May 2019 Patch Tuesday – 79 Vulns, 22 Critical, RDP RCE, MDS Attacks, Adobe Vulns

This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 22 of them labeled as Critical. Of the 22 Critical vulns, 18 are for scripting engines and browsers. The remaining 4 are remote code execution (RCE) in Remote Desktop, DHCP Server, GDI+, and Word. Microsoft also released guidance on the recently disclosed Microarchitectural Data Sampling (MDS) techniques, known as ZombieLoad, Fallout, and RIDL. Adobe’s Patch Tuesday includes patches for vulnerabilities in Flash, Acrobat/Reader (83 vulnerabilities!) and Media Encoder.

Workstation Patches

Scripting Engine, Browser, GDI+, and Word patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.

Remote Desktop Services RCE

Remote Code Execution (RCE) vulnerability CVE-2019-0708 exists in the Remote Desktop Protocol (RDP). Exploiting this vulnerability would allow an unauthenticated attacker to run arbitrary code on an affected system. This type of vulnerability is potentially wormable due to the lack of authentication and pervasiveness of the RDP service. Although a proof-of-concept exploit has not yet been disclosed, this vulnerability should be remediated with very high priority across Windows 7, Server 2008, and Server 2008 R2.

DHCP Server RCE

One vulnerability, CVE-2019-0725, applies to Windows DHCP Server. It is ranked as Critical and can lead to Remote Code Execution. Any unauthenticated attacker who can send packets to a DHCP server can exploit this vulnerability. This patch should be prioritized for any Windows DHCP implementations. A similar vulnerability in the DHCP Server was patched in February, and the DHCP Client was patched for a separate vulnerability in March.

Guidance for Microarchitectural Data Sampling (MDS) attacks

Microsoft has issued a guidance document for how to mitigate Microarchitectural Data Sampling (MDS) attacks. Examples of this style of attack are ZombieLoad, Fallout, and RIDL. The CVEs for these vulnerabilities are: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091. Intel has also released an overview, as well as a deep-dive document covering the techniques and mitigations.

Microcode updates for impacted processors will be required to mitigate these attacks, as well as OS patches. Microsoft mentions that disabling Hyper-threading (also known as Simultaneous Multi Threading (SMT) may also be required to fully mitigate, though Intel discourages this. Microsoft will distribute microcode updates for Windows 10 systems only. For other Operating Systems, the OEM will need to provide these updates, often in the form of a BIOS update.

Actively Attacked Privilege Escalation in Windows Error Handling

Microsoft also issued a patch for a Windows Error Handling privilege escalation vulnerability (CVE-2019-0863) that has been exploited in the wild. This patch should be prioritized for all supported versions of Windows.

Adobe Patch Tuesday

Adobe released patches for Flash, Acrobat/Reader, and Media Encoder. While the Flash patches cover only one CVE, and the Media Encoder patches cover two, the Acrobat/Reader patches cover a whopping 83 vulnerabilities. It is recommended that any impacted hosts be prioritized for patching, especially for workstations.



*** This is a Security Bloggers Network syndicated blog from The Laws of Vulnerabilities – Qualys Blog authored by Jimmy Graham. Read the original post at: https://blog.qualys.com/laws-of-vulnerabilities/2019/05/14/may-2019-patch-tuesday-79-vulns-22-critical-rdp-rce-mds-attacks-adobe-vulns