Microsoft released its May Patch Tuesday update this week, with a total of 38 security fixes, including three zero-day vulnerabilities. The first zero-day vulnerability, tracked as CVE-2021-33742, is a Windows NTFS Elevation of Privilege (EoP) vulnerability. The second, tracked as CVE-2021-31201, is a Windows SMBv3 Elevation of Privilege (EoP) vulnerability. The third and final zero-day, tracked as CVE-2021-31199, is a Microsoft Exchange Server Remote Code Execution (RCE) vulnerability. Read on to learn more.
Of the three zero-day vulnerabilities, two were actively exploited in attacks and one was publicly disclosed before a patch was available.
The two actively exploited zero-day vulnerabilities addressed in this update are:
The flaw was given a CVSSv3 score of 6.7. Exploiting this vulnerability requires an attacker to have administrative rights or physical access to the vulnerable device; therefore, Microsoft has rated this as “Exploitation Less Likely” according to its Exploitability Index.
Microsoft also released a security update for one publicly disclosed zero-day vulnerability that was not actively exploited:
The vulnerability lies in the processing of RTF documents and emails. Microsoft said that the Preview Pane feature in Microsoft Outlook and Office is a vector for exploitation. An unauthenticated, remote attacker can exploit this vulnerability by sending a specially crafted document to a vulnerable system. However, the vulnerability is considered highly complex to exploit.
The complete list of resolved vulnerabilities in the May 2023 Patch Tuesday updates can be found in the full report.
Nuspire applies patches when released in accordance with vendor recommendations.
Organizations should review the Microsoft May 2023 Patch Tuesday security updates, apply patches to affected systems as soon as possible and regularly scan the environment to identify those systems yet to be patched.
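One way to carry out the "scan the environment" step above is to compare the hotfixes installed on each host against the KB IDs from the Microsoft release notes. The following PowerShell is an added example, not code from the Nuspire post; the KB value and host names are placeholders you would replace with the KB IDs for your OS builds and with hosts from your inventory.

```powershell
# Added example (not from the original post). Reports which hosts still lack
# a given set of Windows updates. KB ID below is a PLACEHOLDER: replace it with
# the KB numbers listed in the Microsoft release notes for each OS build.
$ExpectedKBs = @('KB0000000')   # placeholder, not a real May 2023 KB

function Get-MissingPatches {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [string[]] $ExpectedKB
    )
    foreach ($computer in $ComputerName) {
        try {
            # Get-HotFix queries Win32_QuickFixEngineering on the remote host
            # over WMI/DCOM; it throws if the host is unreachable or access is denied.
            $installed = (Get-HotFix -ComputerName $computer -ErrorAction Stop).HotFixID
        } catch {
            # Surface unreachable hosts rather than silently skipping them,
            # since an unscanned host is not the same as a patched host.
            [pscustomobject]@{
                ComputerName = $computer
                Status       = 'Unreachable'
                MissingKB    = $null
                Error        = $_.Exception.Message
            }
            continue
        }
        $missing = $ExpectedKB | Where-Object { $_ -notin $installed }
        [pscustomobject]@{
            ComputerName = $computer
            Status       = if ($missing) { 'Unpatched' } else { 'Patched' }
            MissingKB    = ($missing -join ', ')
            Error        = $null
        }
    }
}

# Usage: constructed sample host names; in practice read them from Active
# Directory (Get-ADComputer) or an asset inventory export.
$hosts = @('server01', 'server02')
Get-MissingPatches -ComputerName $hosts -ExpectedKB $ExpectedKBs |
    Where-Object Status -ne 'Patched' |
    Format-Table -AutoSize
```

Two caveats a practitioner would want: the query depends on WMI/DCOM being reachable, so "Unreachable" rows need to be followed up rather than discarded, and because cumulative updates supersede one another, a host that has installed a later cumulative update is patched even though the specific KB is not listed. For that reason, comparing the OS build and update build revision (UBR) against the build numbers in the release notes is the more reliable check on Windows 10 and later; the hotfix comparison above is a quick first pass.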