SANS Internet Storm Center

This month we got patches for 79 vulnerabilities from Microsoft and 1 from Adobe. From those, 23 are critical and 2 were previously known - including the one that has been exploited in the wild.

The exploited vulnerability (CVE-2019-0863) affects the way Windows Error Reporting (WER) handles files. It may allow a local attacker to elevate privileges and run arbitrary code in kernel mode. The CVSS V3 for this vulnerability is 7.8.

The other previously known (CVE-2019-0932) is an information disclosure vulnerability which affects Skype for Android. Exploiting this vulnerability, an attacker could listen to the conversation of a Skype for Android without the user’s knowledge.

Amongst critical vulnerabilities, it worth mentioning a remote code execution in Windows Remote Desktop Services (CVE-2019-0708). An unauthenticated attacker may exploit this vulnerability by sending specially crafted packets to the vulnerable service and then execute arbitrary code on the target system. It affects Windows 7 and Windows Server 2008. The CVSS V3 score for this vulnerability is 9.8.

Last but not least, we have a new critical remote execution vulnerability affecting GDI+ (Windows Graphics Device Interface). An attacker could exploit this vulnerability by convincing the user to open a specially crafted attachment in an e-mail or instant messenger, for example. The CVSS V3 for this vulnerability is 8.8.

UPDATE: Today's Patch Tuesday also addresses the new CPU side-channel attack published today known as Zombieload [1] (ADV190013). As Meltdown, Spectre, and Foreshadow the new flaw may allow an attacker to steal sensitive data and keys being processed by the CPU. To fix the issue you must apply OS updates provided by Microsoft today (not available for all versions yet) and firmware microcode from device OEMs. The details for this advisory are available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013.

