Sorry this post is coming in a bit late, but I’m finally back with the Patch Tuesday Rundown for May! May’s Patch Tuesday saw only 55 security fixes compared to the 108 tallied in the month of April. We’re currently tracking 4 critical vulnerabilities, none of which are being exploited in the wild to the best of our knowledge and vendor communications.
On the Microsoft side, CVE-2021-26419 is a critical remote code execution vulnerability that impacts Internet Explorer 11 and 9 running on multiple versions of Microsoft Windows and Windows Server. In a web-based attack scenario, an attacker could host a specially crafted website that is designed to exploit the vulnerabilty through Internet Explorer and then convince a user to view the website. We also see an HTTP Protocol Stack remote code execution vulnerability (CVE-2021-31166) and a Microsoft Windows Object Linking (OLE) Automation execution vulnerability (CVE-2021-31194).
For Adobe, they’ve released a trove of 12 new security bulletins with 9 critical updates covering 25 critical CVEs. The vulnerabilities cover a wide range of Adobe’s portfolio, including Acrobat, Illustrator, and a large portion of the Creative Cloud Suite. There are 10 critical vulnerabilities in Adobe Acrobat and Reader alone, including many that affect arbitrary code execution and privilege escalation concerns.