May Patch Tuesday sees four critical vulnerabilities patched by Microsoft, while Adobe ships a fix for an Acrobat Reader zero-day that is under attack in the wild.
Microsoft Patch Tuesday May 2021
55 vulnerabilities, 4 critical, are resolved in the May security patch bundle from Microsoft. Of particular note are:
CVE-2021-31166 is a Windows Server flaw that allows an unauthenticated attacker to remotely execute malicious code. Microsoft warns this exploit is wormable and recommends its patching should be prioritised.
CVE-2021-26419 is a critical scripting engine vulnerability in Internet Explorer 11 which can be triggered by visiting a malicious site or opening a Microsoft Office document containing a malicious ActiveX control.
CVE-2021-31207 is another Security Feature Bypass in Microsoft Exchange. Although this vulnerability needs to be chained with others in order to facilitate exploitation, it was used (and so publicised) in the 2021 Pwn2Own hacking competition.
Adobe Patches for May 2021
Adobe’s May patch bundle includes a fix for a critical zero-day in the ubiquitous Adobe Acrobat PDF reader that is under active attack on Windows PCs.
10 Critical and 4 Important updates are fixed in Adobe Acrobat, with CVE-2021-28550, which enabled Arbitrary Code Execution, attracting the most attention. By exploiting this vulnerability, an attacker could create a specially crafted PDF document which executes malware when a user opens the file.
While the Adobe products should automatically install updates, users can prompt the update to happen now by selecting HELP -> Check For Updates from the product menu.
Adobe also released security patches for a total of 43 vulnerabilities in their creative products including InDesign and Illustrator.