Microsoft Fixes Exchange Server Zero-Day in May Patch Tuesday

Microsoft fixed 55 vulnerabilities yesterday including three zero-days not thought to have been exploited in the wild, one of which affected the under-fire Exchange Server.

This month’s Patch Tuesday is lighter than many have been in recent months, but there were four critical CVEs for admins to address, alongside the three publicly disclosed bugs.

Top of the priority list should be CVE-2021-31207, which was discovered as part of this year’s Pwn2Own competition, according to Ivanti senior director of product management, Chris Goettl.

“Microsoft Exchange admins have had a rough stretch in the past few months starting with the zero-day exploits targeted by Hafnium followed by the April Exchange update resolving four NSA discovered vulnerabilities,” he said.

“CVE-2021-31207 is only rated as moderate, but the security feature bypass exploit was showcased prominently in the Pwn2Own contest and at some point details of the exploit will be published. At that point threat actors will be able to take advantage of the vulnerability if they have not already begun attempting to reverse engineer an exploit.”

The other two zero-days fixed by Microsoft this month are CVE-2021-31200, a remote code execution (RCE) vulnerability in Common Utilities, and CVE-2021-31204 which is an elevation of privilege flaw in .NET and Visual Studio.

“Both publicly disclosed vulnerabilities are rated as Important, but the disclosure puts them at a higher risk of being exploited,” warned Goettl.

Of the critical CVEs, Qualys research and engineering VP, Anand Paturi, singled out SharePoint RCE bug CVE-2021-31181, and CVE-2021-31166, an HTTP protocol stack RCE vulnerability in Windows.

Also this month, Adobe resolved 42 CVEs, 16 of which are rated critical and one of which is a zero-day being actively exploited in the wild.

What’s Hot on Infosecurity Magazine?