On its May Patchday, Microsoft fixes 55 security vulnerabilities. Security patches are available for Hyper-V, Internet Explorer, Office, SharePoint Server and Windows, among others. Anyone using Microsoft software should ensure that Windows Update is active and the patches are installed.
Of the 55 vulnerabilities, four are rated “critical” by Microsoft. A vulnerability (CVE-2021-31166) in the HTTP protocol stack (http.sys) is considered particularly dangerous; it threatens Windows 10 2004, 20H2 and Windows Server 20H2.
In an advisory, Microsoft writes that attackers could remotely execute malicious code with kernel privileges without authenticating. All they have to do is send crafted packets to vulnerable systems. If attacks succeed, malware could spread in a worm-like fashion. This means that a Trojan could jump from one server to the next and thus infect entire networks.
Another critical vulnerability (CVE-2021-28476) affects Hyper-V. After successful attacks, attackers could crash the host (DoS). To exploit the third critical vulnerability (CVE-2021-26419), an attacker would have to lure Internet Explorer users to a crafted website. Malicious code execution could then occur. The fourth critical vulnerability (CVE-2021-31194) is found in the OLE protocol and threatens various versions of Windows. Nothing is currently known about possible attack scenarios and effects.
More security vulnerabilities
Three vulnerabilities (CVE-2021-31200, CVE-2021-31204, CVE-2021-31207) are publicly known, according to Microsoft, but there are said to be no attacks yet. The vulnerabilities in .NET Core and Visual Studio are rated “important”, the one in Exchange Server “moderate”. If attackers successfully exploit the vulnerabilities, they could gain higher privileges or even execute their own code.
The remaining vulnerabilities are rated “important”. After successful attacks, attackers could, among other things, access information that should be protected or execute malicious code.
Microsoft lists more information about the security issues in its Security Update Guide. However, the website is rather confusing. The security researchers from Trend Micro’s Zero Day Initiative, for example, have compiled a clearer overview.