Microsoft security alert.
May 11, 2021
Advisory overview
Qualys Vulnerability R&D Lab has released new vulnerability checks in the Enterprise TruRisk Platform to protect organizations against 51 vulnerabilities that were fixed in 11 bulletins announced today by Microsoft. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their Qualys subscription. Visit Qualys Security Blog to prioritize remediation.
Non-Qualys customers can audit their network for these and other vulnerabilities by signing up for a Qualys Free Trial, or by trying Qualys Community Edition.
Vulnerability details
Microsoft has released 11 security bulletins to fix newly discovered flaws in their software. Qualys has released the following checks for these new vulnerabilities:
-
Microsoft Internet Explorer Security Update for May 2021
- Severity
- Serious 3
- Qualys ID
- 100415
- Vendor Reference
- KB5003165, KB5003169, KB5003171, KB5003172, KB5003173, KB5003174, KB5003197, KB5003208, KB5003209, KB5003210, KB5003233
- CVE Reference
- CVE-2021-26419
- CVSS Scores
- Base 7.6 / Temporal 6.3
- Description
-
Internet Explorer is a web-browser developed by Microsoft which is included in Microsoft Windows Operating Systems.
Microsoft has released Cumulative Security Updates for Internet Explorer which addresses various vulnerabilities found in Internet Explorer 11 (IE 11) and IE9.
KB Articles associated with the Update:
KB5003209
KB5003165
KB5003208
KB5003233
KB5003197
KB5003172
KB5003173
KB5003169
KB5003171
KB5003174QID Detection Logic (Authenticated):
This QID checks for the file version of %windir%\System32\mshtml.dll
- Consequence
- Successful exploitation of the vulnerability may allow the attacker to cause Memory Corruption.
- Solution
-
For more information, Customers are advised to refer the Security Update Guide.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-26419
-
Microsoft SharePoint Enterprise Server Multiple Vulnerabilities May 2021
- Severity
- Critical 4
- Qualys ID
- 110380
- Vendor Reference
- KB5001916, KB5001917, KB5001935
- CVE Reference
- CVE-2021-26418, CVE-2021-28474, CVE-2021-28478, CVE-2021-31171, CVE-2021-31172, CVE-2021-31173, CVE-2021-31181
- CVSS Scores
- Base 6.5 / Temporal 5.1
- Description
-
Microsoft has released May security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5001935
KB5001916
KB5001917QID Detection Logic:
This authenticated QID checks the file versions from the above Microsoft KB article with the versions on the affected SharePoint system. - Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2021
-
Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2021
- Severity
- Critical 4
- Qualys ID
- 110381
- Vendor Reference
- KB4464542, KB4493197, KB4493206, KB5001914, KB5001918, KB5001919, KB5001920, KB5001923, KB5001925, KB5001927, KB5001928, KB5001931, KB5001936
- CVE Reference
- CVE-2021-28455, CVE-2021-31174, CVE-2021-31175, CVE-2021-31176, CVE-2021-31177, CVE-2021-31178, CVE-2021-31179, CVE-2021-31180
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Microsoft has released May 2021 security updates to fix multiple security vulnerabilities.
This security update contains the following KBs:
KB5001931
KB4464542
KB5001919
KB5001928
KB5001927
KB5001936
KB5001923
KB5001918
KB5001914
KB5001925
KB5001920
KB4493206
KB4493197
QID Detection Logic:
This authenticated QID checks the file versions from the Microsoft advisory with the versions on the affected office system.Note: Office click-2-run and Office 365 installations need to be updated manually or need to be set to automatic update. There is no direct download for the patch.
- Consequence
-
Successful exploitation allows an attacker to execute code remotely.
- Solution
-
Refer to Microsoft Security Guidance for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Office and Microsoft Office Services and Web Apps Security Update May 2021
-
Microsoft Skype for Business Server Security and Lync Server Update for May 2021
- Severity
- Critical 4
- Qualys ID
- 110382
- Vendor Reference
- KB5003729
- CVE Reference
- CVE-2021-26421, CVE-2021-26422
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released updates to fix multiples updates to fix issues on Microsoft Skype for Business Server and Microsoft Lync Server..
Affected Software:
Microsoft Lync Server 2013
Skype for Business Server 2015
Microsoft Skype for Business Server 2019QID Detection Logic:
- Consequence
-
Successful exploitation of vulnerability can lead to Remote Code Execution and Spoofing attacks.
