May Patch Tuesday Commentary
There are a number of Publicly Disclosed vulnerabilities and one Zero Day exploit this month across Microsoft and Adobe. Microsoft has resolved 55 vulnerabilities, four of which are rated as Critical. The top concern from the Microsoft updates this month is the update for Microsoft Exchange that includes the fix for CVE-2021-31207, which made its debut in the 2021 Pwn2Own competition. There are two other publicly disclosed vulnerabilities resolved by Microsoft this month in Common Utilities found in the NNI open source toolkit (CVE-2021-31200), and in .NET and Visual Studio (CVE-2021-31204)
Microsoft Exchange Admins have had a rough stretch in the past few months starting with the zero day exploits targeted by HAFNIUM followed by the April Exchange update resolving four NSA discovered vulnerabilities, and with the May update we are seeing the first of several vulnerabilities that were showcased in Pwn2Own getting to resolution. CVE-2021-31207 is only rated as Moderate, but the Security Feature Bypass exploit was showcased prominently in the Pwn2Own contest and at some point details of the exploit will be published. At that point threat actors will be able to take advantage of the vulnerability if they have not already begun attempting to reverse engineer an exploit.
There are two other publicly disclosed vulnerabilities resolved by Microsoft this month. CVE-2021-31200 is a Remote Code Execution vulnerability in Common Utilities, which is a python script from the NNI (Neural Network Intelligence) open source toolkit, and CVE-2021-31204 which is a Elevation of Privilege vulnerability in .NET and Visual Studio. Both Publicly Disclosed vulnerabilities are rated as Important, but the disclosure puts them at a higher risk of being exploited.
Adobe has released 12 updates for May Patch Tuesday. These updates resolve 42 unique CVEs, 16 of which are rated as critical and one is actively being exploited in targeted attacks (CVE-2021-28550). Adobe Acrobat and Reader (APSB21-29) is a priority 1 update indicating it resolves a vulnerability that is actively being exploited. The updates for Adobe Magento (APSB21-30) and Adobe Experience Manager (APSB21-15) are rated priority 2 by Adobe. The updates for Adobe InDesign, Illustrator, InCopy, Adobe Creative Cloud Desktop Application, Animate, and Medium are rated as priority 3, but do include Critical vulnerabilities. The remainder of Adobe’s releases are rated priority 3 and include updates for vulnerabilities rated as Important.
On a side topic, this month marks the final update for several Windows 10 and Server editions, so make sure you have updated any systems to newer branches to avoid a disruption in security update coverage come June. Windows 10 1803 and 1809 and Server 1909 all received their final update on May Patch Tuesday 2021.
May Patch Tuesday Priorities:
- Microsoft Exchange - due to the very public demonstration of the exploit during Pwn2Own this update should be considered a higher risk than the Moderate rating it received from Microsoft.
- Windows Operating System and Internet Explorer – The OS and IE updates this month carried all four Critical CVEs that were resolved. These should also get more immediate attention.
- Adobe Acrobat and Reader should be deployed quickly followed by Magento and Experience Manager. The priority 3 updates are not as urgent, but should be updated as testing allows.
- Common Utilities and .NET and Visual Studio are less likely to be targeted, but due to the public disclosures they should not be ignored for long.