Exchange Server zero-day among latest Microsoft Patch Tuesday fixes
The firm has patched three zero-day vulnerabilities across its products that haven’t yet been exploited
Microsoft has patched 55 vulnerabilities across a swathe of its products as part of its latest round of Patch Tuesday fixes, including three zero-day vulnerabilities that haven’t yet been publicly exploited.
The most alarming of the flaws, tracked as CVE-2021-31207, is present in the Microsoft Exchange Server platform, which was at the heart of a devastating supply chain attack earlier in the year.
This vulnerability is a security feature bypass flaw and was discovered as part of last month’s Pwn2Own contest. Although it hasn’t been exploited by cyber criminals, details of the exploitation demonstrated in the contest will be published soon.
The Exchange Server flaw has been patched alongside CVE-2021-31204, an elevation of privilege vulnerability in .NET and Visual Studio, as well as CVE-2021-31200, a remote code execution flaw in the Common Utilities component.
Four of the flaws patched as part of the 55 are classed as ‘critical’, and none of them are the three zero-days highlighted. These include remote code execution flaws in HTTP.sys, Windows OLE Automation and Hyper-V, as well as a scripting engine memory corruption bug in Internet Explorer.
The 55 CVEs patched in May represents the smallest wave of Patch Tuesday fixes so far in 2021, after more than 100 were addressed this time last month. This wave included patches for five zero-days vulnerabilities and four critical Microsoft Exchange Server flaws discovered by the NSA.
RELATED RESOURCE
The most serious of the five zero-days included CVE-2021-28310, an escalation of privilege flaw in the Desktop Window Manager component of Windows 10 that was likely being used in a chain alongside other vulnerabilities to seize control of machines.
Although CVE-2021-31207, patched this month, is deemed as less likely to be exploited, cyber criminals will be working hard to reverse engineer an exploit from the fix released this week.
The fact that details around a successful exploitation, as demonstrated in the Pwn2Own contest, could be published soon too, should urge businesses to patch their vulnerable systems as soon as possible.
-
The UK AI revolution: navigating the future of the intelligent enterpriseAs AI reshapes industries and societies, decision-makers in the UK face a critical choice: build a sovereign future or merely import it.
-
Turning the UK AI revolution into a sovereign realityThe UK AI Revolution documentary series posed difficult questions about AI’s hype, control, and future. Now, IT leaders must find the architectural answers
-
Veeam patches Backup & Replication vulnerabilities, urges users to updateNews The vulnerabilities affect Veeam Backup & Replication 13.0.1.180 and all earlier version 13 builds – but not previous versions.
-
Two Fortinet vulnerabilities are being exploited in the wild – patch nowNews Arctic Wolf and Rapid7 said security teams should act immediately to mitigate the Fortinet vulnerabilities
-
Everything you need to know about Google and Apple’s emergency zero-day patchesNews A serious zero-day bug was spotted in Chrome systems that impacts Apple users too, forcing both companies to issue emergency patches
-
Security experts claim the CVE Program isn’t up to scratch anymore — inaccurate scores and lengthy delays mean the system needs updatedNews CVE data is vital in combating emerging threats, yet inaccurate ratings and lengthy wait times are placing enterprises at risk
-
IBM AIX users urged to patch immediately as researchers sound alarm on critical flawsNews Network administrators should patch the four IBM AIX flaws as soon as possible
-
Critical Dell Storage Manager flaws could let hackers access sensitive data – patch nowNews A trio of flaws in Dell Storage Manager has prompted a customer alert
-
Flaw in Lenovo’s customer service AI chatbot could let hackers run malicious code, breach networksNews Hackers abusing the Lenovo flaw could inject malicious code with just a single prompt
-
Industry welcomes the NCSC’s new Vulnerability Research Initiative – but does it go far enough?News The cybersecurity agency will work with external researchers to uncover potential security holes in hardware and software