- Solution
-
Customers are advised to refer to CVE-2021-26422 and CVE-2021-26421 for more details pertaining to the vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Update Guidance
-
Visual Studio Code Remote - Containers Extension Remote Code Execution Vulnerability
- Severity
- Serious 3
- Qualys ID
- 375557
- Vendor Reference
- CVE-2021-31213
- CVE Reference
- CVE-2021-31213
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Containers Extension for Visual Studio Code prior to version 0.177.2QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of Containers Extension for Visual Studio Code. - Consequence
- A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user.
- Solution
-
Please refer to Microsoft advisory for Visual Studio Code for more details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-31213 Windows
-
Visual Studio Code Remote Code Execution Vulnerability
- Severity
- Critical 4
- Qualys ID
- 375556
- Vendor Reference
- CVE-2021-31214
- CVE Reference
- CVE-2021-31211, CVE-2021-31214
- CVSS Scores
- Base 9.3 / Temporal 6.9
- Description
-
Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux.
Affected Versions:
Visual studio code prior to version 1.56.1QID Detection Logic(Authenticated):
This QID checks for the vulnerable versions of visual studio code. - Consequence
- A local attacker who successfully exploited the vulnerability could inject arbitrary code to run in the context of the current user.
- Solution
-
Please refer to Microsoft advisory for Visual Studio Code for more details.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-31214 MAC OS X
CVE-2021-31214 Windows
-
Microsoft Exchange Server Multiple Vulnerabilities - May 2021
- Severity
- Critical 4
- Qualys ID
- 50111
- Vendor Reference
- KB5003435
- CVE Reference
- CVE-2021-31195, CVE-2021-31198, CVE-2021-31207, CVE-2021-31209
- CVSS Scores
- Base 6.8 / Temporal 5.6
- Description
-
Microsoft Exchange Server is prone to multiple vulnerabilities:
Microsoft Exchange Server Spoofing Vulnerability
Microsoft Exchange Server Security Feature Bypass Vulnerability
Microsoft Exchange Server Remote Code Execution VulnerabilityKB Articles associated with this update are: KB5003435
Affected Versions:
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 19
Microsoft Exchange Server 2016 Cumulative Update 20
Microsoft Exchange Server 2019 Cumulative Update 8
Microsoft Exchange Server 2019 Cumulative Update 9QID Detection Logic (authenticated):
The QID checks for the version of file Exsetup.exe.
- Consequence
-
Successful exploitation allows attackers to execute remote code.
- Solution
-
Customers are advised to refer to KB5000978, KB5000871 for information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
KB5003435
-
Microsoft Windows Security Update for May 2021
- Severity
- Urgent 5
- Qualys ID
- 91762
- Vendor Reference
- KB5003169, KB5003171, KB5003172, KB5003174, KB5003197, KB5003203, KB5003208, KB5003209, KB5003210, KB5003220, KB5003225, KB5003228, KB5003233
- CVE Reference
- CVE-2020-24587, CVE-2020-24588, CVE-2020-26144, CVE-2021-28476, CVE-2021-28479, CVE-2021-31165, CVE-2021-31167, CVE-2021-31168, CVE-2021-31169, CVE-2021-31170, CVE-2021-31182, CVE-2021-31184, CVE-2021-31185, CVE-2021-31186, CVE-2021-31187, CVE-2021-31188, CVE-2021-31190, CVE-2021-31191, CVE-2021-31192, CVE-2021-31193, CVE-2021-31194, CVE-2021-31205, CVE-2021-31208
- CVSS Scores
- Base 7.2 / Temporal 6
- Description
-
Microsoft releases the security update for Windows May 2021
The KB Articles associated with the update:
KB5003169
KB5003171
KB5003172
KB5003174
KB5003197
KB5003203
KB5003208
KB5003209
KB5003210
KB5003220
KB5003225
KB5003228
KB5003233
This QID checks for the file version of ntoskrnl.exe
The following versions of ntoskrnl.exe with their corresponding KBs are verified:
KB5003169 - 10.0.18362.1533
KB5003171 - 10.0.17763.1935
KB5003172 - 10.0.10240.18932
KB5003174 - 10.0.17134.2208
KB5003197 - 10.0.14393.4402
KB5003203 - 6.2.9200.23347
KB5003208 - 6.2.9200.23347
KB5003209 - 6.3.9600.20012
KB5003210 - 6.0.6003.21115
KB5003220 - 6.3.9600.20012
KB5003225 - 6.0.6003.21115
KB5003228 - 6.1.7601.24596
KB5003233 - 6.1.7601.24596
- Consequence
- A remote attacker could exploit this vulnerability and execute code on the target system.
