May 2019 Patch Tuesday has seen Microsoft release security updates to correct 79 vulnerabilities, including one critical flaw that could potentially be exploited in a WannaCry-style malware attack.
The wormable vulnerability (CVE-2019-0708) is in Remote Desktop Services and can be exploited by sending specially crafted requests via Remote Desktop Protocol (RDP). The vulnerability is pre-authentication and requires no user interaction. Exploitation of the flaw could allow malware to be installed on a vulnerable computer and then propagate to all other vulnerable computers on the network.
Microsoft does not believe the flaw is being actively exploited, but it will only be a matter of time before an exploit is developed and incorporated into malware. The patch should therefore be applied as soon as possible. If it is not possible to apply the patch, a workaround is available.
The vulnerability is not present in Windows 8 or Windows 10, only earlier operating systems. The flaw is likely to have the greatest impact in healthcare, manufacturing and the industrial sector, where vulnerable Windows versions are still commonly used.
Windows versions that contain the vulnerability are:
- Windows Server 2008
- Windows Server 2008 R2
- Windows 7
- Windows XP
- Windows 2003
Due to the seriousness of the flaw, Microsoft has chosen to issue patches for all vulnerable Windows versions, including the unsupported Windows 2003 and Windows XP. If it is not possible to apply the patch, a workaround is to block TCP port 3389 and enable Network Level Authentication.
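The workaround above can be audited on a host with a short script; this is an added example, not code from Microsoft or the original article. It assumes Windows 7 or Server 2008 R2 with PowerShell 2.0 or later, run as Administrator, and the `-Apply` switch, the `Get-RdpExposure` function and the rule name are hypothetical names chosen for illustration.

```powershell
# Added example: audit, and with -Apply enforce, the CVE-2019-0708 workaround locally.
# Assumes PowerShell 2.0+ as Administrator. -Apply and $ruleName are hypothetical names.
param([switch]$Apply)

$ts       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$listener = "$ts\WinStations\RDP-Tcp"
$ruleName = 'Block-RDP-CVE-2019-0708'

function Get-RdpExposure {
    $l    = Get-ItemProperty -Path $listener
    $port = [string]$l.PortNumber          # 3389 unless an administrator changed it
    # Enabled inbound (1) block (0) TCP (6) rules in Windows Firewall that list the port.
    # Port ranges such as "3380-3390" are not expanded by this check.
    $fw    = New-Object -ComObject HNetCfg.FwPolicy2
    $block = @($fw.Rules | Where-Object {
        $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 0 -and
        $_.Protocol -eq 6 -and (($_.LocalPorts -split ',') -contains $port)
    })
    New-Object PSObject -Property @{
        RdpEnabled  = ((Get-ItemProperty -Path $ts).fDenyTSConnections -eq 0)
        NlaRequired = ($l.UserAuthentication -eq 1)   # 1 = NLA enforced on the listener
        Port        = $port
        PortBlocked = ($block.Count -gt 0)
    }
}

$state = Get-RdpExposure
$state | Format-List

if ($Apply -and $state.RdpEnabled) {
    if (-not $state.NlaRequired) {
        Set-ItemProperty -Path $listener -Name UserAuthentication -Value 1
    }
    if (-not $state.PortBlocked) {
        # A host-level block also cuts off legitimate RDP sessions to this machine.
        netsh advfirewall firewall add rule name=$ruleName dir=in action=block `
            protocol=TCP localport=$($state.Port) | Out-Null
    }
    Get-RdpExposure | Format-List   # re-read to confirm the new state
}
```

Run without `-Apply` first to record the current state; a host that reports `RdpEnabled` true with `NlaRequired` and `PortBlocked` both false is the configuration the workaround is meant to remove.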
22 Critical Vulnerabilities Patched
22 of the 79 vulnerabilities are rated critical, including one zero-day vulnerability that is being actively exploited in the wild and one vulnerability that was disclosed publicly prior to a patch being released by Microsoft.
The actively exploited vulnerability – CVE-2019-0863 – was identified by security researchers at Palo Alto Networks. This is an elevation of privilege vulnerability in Windows Error Reporting (WER). The flaw can only be exploited if an attacker has gained unprivileged access to a system. Once access is gained, the flaw could be exploited to allow arbitrary code to be run in kernel mode.
The publicly disclosed vulnerability (CVE-2019-0932) is present in Skype for Android and could allow an attacker to eavesdrop on conversations.
The critical vulnerabilities are present in Adobe Flash Player, Internet Explorer, Microsoft Edge, Microsoft Graphics Component, Microsoft Office, Microsoft Scripting Engine, and Windows DHCP Server.
Adobe Issues Patches to Correct 84 Vulnerabilities
Adobe has also released updates on May 2019 Patch Tuesday to correct vulnerabilities in Adobe Acrobat, Adobe Media Encoder, Adobe Reader, and Adobe Flash Player. The majority of the patches are for vulnerabilities in Adobe Acrobat and Adobe Reader.
84 vulnerabilities have been patched in total, including many remote code execution and information disclosure vulnerabilities. 50 of the vulnerabilities are rated critical and the remainder are rated important.