Browser updates are back for the May's Patch Tuesday

Credit to Author: Greg Lambert| Date: Fri, 14 May 2021 12:37:00 -0700

With 55 updates, three publicly reported vulnerabilities and reported public exploits for Adobe Reader, this week’s Patch Tuesday update will require some time and testing before deployment. There are some tough testing scenarios (we’re looking at you, OLE) and kernel updates make for risky deployments. Focus on the IE and Adobe Reader patches — and take your time with the (technically challenging) Exchange and Windows updates.

Speaking of taking your time, if you’re still Windows 10 1909, this is your last month of security updates. 

The three publicly disclosed vulnerabilities this month include:

You can find this information summarized in this infographic.

There are no reported high-risk changes to the Windows platform this month.  For this patch cycle we have divided our testing guide into two sections:

Microsoft Office

Windows desktop and server platforms

And here’s the testing scenario that should bring joy to the hearts of all desktop (and server) engineers: you need to test OLE automation this month. What does this mean? Roughly it translates to finding (and testing) the key business logic in core, internally developed business-critical apps that rely on complex, multiple, interdependent components that sometimes need a remote service from a little-known server that is still running a very, very specific version of Visual Basic 5.

Each month, Microsoft includes a list of known issues that relate to the operating system and platforms included in this update cycle. Here are a few key issues that relate to the latest builds from Microsoft, including:

You can also find Microsoft’s summary of known issues for this release in a single page.

Microsoft has not (as of May 14) published any major revisions for this Update Tuesday release.

So far, it does not appear that Microsoft has published any mitigations or work-arounds for this April release. 

Each month, we break down the update cycle into product families (as defined by Microsoft) with the following basic groupings:

Browser updates are back with a vengeance. And, this time it’s personal. Holy cow: 35 critical updates for Edge (the Chromium version) and a critical update for Internet Explorer 11 (IE11). All of the reported vulnerabilities could lead to a remote code execution scenario. All of them.

The Chromium updates should be relatively easy to deploy due to the Chromium project’s separation from the desktop operating system. The IE11 update is a complete refresh of the binaries. Any legacy apps will need to be tested against this new build. Add this update to your Patch Now release effort.

Microsoft released three updates rated as critical and 22 rated as important for this cycle. The critical patches address issues in Hyper-V, how Windows handles HTTP requests, and OLE automation server issues. We don’t see an urgent need to rate these reported vulnerabilities as “Patch Now,” and we think that some testing will be required before production deployment. Further adding to these concerns, Microsoft has published a few minor UI issues with this update:

“The May Windows update might cause scroll bar controls to appear blank on the screen and not function. This issue affects 32-bit applications running on 64-bit Windows 10 (WOW64) that create scroll bars using a superclass of the USER32.DLL SCROLLBAR window class. In addition, a memory usage increase of up to 4 GB might occur in 64-bit applications when you create a scroll bar control.”

This month’s security updates cover the following core Windows functional areas:

The patch that wins the highest rating this month is CVE-2021-31194 — a serious vulnerability in the Microsoft OLE automation engine. This update will be a tough one to test as you will need to find an application with an OLE server and compare the results across the two builds. Microsoft has also provided some guidance on removing remote access to JET databases, whichcan be found here. Add these Windows updates to your standard release cycle with an emphasis on testing your core business apps for OLE, JET, and Hyper-V dependencies.

This month’s patches and updates to the Microsoft Office productivity platform affect the following baseline versions:

We get an easy ride this month with Office patches. No critical rated vulnerabilities and only 17 rated important. If you are still using JET databases, you will need to ensure that you have removed remote access with this support note from Microsoft. Add these relatively minor patches to your standard Office update schedule.

After you have updated Adobe Reader (see below), you will need to spend some time with Microsoft’s latest Exchange server update. With three updates rated as important, and a single patch published as moderate, this update cycle is paired with some serious spoofing and security bypass issues.

Microsoft has released the following note on the technical challenge of updating your Exchange server, including, “When you try to manually install this security update by double-clicking the update file (.MSP) to run it in Normal mode (that is, not as an administrator), some files are not correctly updated. When this issue occurs, you don’t receive an error message or any indication that the security update was not correctly installed. However, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) might stop working.”

Take your time, these issues are not time-sensitive (like last month). We are still hearing and experiencing Exchange server update issues and though we don’t expect compatibility or functionality issues with this Exchange update, getting the logistics right with this May update may require some thinking. Add this Exchange Server update to your regular patch release regime.

Microsoft has published five development tool updates — all rated as important — affecting Visual Studio and Microsoft .NET (which has an inter-linking dependency back to Visual Studio). The following specific product groups are patched this month:

The update to Visual Studios Container component (CVE-2021-31204) probably requires the most attention this month, due to the public reporting of this remote code execution vulnerability. The remaining four issues require user interaction and local access to the target system (hence, the important rating from Microsoft). Add these updates to your standard development update release cycle.

While Microsoft has not included an Adobe patch in its release cycle, there has been a critical patch to Adobe Reader in Adobe’s latest patch update. Adobe has reported that the vulnerability CVE-2021-28550 has been exploited in the wild. Unfortunately, this makes the Adobe issue a zero-day that affects all Microsoft devices with a remote code execution vulnerability that could result in complete access to the compromised system.

Add the Adobe Reader update to your “Patch Now” release schedule. And, yes, I really did think that we could retire this section. Maybe next time.