Microsoft today released fixes to plug at least 55 security holes in its Windows operating systems and other software. Four of these weaknesses can be exploited by malware and malcontents to seize complete, remote control over vulnerable systems without any help from users. On deck this month are patches to quash a wormable flaw, a creepy wireless bug, and yet another reason to call for the death of Microsoft’s Internet Explorer (IE) web browser.
While May brings about half the normal volume of updates from Microsoft, there are some notable weaknesses that deserve prompt attention, particularly from enterprises. By all accounts, the most pressing priority this month is CVE-2021-31166, a Windows 10 and Windows Server flaw which allows an unauthenticated attacker to remotely execute malicious code at the operating system level. With this weakness, an attacker could compromise a host simply by sending it a specially-crafted packet of data.
“That makes this bug wormable, with even Microsoft calling that out in their write-up,” said Dustin Childs, with Trend Micro’s ZDI program. “Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.”
Kevin Breen from Immersive Labs said the fact that this one is just 0.2 points away from a perfect 10 CVSS score should be enough to identify just how important it is to patch.
“For ransomware operators, this kind of vulnerability is a prime target for exploitation,” Breen said. “Wormable exploits should always be a high priority, especially if they are for services that are designed to be public facing. As this specific exploit would not require any form of authentication, it’s even more appealing for attackers, and any organization using HTTP.sys protocol stack should prioritize this patch.”
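As a defender's triage step for the HTTP.sys flaw discussed above, here is a PowerShell check added to this post (it is not code from Microsoft or from the researchers quoted): it reports whether one of the May 2021 cumulative updates is installed and whether HTTP.sys is currently serving any URLs on the host. The KB numbers are the two that appear in the comment thread below; their mapping to Windows 10 builds is my assumption, and other builds have their own KB.

```powershell
# Triage for CVE-2021-31166 (HTTP.sys RCE) on a Windows 10 / Server host.
# Added example for this post; not from the article or its commenters.
# Assumption: KB5003173 (Windows 10 2004/20H2/21H1) and KB5003169 (1909)
# are the May 2021 cumulative updates; extend the list for other builds.

$MayKbs = @('KB5003173', 'KB5003169')   # KB IDs taken from the comments
$report = [ordered]@{}

# 1. Is one of the May 2021 cumulative updates installed?
$installed = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $MayKbs -contains $_.HotFixID }
$report['MayUpdateInstalled'] = [bool]$installed
$report['Build'] = (Get-CimInstance Win32_OperatingSystem).BuildNumber

# 2. Is the HTTP.sys driver loaded? It is a kernel driver, so Get-Service
#    does not list it; Win32_SystemDriver does.
$http = Get-CimInstance Win32_SystemDriver -Filter "Name='HTTP'"
$report['HttpSysRunning'] = ($http.State -eq 'Running')

# 3. Which URLs are registered with HTTP.sys right now? IIS is not the
#    only consumer: WinRM (5985/5986), WSUS, SQL Reporting Services and
#    many self-hosted .NET services all listen through HTTP.sys, which is
#    why a "workstation" can still be a reachable HTTP.sys endpoint.
$urls = @()
if ($report['HttpSysRunning']) {
    $urls = netsh http show servicestate view=requestq 2>$null |
        Where-Object { $_ -match '^\s*HTTPS?://' } |
        ForEach-Object { $_.Trim() } | Sort-Object -Unique
}
$report['RegisteredUrls'] = $urls

# 4. Verdict: the host is serving via HTTP.sys and the fix is absent.
$report['NeedsPatchNow'] = ($urls.Count -gt 0) -and
                           (-not $report['MayUpdateInstalled'])

[pscustomobject]$report | Format-List
```

Run it elevated so that `netsh http show servicestate` can read the full request-queue view; a host with `NeedsPatchNow = True` belongs at the top of the test-and-deploy list.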
Breen also called attention to CVE-2021-26419 — a vulnerability in Internet Explorer 11 — to make the case for why IE needs to stand for “Internet Exploder.” To trigger this vulnerability, a user would have to visit a site that is controlled by the attacker, although Microsoft also recognizes that it could be triggered by embedding ActiveX controls in Office Documents.
“IE needs to die – and I’m not the only one that thinks so,” Breen said. “If you are an organization that has to provide IE11 to support legacy applications, consider enforcing a policy on the users that restricts the domains that can be accessed by IE11 to only those legacy applications. All other web browsing should be performed with a supported browser.”
Another curious bug fixed this month is CVE-2020-24587, described as a “Windows Wireless Networking Information Disclosure Vulnerability.” ZDI’s Childs said this one has the potential to be pretty damaging.
“This patch fixes a vulnerability that could allow an attacker to disclose the contents of encrypted wireless packets on an affected system,” he said. “It’s not clear what the range on such an attack would be, but you should assume some proximity is needed. You’ll also note this CVE is from 2020, which could indicate Microsoft has been working on this fix for some time.”
Microsoft also patched four more security holes in its Exchange Server corporate email platform, which recently was besieged by attacks on four other zero-day Exchange flaws that resulted in hundreds of thousands of servers worldwide getting hacked. One of the bugs is credited to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March.
“While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organizations that have yet to update their systems should do so as soon as possible,” said Satnam Narang, staff research engineer at Tenable.
As always, it’s a good idea for Windows users to get in the habit of updating at least once a month, but for regular users (read: not enterprises) it’s usually safe to wait a few days until after the patches are released, so that Microsoft has time to iron out any kinks in the new armor.
But before you update, please make sure you have backed up your system and/or important files. It’s not uncommon for a Windows update package to hose one’s system or prevent it from booting properly, and some updates have been known to erase or corrupt files.
So do yourself a favor and back up before installing any patches. Windows 10 even has some built-in tools to help you do that, either on a per-file/folder basis or by making a complete and bootable copy of your hard drive all at once.
And if you wish to ensure Windows has been set to pause updating so you can back up your files and/or system before the operating system decides to reboot and install patches on its own schedule, see this guide.
If you experience glitches or problems installing any of these patches this month, please consider leaving a comment about it below; there’s a better-than-even chance other readers have experienced the same and may chime in here with some helpful tips.
I installed the May KB5003173. It hosed my Outlook 365 install. Text would not show in body. Pictures would. Removing patch did not work. Updating Office 365 did not work. I had to uninstall and reinstall Office 365.
Run this command (it is a downgrade but a fix). I had multiple clients reporting the same issue:
*******
"C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe" /update user updatetoversion=16.0.13901.20462
Yes, the May 2021 update for Office 365/2019/2016 breaks Outlook. A workaround is to revert back to the April 2021 version. Instructions from the link below will fix the issue for now, or until Microsoft fixes the update!
https://www.slipstick.com/outlook/uninstall-update-office-click-run/
We’re using Office Standard 2019 and have not seen any problems after installing the Windows update.
Online Repair seems to have fixed the issue for me.
Although I had *already* delayed Windows Updates until June, my Outlook 2019 suffered this same problem. And here I thought my local machine client license would tend to inoculate Outlook and Office from cloud network breakage by Microsoft. Nope.
This is/was an unrelated Office 365 Outlook application problem, several of our customers experienced it as well.
If no one else has answered with this: you can also revert to the previous version of Outlook. Instructions are on the web.
Broke my third-party badge reader (singalong, you know this tune) that has a 2H20 machine running only Python, Chrome, and WLIR. The machine knows it has a reader, but no response otherwise when swiping. Have reseated everything.
I go back to the DOS days (and even before that) and still use windows at work but I’m grateful I decided to check out Apple with a laptop in 2003 and then my first desktop in 2008. Updates just go smoothly in my 12 years using them.
When work pushes out security updates/patches it seems to be a painful process where I have to sit through multiple reboots or forced power downs before it finally is installed. Based on every employee going through that I’m sure the company has a serious hidden cost in using Windows. Personally I think in tech areas the employee should be able to pick their OS and computer.
Computer powered on/ active hours set/ updates during non-usage time/ updates don’t take long anyway/ Windows is a lot better system than it was a couple of decades ago. Can’t honestly say that about iOS or Linux. There is no serious “Hidden Cost”. Windows 10 is the best operating system available. Yes, I am biased. I have used them all, Windows is just better overall.
“Windows is just better overall” = Bullsh in any actual metric you list, as a 25+ years user of all of it since 3.1.
Obviously OSX and iOS AND Linux kick the security and privacy tar out of any version of windows, that’s just math that you’re not actually doing, and the fact that you say “best” just denotes the wool you’ve pulled over your own eyes in defending your personal preference without real data in any real aspect. Windows is low lying fruit and you’re a happy scavenger, that much is apparent. Multiple months in a row last year W10 updates borked machines and clobbered files, killed 3rd party dependencies, installed and reinstalled telemetry BS without permission, the list goes on forever. Every once in a great while Apple screws up an update but it’s not in the same ballpark. You are biased sir, period. That’s fine, but if you don’t realize it you might start to.
Totally, there are so many hidden costs when using Apple products. Proprietary hardware, expensive programs, but worst of all is that if anything breaks the only fix is a factory reset. And don’t even get me started on updating an Apple. We have several in our environment and updates have broken those machines far more than any Windows machine. Out of 100+ machines running W10, a patch has caused issues maybe twice, where out of our 5 Apples in that same time I’ve had to reimage at least 5 times.
“but worst of all is that if anything breaks the only fix is a factory reset” – Is not a fact. Not even close.
That is usually the FASTEST way to get a user back to a working machine, assuming they’ve backed up.
“Proprietary hardware” – Never heard of a Mac Clone, hackintosh, etc? We know about Apple HW costs.
“expensive programs” – Lol?
“We have several in our environment and updates have broken those machines far more than any Windows machine” – I call full BS on this. Fully, entirely. User error is apparent.
https[://]www.laptopmag[.]com/news/new-macos-update-is-wrecking-macbooks-what-to-do-now and https[://]www.techradar[.]com/how-to/macos-11-big-sur-problems-how-to-fix-the-most-common-issues and other links do indeed say that Mac updates break machines.
I am not at all saying Apple has not blown it also, the question is the direct comparison with W10.
I have gripes to make with Apple also, don’t worry. That’s to skip the comparison.
Why will the Notepad app and its future updates be independent of the Windows 10 system?
Issue with no text in email body affected my laptop today. Found this forum and figured this is the cause. If I just leave the laptop alone, will MS issue a patch to fix the patch? Not comfortable doing the roll back exercise.
How did we ever get here?! I’m not an Enterprise, so I got off the merry-go-round after XP which I thought was great! Got a Chromebook in 2012 & haven’t looked back. Yeah, I know it’s not a “real” computer. Right. Maybe it’s a good thing I’m not smart enough to be a Tech pro. Well at least you made Bill & co. filthy rich!
Windows 10. The Redmond curse. Gates on top in wealth for marketing crap that does not function properly. I will stay with 7 as long as possible with no other MS crap on my clunker.
Why don’t you just install Linux and use a real OS that’s not backdoored and intentionally vulnerable. Then you won’t have any telemetry, spying, forced upgrades, etc.
I did. Linux is too difficult to navigate. Designed by geeks for use by a cult. Win 7 is more user friendly than all other OS.
Chrome 64 also had a security update today !
The ‘do no evil’ browser!
The updates bricked my main desktop. I get to the login, and it just spins. I’m going to troubleshoot later, thank goodness for fallback laptops!
KB5003173 caused issues with text and graphics in Outlook 2016 and 2019. Removing the update fixed the issues.
There must be some other variables. I’m not seeing any problems in Outlook 2019 after installing the update.
Don’t believe that’s correct – I had the issue prior to installing that update. Believe its an Outlook patch that is the root cause and rolling back to the previous build (see instructions in this thread) fixed it for me. Doing either an offline or online repair did not resolve the issue.
Can the file iexplore.exe be safely deleted from Windows 10 Pro, assuming there’s a way to get permission from TrustedInstaller transferred to the administrator?
The advice regarding these security deficiencies is descriptive only; there is little or no information on how these RCE bugs are being abused or which security features in Hyper-V are being bypassed.
To anyone saying that Outlook couldn’t read/write emails after the update: that was an update to the Microsoft 365 Apps and Office 2019. It was not related at all to this Windows update. Microsoft has since patched the former.
I’ve had multiple reports of Outlook not starting after installing KB5003169 for Windows 10 1909 from my patching test group. 20% of devices need to be rebooted before Outlook will load following the May quality update.
I’ve not released the May updates for Office 365 2008 channel yet.
Might as well make a template for articles – “Microsoft today released fixes to plug at least 55 security holes”…
–
Am I wrong, or is it gonna be this way for decades to come ?
Error 0x800f0922. If you uninstalled the new Edge before, then be certain to delete the folders left behind. Specifically delete the directories “Edge\” and below from “C:\Program Files (x86)\Microsoft\”. Otherwise the 21-05 update will fail with error 0x800f0922, then it unrolls the install, and in 24hrs will retry the update and fail again.
With the cleaned directory, the update installs edge fresh, and then it can be un-installed again after the 21-05 update.
I follow AskWoody’s advice to pause updates a few weeks–unless there is something really critical which I might install sooner if I don’t see any major issue reported here. I installed the May updates today on my notebook; since that went fine I did my desktop, too. No issues at all so far.
This last update borked my text for some reason O.o
If I go in the normal way through windows it’s fine, but if I go to upload an image or something I get this now: https://gyazo.com/63cc13d12b32afecc509cd716c288000
Never had this happen before so I don’t even know where I’d start in regards to figuring out what exactly is causing this 🙁