May, 2021: Patch Tuesday: 2 Publicly Disclosed Vulnerabilities

Welcome to the May Patch Tuesday Bulletin. This month was much less exciting than last, with only 55 unique CVEs, 8 technologies, 2 technologies with critical updates, and 2 vulnerabilities that have been publicly disclosed. CVE-2021-31204 and CVE-2021-31207 were both publicly disclosed vulnerabilities, affecting Visual Studio and Microsoft Exchange, respectively. Both vulnerabilities were rated “less likely” to be exploited. Windows, SharePoint, and IE all had vulnerabilities with high CVSS scores that were rated “Exploitation More Likely”, so it will be important to ensure that these technologies are updated quickly. There were no known actively attacked vulnerabilities or vulnerabilities with exploits released.

Over the years we've had millions of visitors to UltimateWindowsSecurity.com. Every month we have thousands and thousands of visitors to our Security Log Encyclopedia, which documents all of the Security Log event IDs for Windows Server OSes. Back in 2007 when SharePoint added auditing capability, I realized that my audience not only needed the event information from SharePoint but I also found a similar need in SQL Server and Exchange. So not only did I document the data but I also started to develop the means to extract that event data from these applications so that it’s accessible and usable to the end user. Some 8 years later and LOGbinder is continuing to grow as companies realize LOGbinder bridges the gap between these applications and their infosec team. Visit LOGbinder.com to download a free 30-day fully functional trial and see the security event data that you have literally been missing.

So, without further ado, here’s the chart of MS patches this month.

Patch data provided by:

| Technology | Products Affected | Severity | Reference | Workaround/ Exploited | Vulnerability Info |
|---|---|---|---|---|---|
| IE | IE 11 | Critical | CVE-2021-26419 | *Workaround: No; **Public: No; Exploited: No | Remote Code Execution |
| Visual Studio | Visual Studio 2019, 2019 for Mac, Code, Code Remote – Containers Extension | Important | CVE-2021-27068, CVE-2021-31204**, CVE-2021-31211, CVE-2021-31213, CVE-2021-31214 | *Workaround: No; **Public: Yes; Exploited: No | Remote Code Execution; Elevation of Privilege |
| .Net | .NET 5.0; .NET Core 3.1 | Important | CVE-2021-31204** | *Workaround: No; **Public: Yes; Exploited: No | Elevation of Privilege |
| Exchange | Server 2013, 2016, 2019 | Important | CVE-2021-31195, CVE-2021-31198, CVE-2021-31207**, CVE-2021-31209 | *Workaround: No; **Public: Yes; Exploited: No | Remote Code Execution; Security Feature Bypass; Spoofing |
| Azure | Microsoft Accessibility Insights for Web | Important | CVE-2021-31936 | *Workaround: No; **Public: No; Exploited: No | Information Disclosure |
| Dynamics | Dynamics 365 for Finance and Operations | Important | CVE-2021-28461 | *Workaround: No; **Public: No; Exploited: No | Spoofing |
| Office | 365 Apps for Enterprise; Excel 2013, 2016; Lync Server 2013; Office 2013, 2016, 2019, 2019 for Mac; Online Server; Web Apps Server 2013; SharePoint Enterprise Server 2013, Foundation 2013; Word 2013, 2016; Skype for Business 2015, 2019 | Important | CVE-2021-26418, CVE-2021-26421, CVE-2021-26422, CVE-2021-28455, CVE-2021-28474, CVE-2021-28478, CVE-2021-31171, CVE-2021-31172, CVE-2021-31173, CVE-2021-31174, CVE-2021-31175, CVE-2021-31176, CVE-2021-31177, CVE-2021-31178, CVE-2021-31179, CVE-2021-31180, CVE-2021-31181 | *Workaround: No; **Public: No; Exploited: No | Information Disclosure; Remote Code Execution; Spoofing |
| Windows | Windows 8.1, RT 8.1, 10; Server 2012, 2016, 2019 | Critical | CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2021-28455, CVE-2021-28465, CVE-2021-28476, CVE-2021-28479, CVE-2021-31165, CVE-2021-31166, CVE-2021-31167, CVE-2021-31168, CVE-2021-31169, CVE-2021-31170, CVE-2021-31182, CVE-2021-31184, CVE-2021-31185, CVE-2021-31186, CVE-2021-31187, CVE-2021-31188, CVE-2021-31190, CVE-2021-31191, CVE-2021-31192, CVE-2021-31193, CVE-2021-31194, CVE-2021-31205, CVE-2021-31208 | *Workaround: No; **Public: No; Exploited: No | Remote Code Execution; Elevation of Privilege; Information Disclosure; Spoofing; Denial of Service; Security Feature Bypass |