IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Exchange Server zero-day among latest Microsoft Patch Tuesday fixes

The firm has patched three zero-day vulnerabilities across its products that haven’t yet been exploited

Microsoft has patched 55 vulnerabilities across a swathe of its products as part of its latest round of Patch Tuesday fixes, including three zero-day vulnerabilities that haven’t yet been publicly exploited.

The most alarming of the flaws, tracked as CVE-2021-31207, is present in the Microsoft Exchange Server platform, which was at the heart of a devastating supply chain attack earlier in the year. 

This vulnerability is a security feature bypass flaw and was discovered as part of last month’s Pwn2Own contest. Although it hasn’t been exploited by cyber criminals, details of the exploitation demonstrated in the contest will be published soon.

The Exchange Server flaw has been patched alongside CVE-2021-31204, an elevation of privilege vulnerability in .NET and Visual Studio, as well as CVE-2021-31200, a remote code execution flaw in the Common Utilities component.  

Four of the flaws patched as part of the 55 are classed as ‘critical’, and none of them are the three zero-days highlighted. These include remote code execution flaws in HTTP.sys, Windows OLE Automation and Hyper-V, as well as a scripting engine memory corruption bug in Internet Explorer.

The 55 CVEs patched in May represents the smallest wave of Patch Tuesday fixes so far in 2021, after more than 100 were addressed this time last month. This wave included patches for five zero-days vulnerabilities and four critical Microsoft Exchange Server flaws discovered by the NSA. 

Related Resource

The definitive guide to IT security

Protecting your MSP and your customers

The definitive guide to IT security for MSPs - whitepaper from LiongardDownload now

The most serious of the five zero-days included CVE-2021-28310, an escalation of privilege flaw in the Desktop Window Manager component of Windows 10 that was likely being used in a chain alongside other vulnerabilities to seize control of machines.

Although CVE-2021-31207, patched this month, is deemed as less likely to be exploited, cyber criminals will be working hard to reverse engineer an exploit from the fix released this week.

The fact that details around a successful exploitation, as demonstrated in the Pwn2Own contest, could be published soon too, should urge businesses to patch their vulnerable systems as soon as possible.

Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Recommended

Windows users now able to run Linux apps and distros natively
Microsoft Windows

Windows users now able to run Linux apps and distros natively

24 Nov 2022
Microsoft issues emergency fixes for wide-reaching Kerberos issues
Software

Microsoft issues emergency fixes for wide-reaching Kerberos issues

21 Nov 2022
Microsoft targets optimised supply chain investments with new platform launch
Business operations

Microsoft targets optimised supply chain investments with new platform launch

16 Nov 2022
Microsoft says “it’s just too difficult” to effectively disrupt ransomware
Security

Microsoft says “it’s just too difficult” to effectively disrupt ransomware

4 Nov 2022

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
Salesforce co-CEO Bret Taylor resigns with cryptic parting message
Business operations

Salesforce co-CEO Bret Taylor resigns with cryptic parting message

1 Dec 2022
Netherlands urges citizens to prepare survival kits in case hackers target critical infrastructure
cyber attacks

Netherlands urges citizens to prepare survival kits in case hackers target critical infrastructure

2 Dec 2022