Microsoft's May Patch Tuesday dump included patches for 55 CVEs, four of them rated critical. There were also three zero-day bugs, but none have been exploited.
Impacted products include Internet Explorer, .NET Core and Visual Studio, Windows 10 and Office, to name a few. You can find the updates for May here (http://msrc.microsoft.com/update-guide/releaseNote/2021-May).
The fixed zero-day bugs include:
• CVE-2021-31204 (http://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31204) .NET and Visual Studio Elevation of Privilege Vulnerability
• CVE-2021-31207 (http://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31207) Microsoft Exchange Server Security Feature Bypass Vulnerability
• CVE-2021-31200 (http://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2021-31200) Common Utilities Remote Code Execution Vulnerability
Zero Day Initiative flagged CVE-2021-31166 (http://www.zerodayinitiative.com/blog/2021/5/11/the-may-2021-security-update-review) as one of the more interesting bugs. ZDI said:
CVE-2021-31166 - HTTP Protocol Stack Remote Code Execution Vulnerability
This patch corrects a bug that could allow an unauthenticated attacker to remotely execute code as kernel. An attacker would simply need to send a specially crafted packet to an affected server. That makes this bug wormable, with even Microsoft calling that out in their write-up. Before you pass this aside, Windows 10 can also be configured as a web server, so it is impacted as well. Definitely put this on the top of your test-and-deploy list.
There's also a Hyper-V Remote Code Execution Vulnerability flagged by ZDI with a CVSS rating of 9.9.
source (http://www.zdnet.com/article/microsofts-may-2021-patch-tuesday-55-flaws-fixed-four-critical/?ftag=TRE-03-10aaa6b&bhid=23025033557728410434503082200418&mid=13365145&cid=717836859)