By Satnam Narang, Staff Research Engineer, Tenable
This month’s Patch Wednesday release addressed 55 CVEs, 4 of which are rated critical. This is the second time in 2021 that Microsoft has patched less than 60 CVEs.
“Microsoft patched CVE-2021-31166, a remote code execution vulnerability in the HTTP Protocol Stack (http.sys). This vulnerability was discovered internally by Microsoft and is rated as Exploitation More Likely on Microsoft’s Exploitability Index.
“To exploit the flaw, an attacker would need to target a vulnerable server using the HTTP Protocol Stack with a packet containing the exploit code. Additionally concerning is that this vulnerability is wormable, meaning it can self-replicate on its own without human intervention. The most devastating wormable attack in the last several years was the WannaCry attacks. Organisations that utilise the HTTP Protocol Stack in their server architecture should apply these updates immediately.
“Microsoft also patched four vulnerabilities in Microsoft Exchange Server. The flaws, which include CVE-2021-31198, CVE-2021-31207, CVE-2021-31209 and CVE-2021-31195, are all rated Important or Moderate. CVE-2021-31195 is attributed to Orange Tsai of the DEVCORE research team, who was responsible for disclosing the ProxyLogon Exchange Server vulnerability that was patched in an out-of-band release back in March. While none of these flaws are deemed critical in nature, it is a reminder that researchers and attackers are still looking closely at Exchange Server for additional vulnerabilities, so organisations that have yet to update their systems should do so as soon as possible.”
