Microsoft has released fixes and updates covering a total of 111 common vulnerabilities and exposures (CVEs), 16 of them rated as critical, on yet another huge Patch Tuesday.
Alongside the usual round of updates for Microsoft operating systems, browsers, Office and SharePoint products, the May patches also include updates for .NET Framework, .NET Core, Visual Studio, Power BI, Windows Defender and Microsoft Dynamics.
This is the second set of Patch Tuesday updates to have been released since the beginning of the global Covid-19 coronavirus lockdowns and, as was the case in April, the May patches will pile extra pressure on security teams struggling to keep on top of the additional workloads they are seeing. They must not be ignored, however.
“With the world facing a sudden and shifting landscape, the ‘new normal’ of large patch batches for Patch Tuesdays is not easing the burden on IT and security admins,” said Jay Goodman, strategic product marketing manager at patch management service Automox.
“Yet again, the race to end your vulnerabilities today is on, with admins needing to patch a multitude of holes while adversaries are able to cherry-pick from a host of available attack vectors.”
Richard Melick, Automox’s technical product manager, added: “There is no doubt that the sudden shift to remote work has changed how organisations are responding to vulnerabilities.
“In the light of a few of the critical vulnerabilities revealed and patched by Microsoft today, it is clear that services that support the expanding workspace are a heavy focus for both attackers and software providers.
“If enterprises are not responding to, and deploying, critical patches within 24 hours of release, they could be putting not only those individual, unpatched endpoints at risk, but their full network.”
Satnam Narang, staff research engineer at security management platform Tenable, said: “Similar to the last two Patch Tuesday releases, this month’s release was another massive one, clocking in at 111 CVEs, 16 rated as critical and 95 rated as important. It appears that none of the vulnerabilities patched this month were publicly disclosed or exploited in the wild.”
Todd Schell, senior security product manager at asset management company Ivanti, said most of the critical CVEs would be resolved simply by applying the OS and browser updates, but he noted four critical CVEs in SharePoint and one in Visual Studio that are fixed by separate product updates.
Schell added that this round of updates provided a good opportunity for CISOs to think about reassessing their Patch Tuesday priorities.
“If you look at the Exploitability Assessment, a number of Important CVEs are concerning,” he said. “Ten of this month’s 111 CVEs carried exploit ratings of one, meaning exploitation is more likely for this vulnerability. What is interesting, and often overlooked, is that seven of the 10 CVEs at higher risk of exploit are only rated as Important.
“It is not uncommon to look at the Critical vulnerabilities as the most concerning, but many of the vulnerabilities that end up being exploited are actually the ones rated as Important. If your prioritisation stops at vendor severity or even CVSS scores above a certain level, you may want to reassess your metrics. Look to other risk metrics, such as Publicly Disclosed, Exploited (obviously), and Exploitability Assessment (Microsoft specific) to expand your prioritisation process.”
There was also news this month for organisations that have taken out extended security updates (ESUs) to keep Windows 7, Windows Server 2008 and Server 2008 R2 covered: they must deploy the new servicing stack updates (SSUs) first, as the May patches will not install without them.