May’s Patch Tuesday
On May 12th, summer finally arrived to Finland, as did the patches from Microsoft’s Patch Tuesday. Tuesday saw patches for 55 vulnerabilities. The number is rather small compared to wintertime, when there are more than 100 patches each month, almost without exceptions.
The highest CVSS for the vulnerabilities is 9.9. The vulnerability CVE-2021-28476 in question affects practically every Microsoft’s operating system. The vulnerability can be used for Hyper-V DoS attacks, but there can be other uses as well.
The second highest CVSS value, 9.8, goes to CVE-2021-31166, enabling the use of a malicious code in the operating system. To benefit from this vulnerability, you need to send a malicious package to the HTTP Protocol Stack component (http.sys) in the operating system. Microsoft has also told this is a worm-like vulnerability, spreading from one device to another, without user actions.
In addition to these very critical vulnerabilities, May saw patches for three vulnerabilities that were public knowledge: CVE-2021-31204, CVE-2021-31207, and CVE-2021-31200. The first one is directed to a NET-framework product and the Visual Studio 2019 application. The second vulnerability, CVE-2021-31207, was found in the Microsoft Exchange server software. A fun fact that’s worth mentioning: this vulnerability was found in the 2021 Pwn2Own competition. The third vulnerability that was public knowledge is CVE-2021-31200, related to the code common_utils.py. This patch has its own article in GitHub.
Active and known issues in Windows operating systems
|Operating System||Active known issues (previous month)|
|Windows 10, version 20H2 and Windows Server, version 20H2||4 (3)|
|Windows 10, version 2004 and Windows Server, version 2004||4 (3)|
|Windows 10, version 1909 and 1903* and Windows Server, version 1903||1 (0)|
|Windows 10, version 1809** and Windows Server 2019||1 (1)|
|Windows 10, version 1803**||0 (0)|
|Windows 10, version 1709*** and Windows Server, version 1709||Support has ended.|
|Windows 10, version 1703***||Support has ended.|
|Windows 10, version 1607 LTSC*** and Windows Server 20162||1 (2)|
|Windows 8.1**** and Windows Server 2012 R2||No data.|
|Windows Server 2012||No data.|
|Windows 7**** and Windows Server 2008 R2 SP1||Mainstream support has ended.|
* 1909 has the same operating system core and identical system files as its predecessor, 1903.
** The support for Windows 10’s build in question has ended for versions Home, Pro, and Enterprise.
*** The support for Windows 10’s build in question has ended for all versions.
**** The Mainstream support period for the Windows version has ended. Extended support periods end: For Windows 8.1, on Jan 10th 2023, and for Windows 7, on Jan 14th 2020.
The critical, zero-day, and public knowledge vulnerabilities mentioned in the beginning should be patched as soon as possible. However, Centero recommends testing the updates carefully before migrating them into production. In addition, you should go through any known issues before deploying the updates.
Microsoft’s documentation on the subject
Microsoft maintains a list of Windows updates and their known issues on the following page. You can find additional information on Windows-versions’ lifecycle behind the last link.
- Known issues and notifications
- Windows 10 update history
- Update history for Windows 8.1 and Windows Server 2012 R2
- Windows Server 2012 update history
- Update history for Windows 7 SP1 and Windows Server 2008 R2 SP1
- Windows lifecycle fact sheet