Microsoft fixes 55 security vulnerabilities in May 2021 Patch Tuesday

On May 11, Microsoft released its May 2021 Patch Tuesday updates, fixing 55 security vulnerabilities in Windows, Microsoft Office, Exchange Server, Visual Studio Code, Internet Explorer, and other widely used products. The fixes cover high-risk vulnerability types such as remote code execution and privilege escalation. Of the vulnerabilities fixed in this month's update, 4 are rated critical and 50 are rated high-risk.

Vulnerability Details

CVE-2021-31166: HTTP Protocol Stack Remote Code Execution Vulnerability

The HTTP protocol stack (http.sys) has a remote code execution vulnerability. An unauthenticated remote attacker can exploit it by sending specially crafted packets to the target host, resulting in arbitrary code execution on the target system. The CVSS score is 9.8, and Microsoft said that this vulnerability is wormable.

CVE-2021-28476: Hyper-V Remote Code Execution Vulnerability

Windows Hyper-V has a remote code execution vulnerability with a CVSS score of 9.9. The vulnerability allows a guest VM to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address. In some cases, an attacker who successfully exploits this vulnerability can run binaries on the Hyper-V server or execute arbitrary code on the system.

CVE-2021-31181, CVE-2021-28474: Microsoft SharePoint Remote Code Execution Vulnerability

An authenticated attacker can exploit these vulnerabilities by visiting the SharePoint site, resulting in arbitrary code execution on the target system.

CVE-2021-31194: OLE Automation Remote Code Execution Vulnerability

This vulnerability exists in Windows OLE. An attacker can build a malicious website and induce users to visit it; the vulnerability is then exploited through the web browser, which invokes OLE automation, resulting in remote code execution.

CVE-2021-31207: Microsoft Exchange Server Security Feature Bypass Vulnerability

This vulnerability is one of the Exchange Server vulnerabilities discovered in the 2021 Pwn2Own competition, and it has been publicly disclosed. An attacker who successfully exploits it can gain a degree of control over the server.