- Solution
-
Please refer to the Security Update Guide for more information pertaining to these vulnerabilities.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
Microsoft Security Update Guide WIndows
-
Microsoft Visual Studio Security Update for May 2021
- Severity
- Critical 4
- Qualys ID
- 91763
- Vendor Reference
- CVE-2021-27068
- CVE Reference
- CVE-2021-27068, CVE-2021-31204
- CVSS Scores
- Base 6.5 / Temporal 4.8
- Description
-
Microsoft has released security update for Visual Studio which resolves multiple security vulnerabilities.
Affected Software:
Microsoft Visual Studio 2019 version 16.4 (includes 16.0 - 16.3)
Microsoft Visual Studio 2019 version 16.7 (includes 16.0 - 16.6)
Microsoft Visual Studio 2019 version 16.9 (includes 16.0 - 16.8)QID Detection Logic:Authenticated
This QID detects vulnerable versions of Microsoft Visual Studio by checking file version of devenv.exe. - Consequence
- Successful exploitation can affect confidentiality, integrity and availability.
- Solution
-
Customers are advised to refer to CVE-2021-27068 for more information pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-27068 WIndows
-
Microsoft Windows Codecs Library Web Media Extension Remote Code Execution Vulnerability
- Severity
- Critical 4
- Qualys ID
- 91764
- Vendor Reference
- CVE-2021-28465
- CVE Reference
- CVE-2021-28465
- CVSS Scores
- Base 6.8 / Temporal 5
- Description
-
A remote code execution vulnerability exists in the way that Microsoft Windows Codecs Library handles objects in memory.
Affected Product:
Microsoft.WebMediaExtensions prior to version 1.0.40831.0QID detection Logic:
The gets the version of Extension by querying wmi class Win32_InstalledStoreProgram. - Consequence
- An attacker who successfully exploited this vulnerability could lead to remote code execution.
- Solution
-
Users are advised to check CVE-2021-28465 for more information.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-28465 WIndows
-
Microsoft .NET Core Security Update May 2021(DEPRECATED)
- Severity
- Serious 3
- Qualys ID
- 91766
- Vendor Reference
- CVE-2021-31204
- CVE Reference
- CVE-2021-31204
- CVSS Scores
- Base 4.6 / Temporal 3.4
- Description
-
A denial of service vulnerability exists when .NET Core improperly handles web requests.
This security update is rated Important for supported versions of .NET Core.Affected versions:
.NET 5.0 and .NET Core 3.1QID Detection Logic (Authenticated):
The qid looks for sub directories under %programfiles%\dotnet\shared\Microsoft.NETCore.App, %programfiles(x86)%\dotnet\shared\Microsoft.NETCore.App and checks for vulnerable versions in .version file on Windows. NOTE: This QID is Deprecated. This QID will retire on 06/21/2021. - Consequence
- Successful exploitation of this vulnerability can lead to escalation of priviledges.
- Solution
-
Customers are advised to refer to CVE-2021-31204 for more details pertaining to this vulnerability.
Patches:
The following are links for downloading patches to fix these vulnerabilities:
CVE-2021-31204 WIndows
These new vulnerability checks are included in Qualys vulnerability signature 2.5.182-3. Each Qualys account is automatically updated with the latest vulnerability signatures as they become available. To view the vulnerability signature version in your account, from the Qualys Help menu, select the About tab.
Selective Scan Instructions Using Qualys
To perform a selective vulnerability scan, configure a scan profile to use the following options:
- Ensure access to TCP ports 135 and 139 are available.
- Enable Windows Authentication (specify Authentication Records).
-
Enable the following Qualys IDs:
- 100415
- 110380
- 110381
- 110382
- 375557
- 375556
- 50111
- 91762
- 91763
- 91764
- 91766
- If you would like the scan to return the Windows Hostname, also include QID 82044 and ensure access to UDP port 137 is available.
- If you would like to be notified if Qualys is unable to log on to a host (if Authentication fails), also include QID 105015.
In addition, prior to running a scan for these new vulnerabilities, you can estimate your exposure to these new threats by running the Risk Analysis Report, available from the Qualys Vulnerability Management Reports tab.
Access for Qualys Customers
Platforms and Platform Identification
Technical Support
For more information, customers may contact Qualys Technical Support.
About Qualys
The Enterprise TruRisk Platform and its integrated suite of security and compliance applications provides organizations of all sizes with a global view of their security and compliance solutions, while drastically reducing their total cost of ownership. Qualys solutions include: continuous monitoring, vulnerability management, policy compliance, PCI compliance, security assessment questionnaire, web application scanning, web application firewall, malware detection and SECURE Seal for security testing of web sites.