May’s Patch Tuesday

On May 12th, summer finally arrived in Finland, and so did the patches from Microsoft’s Patch Tuesday. The release fixed 55 vulnerabilities. That number is rather small compared to wintertime, when there are almost always more than 100 patches each month.


Key points

The highest CVSS score among the vulnerabilities is 9.9. The vulnerability in question, CVE-2021-28476, affects practically every Microsoft operating system. It can be used for denial-of-service attacks against Hyper-V, but other uses are possible as well.

The second-highest CVSS score, 9.8, goes to CVE-2021-31166, which allows malicious code to be run on the operating system. To exploit this vulnerability, an attacker needs to send a malicious packet to the HTTP Protocol Stack component (http.sys) of the operating system. Microsoft has also stated that this vulnerability is wormable, meaning it can spread from one device to another without any user action.

In addition to these very critical vulnerabilities, May saw patches for three vulnerabilities that were already public knowledge: CVE-2021-31204, CVE-2021-31207, and CVE-2021-31200. The first one concerns a .NET product and the Visual Studio 2019 application. The second, CVE-2021-31207, was found in the Microsoft Exchange Server software; a fun fact worth mentioning is that this vulnerability was found in the 2021 Pwn2Own competition. The third publicly known vulnerability, CVE-2021-31200, relates to the file common_utils.py, and its patch has its own article on GitHub.


Active and known issues in Windows operating systems


Operating system                                                       Active known issues (previous month)
-----------------------------------------------------------------------------------------------------------
Windows 10, version 20H2 and Windows Server, version 20H2              4 (3)
Windows 10, version 2004 and Windows Server, version 2004              4 (3)
Windows 10, version 1909 and 1903* and Windows Server, version 1903    1 (0)
Windows 10, version 1809** and Windows Server 2019                     1 (1)
Windows 10, version 1803**                                             0 (0)
Windows 10, version 1709*** and Windows Server, version 1709           Support has ended.
Windows 10, version 1703***                                            Support has ended.
Windows 10, version 1607 LTSC*** and Windows Server 2016               1 (2)
Windows 8.1**** and Windows Server 2012 R2                             No data.
Windows Server 2012                                                    No data.
Windows 7**** and Windows Server 2008 R2 SP1                           Mainstream support has ended.

* 1909 has the same operating system core and identical system files as its predecessor, 1903.

** Support for the Windows 10 build in question has ended for the Home, Pro, and Enterprise editions.

*** Support for the Windows 10 build in question has ended for all editions.

**** The mainstream support period for the Windows version in question has ended. Extended support ends on Jan 10th 2023 for Windows 8.1 and ended on Jan 14th 2020 for Windows 7.


Recommended actions

The critical, zero-day, and publicly known vulnerabilities mentioned above should be patched as soon as possible. However, Centero recommends testing the updates carefully before deploying them to production. In addition, you should go through any known issues before deploying the updates.
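Two defender-side checks for the points above, as an added example that is not part of the original post or of Centero’s products: an inventory of the listeners a host exposes through the HTTP Protocol Stack (http.sys, the component affected by CVE-2021-31166) for prioritising the rollout, and a check of whether any update has been installed since the May 2021 release. It assumes that, because http.sys is a kernel-mode driver, its listening sockets are owned by the System process (PID 4), and it uses the stock Get-NetTCPConnection, Get-HotFix and netsh tools; the release date is taken from the post.

```powershell
# Added example, not part of the original post. Assumption: http.sys sockets
# show up as TCP listeners owned by the System process (PID 4), because the
# HTTP Protocol Stack runs in kernel mode.

function Get-HttpSysListener {
    # TCP listeners owned by PID 4 are served in kernel mode; on a Windows host
    # these are normally http.sys request queues (IIS, WinRM, WSUS, ...).
    Get-NetTCPConnection -State Listen -OwningProcess 4 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort -Unique |
        Sort-Object LocalPort
}

function Get-HttpSysRegisteredUrl {
    # netsh prints the URL prefixes registered with http.sys; each prefix is a
    # path on which the affected component parses incoming requests.
    # Requires an elevated shell.
    netsh http show servicestate view=requestq |
        Select-String -Pattern '^\s*https?://\S+' |
        ForEach-Object { $_.Line.Trim() } |
        Sort-Object -Unique
}

function Test-UpdatesInstalledSince {
    # Lists hotfixes installed on or after the release date; an empty result
    # means the host has not received the May 2021 (or any later) update yet.
    param([datetime]$ReleaseDate = [datetime]'2021-05-11')
    $installed = Get-HotFix | Where-Object { $_.InstalledOn -ge $ReleaseDate }
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        HotFixIDs    = ($installed.HotFixID) -join ', '
        Patched      = [bool]$installed
    }
}

$listeners = @(Get-HttpSysListener)
if ($listeners.Count -gt 0) {
    Write-Host "http.sys listeners on $env:COMPUTERNAME (prioritise for CVE-2021-31166):"
    $listeners | Format-Table -AutoSize
    Get-HttpSysRegisteredUrl | ForEach-Object { Write-Host "  $_" }
} else {
    Write-Host "No kernel-owned TCP listeners found; http.sys is not exposed on the network."
}
Test-UpdatesInstalledSince | Format-List
```

Run it in an elevated PowerShell session on each server; hosts that list http.sys listeners reachable from untrusted networks are the ones to patch first.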

Microsoft’s documentation on the subject

Microsoft maintains a list of Windows updates and their known issues on the following page. Additional information on the lifecycle of Windows versions can be found via the last link.

With the help of Centero Software Manager Cloud and CSM Cloud for Servers, your devices receive these and other updates in a managed way, according to the configuration you have selected.
