Microsoft and Security: Bondo, Lead, or Duct Tape?

May 17, 2021

This round of updates will not fix all of Exchange’s vulnerabilities, but we may be getting closer to some semblance of security. The Register reports, “Microsoft Emits More Fixes for Exchange Server Plus Patches for Remote-Code Exec Holes in HTTP Stack, Visual Studio.” This release includes 55 CVE fixes for 32 MS apps and services, down from the 114 fixes released in April. Writer Thomas Claburn elaborates:

“Among the 55 CVEs identified by Microsoft, four are rated critical, 50 are rated important, and one is rated moderate. Those who recall the slew of Exchange Server fixes in March and April may experience a sense of deja vu: May brings still more Exchange Server fixes, for Exchange Server 2013 CU23, Exchange Server 2016 CU19 and CU20, and Exchange Server 2019 CU8 and CU9. The four Exchange bugs are all rated moderate; one, a security-feature bypass (CVE-2021-31207), is already publicly known. Dustin Childs, director of communications for the Zero Day Initiative, observes in an advisory that a number of Exchange bugs came out of the recent Pwn2Own exploit contest. ‘More Exchange patches are expected as not everything disclosed at the contest has been addressed,’ he said. Aware that state-sponsored miscreants have been breaking into Exchange Servers via earlier vulnerabilities, Microsoft said while it’s not aware of any active exploitation of these latest flaws, ‘our recommendation is to install these updates immediately to protect your environment.’”

Good idea. Childs points to several more vulnerabilities that warrant immediate attention in HTTP Protocol Stack, Hyper-V, Visual Studio, and Windows Wireless Networking. There are also two that depend on their victims accessing a website—an OLE Automation remote code execution vulnerability and a Scripting Engine memory corruption vulnerability. Will it be another month before Microsoft addresses these?

Cynthia Murrell, May 17, 2021

Comments

Comments are closed.

  • Archives

  • Recent Posts

  • Meta