Tripwire’s May 2019 Patch Priority Index (PPI) brings together important vulnerabilities from Microsoft and Adobe.
First and most importantly this month are the patches available to resolve the BlueKeep (CVE-2019-0708) Remote Desktop Services remote code execution vulnerability. As noted by Microsoft:
[This] remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. To exploit this vulnerability, an attacker would need to send a specially crafted request to the target systems Remote Desktop Service via RDP. The update addresses the vulnerability by correcting how Remote Desktop Services handles connection requests.
It is very important to note that Microsoft also released patches for some versions of Windows that no longer receive mainstream support.
Patches for unsupported versions of Windows including Windows XP, Vista, and Server 2003 R2 are available here:
Patches for Windows 7, Server 2008 and Server 2008 R2 can be found from the MSRC security guidance page:
Newer versions of Windows are not prone to the BlueKeep vulnerability.
Up next on the patch priority index this month are patches for Microsoft’s Browser and Scripting Engine. These patches resolve 23 vulnerabilities including fixes for memory corruption, security feature bypass, spoofing and information disclosure vulnerabilities.
Next on the list are patches for Adobe Flash Player (APSB19-19). Adobe has released patches for Adobe Flash Player for Windows, macOS, Linux and Chrome OS. These updates address a critical use-after-free vulnerability in Adobe Flash Player that can lead to arbitrary code execution in the context of the current user.
Following Flash are patches for Adobe Reader (Read more...)
*** This is a Security Bloggers Network syndicated blog from The State of Security authored by Lane Thames. Read the original post at: https://www.tripwire.com/state-of-security/vert/vert-news/tripwire-patch-priority-index-may-2019/