May 2019 Patch Tuesday – 79 Vulns, 22 Critical, RDP RCE, MDS Attacks, Adobe Vulns
Last updated on: October 27, 2022
This month’s Microsoft Patch Tuesday addresses 79 vulnerabilities with 22 of them labeled as Critical. Of the 22 Critical vulns, 18 are for scripting engines and browsers. The remaining 4 are remote code execution (RCE) in Remote Desktop, DHCP Server, GDI+, and Word. Microsoft also released guidance on the recently disclosed Microarchitectural Data Sampling (MDS) techniques, known as ZombieLoad, Fallout, and RIDL. Adobe’s Patch Tuesday includes patches for vulnerabilities in Flash, Acrobat/Reader (83 vulnerabilities!) and Media Encoder.
UPDATE May 15: Microsoft has also issued Remote Desktop patches for Windows XP and Server 2003.
Scripting Engine, Browser, GDI+, and Word patches should be prioritized for workstation-type devices, meaning any system that is used for email or to access the internet via a browser. This includes multi-user servers that are used as remote desktops for users.
Remote Desktop Services RCE
Remote Code Execution (RCE) vulnerability CVE-2019-0708 exists in the Remote Desktop Protocol (RDP). Exploiting this vulnerability would allow an unauthenticated attacker to run arbitrary code on an affected system. This type of vulnerability is potentially wormable due to the lack of authentication and pervasiveness of the RDP service. Although a proof-of-concept exploit has not yet been disclosed, this vulnerability should be remediated with very high priority across Windows 7, Server 2008, and Server 2008 R2. Due to the high risk of this vulnerability, Microsoft has also issued patches for Windows XP and Server 2003. Patch now!
UPDATE May 15: See Windows RDP Remote Code Execution Vulnerability (BlueKeep) – How to Detect and Patch.
DHCP Server RCE
One vulnerability, CVE-2019-0725, applies to Windows DHCP Server. It is ranked as Critical and can lead to Remote Code Execution. Any unauthenticated attacker who can send packets to a DHCP server can exploit this vulnerability. This patch should be prioritized for any Windows DHCP implementations. A similar vulnerability in the DHCP Server was patched in February, and the DHCP Client was patched for a separate vulnerability in March.
Guidance for Microarchitectural Data Sampling (MDS) attacks
Microsoft has issued a guidance document for how to mitigate Microarchitectural Data Sampling (MDS) attacks. Examples of this style of attack are ZombieLoad, Fallout, and RIDL. The CVEs for these vulnerabilities are: CVE-2018-12126, CVE-2018-12127, CVE-2018-12130, and CVE-2019-11091. Intel has also released an overview, as well as a deep-dive document covering the techniques and mitigations.
Microcode updates for impacted processors will be required to mitigate these attacks, in addition to OS patches. Microsoft notes that disabling Hyper-Threading (also known as Simultaneous Multithreading, SMT) may also be required for full mitigation, though Intel discourages this. Microsoft will distribute microcode updates for Windows 10 systems only. For other operating systems, the OEM will need to provide these updates, often in the form of a BIOS update.
UPDATE May 15: Related article from Dark Reading: New Intel Vulnerabilities Bring Fresh CPU Attack Dangers.
Actively Attacked Privilege Escalation in Windows Error Handling
Microsoft also issued a patch for a Windows Error Handling privilege escalation vulnerability (CVE-2019-0863) that has been exploited in the wild. This patch should be prioritized for all supported versions of Windows.
Adobe Patch Tuesday
Adobe released patches for Flash, Acrobat/Reader, and Media Encoder. While the Flash patches cover only one CVE, and the Media Encoder patches cover two, the Acrobat/Reader patches cover a whopping 83 vulnerabilities. It is recommended that any impacted hosts be prioritized for patching, especially for workstations.
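As an added example (not part of the original post), the read-only PowerShell triage function below maps a host's state to the Windows prioritization groups discussed above: the RDP RCE on Windows 7/2008/2008 R2 and XP/2003, workstation-type devices (including multi-user RDS hosts), DHCP servers, the exploited Error Handling bug, and the MDS microcode delivery channel. It uses only standard CIM classes, service names and registry values, and assumes PowerShell 3 or later (so it runs on Windows 7/2008 R2 and newer, not on XP/2003 themselves).

```powershell
# Added example: triage one Windows host against the May 2019 guidance. Inventory only, no changes made.
function Get-May2019PatchTriage {
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $ver = [version]$os.Version
    $cpu = Get-CimInstance -ClassName Win32_Processor
    $isWorkstation = ($os.ProductType -eq 1)          # ProductType: 1 = workstation, 2 = DC, 3 = server

    # RDP listener state: fDenyTSConnections = 0 means Remote Desktop is enabled
    $ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -ErrorAction SilentlyContinue
    $rdpEnabled = ($null -ne $ts -and $ts.fDenyTSConnections -eq 0)

    # Multi-user RDS host (TerminalServerMode 1 = application server) counts as workstation-type
    $tsSetting = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TerminalServiceSetting -ErrorAction SilentlyContinue
    $isRdsHost = ($null -ne $tsSetting -and $tsSetting.TerminalServerMode -eq 1)

    # CVE-2019-0708 OS families: XP / Server 2003 (NT 5.x), Windows 7 / Server 2008 / 2008 R2 (NT 6.0, 6.1)
    $inRdpVulnFamily = ($ver.Major -eq 5) -or ($ver.Major -eq 6 -and $ver.Minor -le 1)

    # DHCP Server role is present when its service is installed
    $isDhcpServer = ($null -ne (Get-Service -Name DHCPServer -ErrorAction SilentlyContinue))

    # SMT / Hyper-Threading is active when logical processors exceed physical cores
    $cores     = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
    $logical   = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
    $smtActive = ($logical -gt $cores)

    $priority = New-Object System.Collections.Generic.List[string]
    if ($inRdpVulnFamily -and $rdpEnabled) { $priority.Add('CVE-2019-0708 RDP RCE: patch first, RDP enabled on affected OS') }
    elseif ($inRdpVulnFamily)              { $priority.Add('CVE-2019-0708 RDP RCE: affected OS, RDP currently disabled') }
    if ($isWorkstation -or $isRdsHost)     { $priority.Add('Scripting Engine / Browser / GDI+ / Word: workstation-type host') }
    if ($isDhcpServer)                     { $priority.Add('CVE-2019-0725 DHCP Server RCE') }
    $priority.Add('CVE-2019-0863 Windows Error Handling EoP (exploited in the wild): all supported Windows')

    # Windows 10 receives MDS microcode from Microsoft; everything else depends on an OEM BIOS update
    $mdsNote = if ($ver.Major -ge 10) { 'MDS: microcode delivered by Microsoft for Windows 10' }
               else { 'MDS: microcode must come from the OEM (BIOS update)' }
    if ($smtActive) { $mdsNote += '; SMT active, review Hyper-Threading guidance' }
    $priority.Add($mdsNote)

    [pscustomobject]@{
        Host = $env:COMPUTERNAME; OS = $os.Caption; Version = $os.Version
        RdpEnabled = $rdpEnabled; RdsHost = $isRdsHost; DhcpServer = $isDhcpServer; SmtActive = $smtActive
        Priority = $priority
    }
}

Get-May2019PatchTriage | Format-List
```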
The comments covering CVE-2019-0708 are incomplete, as they do not note that this also affects Windows Server 2003 and Windows XP. Microsoft have taken the hugely unusual step of developing patches for those EOL OSes as detailed below:
Please amend the blog to reflect this.