May 2021 Patch Tuesday: Adobe fixes exploited Reader 0-day, Microsoft patches 55 holes
On this May 2021 Patch Tuesday:
- Adobe has fixed a Reader flaw exploited in attacks in the wild, as well as delivered security updates for eleven other products, including Magento, Adobe InDesign, Adobe After Effects, Adobe Creative Cloud Desktop Application, and others
- Microsoft has plugged 55 security holes, none actively exploited
- SAP has released 14 new and updated security patches
Adobe updates
Adobe has released security updates for 12 of its products, fixing a total of 44 CVE-numbered flaws.
The updates that should be prioritized are those for Adobe Acrobat and Reader for Windows and macOS, because they fix a number of critical and important vulnerabilities in a widely used product that has often been targeted by attackers. Another good reason is that one of these – CVE-2021-28550 – “has been exploited in the wild in limited attacks targeting Adobe Reader users on Windows.”
According to Adobe, the Experience Manager should be next, as the product has historically been at elevated risk. The update solves two flaws, one of which – CVE-2021-21084 – could allow attackers to execute arbitrary JavaScript in the user’s browser.
The rest of the updates can be implemented in due time, as most of those products are very specific and are rarely (if ever) targeted. Though flaws in Magento are often exploited, the ones fixed in this update are not critical.
Microsoft updates
Microsoft delivered a lighter than usual load of updates on this May 2021 Patch Tuesday, though it covers a wide variety of products.
In all, 55 vulnerabilities have been fixed: 4 are rated critical, 3 were publicly known before the patch, and (luckily) none is currently known to be exploited by attackers.
Dustin Childs of Trend Micro’s Zero Day Initiative advises administrators to prioritize the patches for:
- CVE-2021-31166 – an HTTP Protocol Stack RCE
- CVE-2021-28476 – a Hyper-V RCE
- CVE-2021-27068 – a Visual Studio RCE
- CVE-2020-24587 – a Windows Wireless Networking information disclosure bug
The first, because it can be exploited by sending a specially crafted packet to an affected server (including Windows 10, when configured as a web server) and because it’s wormable. The second, because it’s been deemed highly critical (though more likely to be exploited for DoS than RCE).
The third, because an attacker would need only low privileges and no user interaction to exploit it, and the complexity of the attack has been categorized as “low”. The fourth, because it could allow an attacker to disclose the contents of encrypted wireless packets on an affected system.
This last one is also part of a batch of security vulnerabilities affecting Wi-Fi devices that were unearthed and reported by Mathy Vanhoef, a postdoctoral researcher at New York University Abu Dhabi.
Finally, administrators should consider a quick implementation of updates for Microsoft Exchange Server and Microsoft SharePoint Server, as they are often targeted by attackers.
Kevin Breen, Director of Cyber Threat Research at Immersive Labs, also advises quick patching of CVE-2021-26419, a Scripting Engine memory corruption vulnerability affecting Internet Explorer 11.
“To trigger the vulnerability, a user would have to visit a site that is controlled by the attacker, although Microsoft also recognizes that it could be triggered by embedding ActiveX controls in Office Documents,” he noted.
“If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.”
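One way to apply the restriction Breen describes is Internet Explorer’s Enterprise Mode Site List together with the policy that sends every site not on the list to Microsoft Edge. The script below is an added illustration, not part of the article or any vendor’s code: the hostnames, the list path and the registry value names for the two policies are assumptions that should be checked against your own ADMX templates before deployment.

```powershell
# Added example: confine IE11 to a fixed set of legacy application hosts.
# $LegacyHosts and $SiteListPath are placeholders for your environment.
$LegacyHosts  = @('legacy-erp.corp.example', 'timesheet.corp.example')
$SiteListPath = 'C:\ProgramData\IE\EnterpriseModeSiteList.xml'

# Build an Enterprise Mode site list (schema v.2): each host opens in IE11,
# in IE8 Enterprise document mode. Everything else is not listed.
$sites = ($LegacyHosts | ForEach-Object {
    "  <site url=`"$_`">`n    <compat-mode>IE8Enterprise</compat-mode>`n    <open-in>IE11</open-in>`n  </site>"
}) -join "`n"
$xml = @"
<site-list version="1">
$sites
</site-list>
"@
New-Item -ItemType Directory -Force -Path (Split-Path $SiteListPath) | Out-Null
Set-Content -Path $SiteListPath -Value $xml -Encoding UTF8

# Policy keys under HKLM\...\Internet Explorer\Main\EnterpriseMode:
#   SiteList   = path or URL of the XML above ("Use the Enterprise Mode IE website list")
#   RestrictIE = 1 ("Send all sites not included in the Enterprise Mode Site List to Microsoft Edge")
# Assumption: value names as in the current IE/Edge ADMX; verify before rollout.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Internet Explorer\Main\EnterpriseMode'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name 'SiteList'   -Value $SiteListPath -Type String
Set-ItemProperty -Path $PolicyKey -Name 'RestrictIE' -Value 1             -Type DWord

# Quick check: confirm the list parses and both policies are in place.
[xml]$parsed = Get-Content $SiteListPath
"{0} legacy site(s) listed; RestrictIE={1}" -f $parsed.'site-list'.site.Count,
    (Get-ItemProperty $PolicyKey).RestrictIE
```

Run as an administrator on a test machine first; in production the same two values are normally set through a Group Policy Object rather than a local script.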
SAP updates
SAP has released 14 new and updated security patches.
The most crucial updates in this batch are for SAP Business Client (fixing a flaw in the Google Chromium browser control delivered with it), SAP Commerce (fixing an RCE), and SAP Business Warehouse and SAP BW/4HANA.