Microsoft has patched 55 vulnerabilities across a swathe of its products as part of its latest round of Patch Tuesday fixes, including three zero-day vulnerabilities that haven’t yet been publicly exploited.
The most alarming of the flaws, tracked as CVE-2021-31207, is present in the Microsoft Exchange Server platform, which was at the heart of a devastating supply chain attack earlier in the year.
This vulnerability is a security feature bypass flaw and was discovered as part of last month’s Pwn2Own contest. Although it hasn’t been exploited by cyber criminals, details of the exploitation demonstrated in the contest will be published soon.
The Exchange Server flaw has been patched alongside CVE-2021-31204, an elevation of privilege vulnerability in .NET and Visual Studio, as well as CVE-2021-31200, a remote code execution flaw in the Common Utilities component.
Four of the flaws patched as part of the 55 are classed as ‘critical’, and none of them are the three zero-days highlighted. These include remote code execution flaws in HTTP.sys, Windows OLE Automation and Hyper-V, as well as a scripting engine memory corruption bug in Internet Explorer.
The 55 CVEs patched in May represents the smallest wave of Patch Tuesday fixes so far in 2021, after more than 100 were addressed this time last month. This wave included patches for five zero-days vulnerabilities and four critical Microsoft Exchange Server flaws discovered by the NSA.
RELATED RESOURCE
The most serious of the five zero-days included CVE-2021-28310, an escalation of privilege flaw in the Desktop Window Manager component of Windows 10 that was likely being used in a chain alongside other vulnerabilities to seize control of machines.
Although CVE-2021-31207, patched this month, is deemed as less likely to be exploited, cyber criminals will be working hard to reverse engineer an exploit from the fix released this week.
The fact that details around a successful exploitation, as demonstrated in the Pwn2Own contest, could be published soon too, should urge businesses to patch their vulnerable systems as soon as possible.
-
Meta just revived plans to train AI models using European user dataNews Meta has confirmed plans to train AI models using European users’ public content and conversations with its Meta AI chatbot.
-
AI is helping bad bots take over the internetNews Automated bot traffic has surpassed human activity for the first time in a decade, according to Imperva
-
Hackers are targeting Ivanti VPN users again – here’s what you need to knowNews Ivanti has re-patched a security flaw in its Connect Secure VPN appliances that's been exploited by a China-linked espionage group since at least the middle of March.
-
Broadcom issues urgent alert over three VMware zero-daysNews The firm says it has information to suggest all three are being exploited in the wild
-
Nakivo backup flaw still present on some systems months after firms’ ‘silent patch’, researchers claimNews Over 200 vulnerable Nakivo backup instances have been identified months after the firm silently patched a security flaw.
-
Everything you need to know about the Microsoft Power Pages vulnerabilityNews A severe Microsoft Power Pages vulnerability has been fixed after cyber criminals were found to have been exploiting unpatched systems in the wild.
-
Vulnerability management complexity is leaving enterprises at serious riskNews Fragmented data and siloed processes mean remediation is taking too long
-
A critical Ivanti flaw is being exploited in the wild – here’s what you need to knowNews Cyber criminals are actively exploiting a critical RCE flaw affecting Ivanti Connect Secure appliances
-
Researchers claim an AMD security flaw could let hackers access encrypted dataNews Using only a $10 test rig, researchers were able to pull off the badRAM attack
-
A journey to cyber resiliencewhitepaper DORA: Ushering in a new era of cyber security
