Patch Tuesday May 2021

Jordan Hammond Fun Headshot
Jordan Hammond|Updated May 19, 2021
Patch Tuesday May 2021
Patch Tuesday May 2021

It is time once again to patch your systems. This month does appear to be light in the total number of CVE’s patched with 55 total patched and only 4 of them critical. However, those 4 critical patches are pretty bad, with 2 of them rating higher than 9.8 out of 10. On the bright side, none of these have been actively exploited yet. Three exploits are already publicly known, but none of those are the critical exploits. On top of the Windows patches, we have a zero-day for Adobe Reader that is already being actively used. Let’s dive right into the Highlights and see how bad it really is.

Patch Tuesday May 2021 Lowlights

Some Highlights (Or Lowlights)

CVE-2021-28476 - This is by far the highest-rated threat, coming in at a 9.9 out of 10. So those of you that use Hyper-V may want to take some extra notice. This allows a guest vm to force the Hyper-V host's kernel to read from an arbitrary, potentially invalid address. This makes it possible to read from a memory mapped device register corresponding to a hardware device attached to the Hyper-V host which may trigger additional hardware device specific side effects that could compromise the Hyper-V host's security. I am not even sure how all of this would work. I was lost enough that I took the description right from the vulnerabilities page. While I may be a little lost in the weeds on it, those that have ill intent might have a much firmer grasp, and it would not be 9.9 if not serious.

CVE-2021-31166 - This one is only slightly lower-ranked at 9.8, but it impacts a far wider variety of machines. Microsoft has given us far less information about this one, but with the attack vector being remote execution on the HTTP protocol, and no user interaction required, it seems very likely this one is wormable. With a low complexity rating, I would say this could become really bad if not patched quickly.

CVE-2021-28550 - This is my first time adding a non-Windows patch to the lowlights. This is the currently used Adobe bug, it allows users to run arbitrary code in the current user’s context.  While they may be slightly limited if your users are not admins, that does not mean completely limited, and it would be possible to use the arbitrary code to elevate their privileges, please consider moving up your patch timeline for Adobe for this one.

Non-Windows News

In all of the months I did patch Tuesday, I never had to point out anything outside of the windows patching until last month. Now here we are again! Adobe Reader zero-day was announced today, and it is actively being exploited. In cases like this it is recommended you patch ASAP. I know we all hate cutting out testing, but users that have Adobe Reader are a serious risk until patched. If you are looking for which machines in your environment have Reader installed, PDQ Inventory has a prebuilt collection that will give you the entire list. PDQ Deploy can let you send out the update in just a few minutes to make sure you are as secure as possible.

In Review

We have made it through another month, and it is clear that we are making up for quantity with quality. This month has some doozies! While none of the Windows exploits being patched are currently being used, there are 2 that are extremely dangerous, and 3 others are publicly known. Adobe has filled in the currently exploited void for us. It is nice when companies work together! Speaking of working together, PDQ Deploy and Inventory work wonders on keeping your systems patched and helping you identify those that have fallen behind on the times. With exploits this bad getting closed this month there has never been a better time to check them out.

*Highlights Magazine is a trademark of "Highlights For Children". Lowlights Magazine is a dripping satire and should be recognized as such.


Jordan Hammond Fun Headshot
Jordan Hammond

Jordan had spent his life wondering why tasks he didn’t like to do had no options to complete themselves. Eventually he had to make that happen on his own. It turned out that he enjoyed making tasks complete themselves, and PDQ thought that is something he should talk about on the internet while drinking most Thursdays on the PDQ webcast.

Related Articles