek, and Qualcomm. Of the four critical severity flaws, three were found in Android and one resided in AMLogic bootROM.
And finally, Intel has patched some of its Wi-Fi firmware to address various weaknesses that can be exploited to cause a denial of service. ®