Patch Tuesday Highlights - May 2021

0 Likes
5 months ago

Microsoft provided fixes for 55 vulnerabilities with its May Patch Tuesday updates, including fixes for three publicly disclosed vulnerabilities. Adobe released patches for 14 vulnerabilities, including one known exploited (Zero-Day) vulnerability in Acrobat and Reader so you’ll want to make sure to apply the Adobe patches this month. Here’s our callout of security updates and issues we think you’ll want to be aware of.

Newsworthy Events

  • I mentioned in last month’s Patch Tuesday Highlights that Pwn2Own 2021 took place in early April and we could expect to see patches from various vendors over the coming months to resolve the exploited vulnerabilities. This month, Microsoft released a Microsoft Exchange update that fixes the Exchange security feature bypass vulnerability (CVE-2021-31207) that was exploited.
  • The Colonial Pipeline cyberattack early this month has disrupted oil transportation in the U.S. Kelly Sheridan at darkreading.com has an interesting article about the Colonial Pipeline attack and the industrial sector’s vulnerability to increasing cyberattacks. Charlie Osborne at zdnet.com published a similarly good read. This attack is another reminder of the importance of keeping up-to-date on patch maintenance.
  • Three Windows OS versions reached their End of Support date this month, which means that May is the last month with security updates for these versions: Windows 10 versions 1803|1809 (Enterprise and Education) and Windows Server version 1909.

Quick Take

  • Microsoft released fixes for 55 vulnerabilities, including three publicly disclosed:
  • Adobe released fixes for 14 vulnerabilities in Acrobat and Reader, including one known exploited (Zero Day) vulnerability:
    • CVE-2021-28550 Adobe Acrobat and Reader Arbitrary Code Execution: This has an Adobe Priority 1 rating and should be addressed as quickly as possible. Affects Acrobat DC, Acrobat Reader DC, Acrobat Reader 202, Acrobat 2017, Acrobat Reader 2017 on Windows and macOS.
  • Servicing Stack Update this month: Windows 10 1803|1809|1909 and Windows Server 2019. As a reminder, Servicing Stack Updates for Windows 10 2004 and newer versions are included in the monthly Cumulative Update so are no longer tracked separately.

Windows Server 2019 Updates

  • There is a new Servicing Stack Update (KB5003243). It is not a prerequisite for May updates but we recommend that you install it this month in case it is required for June updates.
  • CRITICAL Severity: The cumulative update (KB5003171) resolves 18 new CVEs, none of which are publicly disclosed or known exploited.

Windows Server 2016 Updates

  • CRITICAL Severity: The cumulative update (KB50039197) resolves 14 new CVEs, none of which are publicly disclosed or known exploited.

Windows 10 Updates

  • There are new Servicing Stack Update for versions 1803 (KB5003364), 1809 (KB5003243), and 1909 (KB5003244). The Servicing Stack Update is not a prerequisite for applying May updates but we recommend that you install it this month in case it is required for June updates.
  • CRITICAL Severity: The cumulative update (KB number varies by version) resolves up to 26 new CVEs, none of which are publicly disclosed or known exploited.

Windows 8.1 / Windows Server 2012 R2 Updates

  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5003209) resolves 13 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Security Only Quality Update (KB5003220) resolves 12 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5003165) resolves 1 new critical CVEs (CVE-2021-26419); it is not publicly disclosed or known exploited. Apply it with the Security Only Quality Update (KB5003220). It is not needed with the Security Monthly Quality Rollup (KB5003209).

Windows Server 2012 Updates

  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5003208) resolves 12 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Security Only Quality Update (KB5003203) resolves 11 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5003165) resolves 1 new critical CVEs (CVE-2021-26419); it is not publicly disclosed or known exploited. Apply it with the Security Only Quality Update (KB5003203). It is not needed with the Security Monthly Quality Rollup (KB5003208).

Windows 7 / Windows Server 2008 R2 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5003233) resolves 12 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Security Only Quality Update (KB45003228) resolves 11 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 11 (KB5003165) resolves 1 new critical CVEs (CVE-2021-26419); it is not publicly disclosed or known exploited. Apply it with the Security Only Quality Update (KB5003228). It is not needed with the Security Monthly Quality Rollup (KB5003233).

Windows Server 2008 Extended Security Updates

  • These updates can only be installed on devices that have an active ESU MAK license.
  • In ZENworks Patch Management, these updates only show up in the feed if you have purchased the ZENworks Patch Management Add-On Subscription for Windows 7 / Windows Server 2008 Extended Security Updates. Otherwise, you must download them from the Microsoft Update Catalog and use the Custom Patch feature to create the patch. For more details, see Installing Windows 7 / Windows Server 2008 Extended Security Updates with ZENworks Patch Management.
  • CRITICAL Severity: The Security Monthly Quality Rollup (KB5003210) resolves 11 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Security Only Quality Update (KB5003225) resolves 10 new CVEs, none of which are publicly disclosed or known exploited.
  • CRITICAL Severity: The Cumulative Security Update for Internet Explorer 9 (KB5003165) resolves 1 new critical CVEs (CVE-2021-26419); it is not publicly disclosed or known exploited. Apply it with the Security Only Quality Update (KB5003225). It is not needed with the Security Monthly Quality Rollup (KB5003210).

Microsoft Exchange Server

Microsoft SharePoint Server

Microsoft Office 2010–2016 (Windows) and 2016-2019 (Mac)

  • IMPORTANT Severity: The Security Update resolves up to 10 CVEs depending on the version. None have public disclosures or known exploits.

Microsoft 365 Apps (formerly Office 365 ProPlus) and Office 2019

Adobe Acrobat and Reader

  • CRITICAL Severity: CVE-2021-28550 Adobe Acrobat and Reader Arbitrary Code Execution: This has an Adobe Priority 1 rating and should be addressed as quickly as possible. Affects Acrobat DC, Acrobat Reader DC, Acrobat Reader 202, Acrobat 2017, Acrobat Reader 2017 on Windows and macOS.

Third-Party Security Updates

  • Amazon Corretto 8.292.10.1 for Windows (resolves 2 CVEs)
  • Apache OpenOffice 4.1.9 (resolves 1 CVE)
  • Apple iTunes 12.11.3 for Windows (resolves 4 CVEs)
  • Google Chrome 90.0.4430.212 (resolves 15 CVEs)
  • Mozilla Firefox 88.0.1 (resolves 2 CVEs)
  • Mozilla Firefox 78.10.1 ESR (resolves 1 CVE)
  • Mozilla SeaMonkey 2.53.7 (resolves 14 CVEs)
  • Mozilla Thunderbird 78.10.1 (resolves 1 CVE)
  • Oracle VirtualBox 6.1.20 (resolves 20 CVEs)

Labels:

Patch Management
Comment List
Anonymous
Related Discussions
Recommended