Microsoft and Adobe Patching Advisory for May 2019

Posted: May 15, 2019 in Uncategorized

This month security patches from Microsoft have gained attention from the media as well as the information security community. Microsoft has pushed patches to address 79 vulnerabilities with 23 rated critical, 2 reported as publicly known, and 1 as being actively exploited in the wild but rated as Important. Here are the main highlights: 

1. Windows Remote Desktop Services (RDP) Remote Code Execution Vulnerability (CVE-2019-0708): This is the most critical vulnerability that poses a high risk on organizations. The vulnerability could provide an attacker full privileged access by sending a specially crafted request to the target systems Remote Desktop Service via RDP. It doesn’t require any user interaction to be exploited. This vulnerability is a Remote Code Execution (RCE) and is a ‘wormable’ vulnerability. The affected versions are Win7, Win2008, Win2008 R2. Microsoft has also issued patches for the Out-of-Support versions WinXP and Win2003. Affected versions with port 3389 open should install the patch ASAP. Some workarounds can be enabling NLA and blocking port 3389 at the edge router. Patches for the Out-of-Support version are available in a separate page (https://support.microsoft.com/en-us/help/4500705/customer-guidance-for-cve-2019-0708)

2. Windows DHCP Server Remote Code Execution Vulnerability (CVE-2019-0725): similar to the previous months of 2019, DHCP is being under scrutiny by security researchers. The Remote Code Execution (RCE) vulnerability in DHCP Server could allow a remote unauthenticated attacker to execute arbitrary code by sending a specially crafted packet. Similar to the RDP vulnerability above, it doesn’t require user interaction to be exploited. There’s no publicly known exploit, however, this vulnerability is likely to be weaponized. 

3. Windows Error Reporting Elevation of Privilege Vulnerability (CVE-2019-0863): this is an Elevation of Privilege (EoP) vulnerability that exists in one of the Windows components. It could allow an attacker to execute arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Though, the attacker would need to log on to the system first.

4. Microsoft Guidance to Mitigate Microarchitectural Data Sampling (MDS) Vulnerabilities (ADV190013): this has been dubbed “ZombieLoad”. It is a subclass of the speculative execution vulnerabilities. It joins the CPU vulnerabilities Foreshadow, Meltdown, Spectre. There is currently no patches for this vulnerability. However, the MDS Vulnerabilities have been classified as low to medium severity. Also, there are no reports of any real world exploits of these vulnerabilities. The likelihood is low since exploiting the MDS vulnerabilities outside the controlled conditions of a research environment is a complex undertaking. 

The rest of the vulnerabilities could be new attack vectors for social engineering. We rate the MS patches for this month as “Patch as Scheduled” except for the RDP and DHCP which have been designated as “Patch Now”. The rest of the month’s vulnerabilities should be mitigated by user-education, and email and web-proxy hygiene in order to prevent users handling files or links from unknown or questionable sources.

Links:

·   https://portal.msrc.microsoft.com/en-us/security-guidance

·   https://portal.msrc.microsoft.com/en-us/security-guidance/releasenotedetail/e5989c8b-7046-e911-a98e-000d3a33a34d 

·   CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability

·   CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability

·   CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability

·   ADV190013 |Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities

·   MDS | https://www.intel.com/content/www/us/en/architecture-and-technology/mds.html 

·   ZombieLoad | https://zombieloadattack.com/

 

Adobe: 

Adobe released patches to address vulnerabilities in Acrobat and Reader, Flash, and Adobe Media Encoder. In order to exploit the vulnerabilities, an attacker would need to convince the victim to click on a malicious link

The Adobe vulnerabilities receive the “Patch as Scheduled” designation.

·   https://helpx.adobe.com/security.html

 


 Meltdown/Spectre/ZombieLoad:

As mentioned above, Microsoft has released an Advisory for the Microarchitectural Data Sampling (MDS) Vulnerabilities (ADV190013) dubbed “ZombieLoad”. The guidance from InfoSec continues to fall into the broad outline of:

·   Consult with your vendors

·   Test aggressively (especially around the MS Reg-hack)

·   Patch and update your firmware

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV180002

Please always remember the rules of safe patching:

·   Deploy to test/dev environment before production

·   Deploy to a pilot/test group before the whole organization

·   Have a plan to roll back if something doesn’t work

·   Test, test, and test! 

 

Should you have any questions, please feel free to leave a comment. Also make sure you (Follow) if you would like to be aware of what Microsoft and Adobe release for patching security vulnerabilities regularly. 

 

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s