Microsoft fixed 55 vulnerabilities yesterday including three zero-days not thought to have been exploited in the wild, one of which affected the under-fire Exchange Server.
This month’s Patch Tuesday is lighter than many have been in recent months, but there were four critical CVEs for admins to address, alongside the three publicly disclosed bugs.
“Microsoft Exchange admins have had a rough stretch in the past few months starting with the zero-day exploits targeted by Hafnium followed by the April Exchange update resolving four NSA discovered vulnerabilities,” said Goettl.
“CVE-2021-31207 is only rated as moderate, but the security feature bypass exploit was showcased prominently in the Pwn2Own contest and at some point details of the exploit will be published. At that point threat actors will be able to take advantage of the vulnerability if they have not already begun attempting to reverse engineer an exploit.”
The other two zero-days fixed by Microsoft this month are CVE-2021-31200, a remote code execution (RCE) vulnerability in Common Utilities, and CVE-2021-31204 which is an elevation of privilege flaw in .NET and Visual Studio.
“Both publicly disclosed vulnerabilities are rated as Important, but the disclosure puts them at a higher risk of being exploited,” warned Goettl.
Also this month, Adobe resolved 42 CVEs, 16 of which are rated critical and one of which is a zero-day being actively exploited in the wild.