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

Description
CVE	Disclosed	Exploited	Exploitability (old versions)	current version	Severity	CVSS Base (AVG)	CVSS Temporal (AVG)
.NET Framework Denial of Service Vulnerability
CVE-2019-0864	No	No	Less Likely	Less Likely	Important
.NET Framework and .NET Core Denial of Service Vulnerability
CVE-2019-0820	No	No	Less Likely	Less Likely	Important
.Net Framework and .Net Core Denial of Service Vulnerability
CVE-2019-0980	No	No	Less Likely	Less Likely	Important
CVE-2019-0981	No	No	Less Likely	Less Likely	Important
ASP.NET Core Denial of Service Vulnerability
CVE-2019-0982	No	No	Less Likely	Less Likely	Important
Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
CVE-2019-0872	No	No	Less Likely	Less Likely	Important
CVE-2019-0979	No	No	-	-	Important
Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability
CVE-2019-0971	No	No	Less Likely	Less Likely	Important
Chakra Scripting Engine Memory Corruption Vulnerability
CVE-2019-0912	No	No	-	-	Critical	4.2	3.8
CVE-2019-0913	No	No	-	-	Critical	4.2	3.8
CVE-2019-0914	No	No	-	-	Critical	4.2	3.8
CVE-2019-0915	No	No	-	-	Critical	4.2	3.8
CVE-2019-0916	No	No	-	-	Critical	4.2	3.8
CVE-2019-0917	No	No	-	-	Critical	4.2	3.8
CVE-2019-0922	No	No	-	-	Critical	4.2	3.8
CVE-2019-0923	No	No	-	-	Important	4.2	3.8
CVE-2019-0924	No	No	-	-	Critical	4.2	3.8
CVE-2019-0925	No	No	-	-	Critical	4.2	3.8
CVE-2019-0927	No	No	-	-	Critical	4.2	3.8
CVE-2019-0933	No	No	-	-	Critical	4.2	3.8
CVE-2019-0937	No	No	-	-	Critical	4.2	3.8
Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability
CVE-2019-0727	No	No	Less Likely	Less Likely	Important	6.7	6.0
GDI+ Remote Code Execution Vulnerability
CVE-2019-0903	No	No	More Likely	More Likely	Critical	8.8	7.9
Internet Explorer Information Disclosure Vulnerability
CVE-2019-0930	No	No	More Likely	More Likely	Important	2.4	2.2
Internet Explorer Memory Corruption Vulnerability
CVE-2019-0929	No	No	-	-	Critical	7.5	6.7
Internet Explorer Security Feature Bypass Vulnerability
CVE-2019-0995	No	No	-	-	Important	7.3	6.6
Internet Explorer Spoofing Vulnerability
CVE-2019-0921	No	No	Less Likely	Less Likely	Important	2.4	2.2
Jet Database Engine Remote Code Execution Vulnerability
CVE-2019-0893	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0894	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0895	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0896	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0897	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0898	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0899	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0900	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0901	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0902	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0889	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0890	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0891	No	No	Less Likely	Less Likely	Important	7.8	7.0
Latest Servicing Stack Updates
ADV990001	No	No	-	-	Critical
May 2019 Adobe Flash Security Update
ADV190012	No	No	-	-	Critical
Microsoft Azure AD Connect Elevation of Privilege Vulnerability
CVE-2019-1000	No	No	Less Likely	Less Likely	Important
Microsoft Browser Memory Corruption Vulnerability
CVE-2019-0940	No	No	More Likely	More Likely	Critical	7.5	6.7
Microsoft Dynamics On-Premise Security Feature Bypass
CVE-2019-1008	No	No	Less Likely	Less Likely	Important
Microsoft Edge Elevation of Privilege Vulnerability
CVE-2019-0938	No	No	-	-	Important	4.2	3.8
Microsoft Edge Memory Corruption Vulnerability
CVE-2019-0926	No	No	-	-	Critical	4.2	3.8
Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities
ADV190013	No	No	More Likely	More Likely	Important
Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability
CVE-2019-0945	No	No	Less Likely	Less Likely	Important
CVE-2019-0946	No	No	Less Likely	Less Likely	Important
CVE-2019-0947	No	No	-	-	Important
Microsoft Office SharePoint XSS Vulnerability
CVE-2019-0963	No	No	-	-	Important
Microsoft SQL Server Analysis Services Information Disclosure Vulnerability
CVE-2019-0819	No	No	Less Likely	Less Likely	Important
Microsoft SharePoint Elevation of Privilege Vulnerability
CVE-2019-0957	No	No	Less Likely	Less Likely	Important
CVE-2019-0958	No	No	Less Likely	Less Likely	Important
Microsoft SharePoint Server Information Disclosure Vulnerability
CVE-2019-0956	No	No	-	-	Important
Microsoft SharePoint Server Remote Code Execution Vulnerability
CVE-2019-0952	No	No	-	-	Important
Microsoft SharePoint Spoofing Vulnerability
CVE-2019-0949	No	No	-	-	Important
CVE-2019-0950	No	No	-	-	Important
CVE-2019-0951	No	No	-	-	Important
Microsoft Word Remote Code Execution Vulnerability
CVE-2019-0953	No	No	Less Likely	Less Likely	Critical
NuGet Package Manager Tampering Vulnerability
CVE-2019-0976	No	No	Less Likely	Less Likely	Important
Remote Desktop Services Remote Code Execution Vulnerability
CVE-2019-0708	No	No	-	-	Critical	9.8	8.8
Scripting Engine Memory Corruption Vulnerability
CVE-2019-0884	No	No	More Likely	More Likely	Critical	6.4	5.8
CVE-2019-0911	No	No	More Likely	More Likely	Critical	7.5	6.7
CVE-2019-0918	No	No	More Likely	More Likely	Critical	7.5	6.7
Skype for Android Information Disclosure Vulnerability
CVE-2019-0932	Yes	No	Less Likely	Less Likely	Important
Unified Write Filter Elevation of Privilege Vulnerability
CVE-2019-0942	No	No	Less Likely	Less Likely	Important	4.4	4.0
Win32k Elevation of Privilege Vulnerability
CVE-2019-0892	No	No	More Likely	More Likely	Important	7.8	7.0
Windows DHCP Server Remote Code Execution Vulnerability
CVE-2019-0725	No	No	Less Likely	Less Likely	Critical	8.1	7.3
Windows Defender Application Control Security Feature Bypass Vulnerability
CVE-2019-0733	No	No	Less Likely	Less Likely	Important	5.3	4.8
Windows Elevation of Privilege Vulnerability
CVE-2019-0734	No	No	Less Likely	Less Likely	Important	7.8	7.0
CVE-2019-0936	No	No	More Likely	More Likely	Important	7.8	7.0
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2019-0863	Yes	Yes	Detected	Detected	Important	7.8	7.0
Windows GDI Information Disclosure Vulnerability
CVE-2019-0882	No	No	More Likely	More Likely	Important	4.7	4.2
CVE-2019-0961	No	No	More Likely	More Likely	Important	4.7	4.2
CVE-2019-0758	No	No	More Likely	More Likely	Important	4.7	4.2
Windows Hyper-V Information Disclosure Vulnerability
CVE-2019-0886	No	No	Less Likely	Less Likely	Important	5.5	5.0
Windows Kernel Elevation of Privilege Vulnerability
CVE-2019-0881	No	No	More Likely	More Likely	Important	8.8	7.9
Windows NDIS Elevation of Privilege Vulnerability
CVE-2019-0707	No	No	More Likely	More Likely	Important	7.0	6.3
Windows OLE Remote Code Execution Vulnerability
CVE-2019-0885	No	No	More Likely	More Likely	Important	7.8	7.0
Windows Storage Service Elevation of Privilege Vulnerability
CVE-2019-0931	No	No	More Likely	More Likely	Important	7.0	6.3

References

[1] https://zombieloadattack.com/

--
Renato Marinho
Morphus Labs| LinkedIn| Twitter

Renato

76 Posts
ISC Handler

May 14th 2019

Faaaaaark. :-(

DomMcIntyreDeVitto

45 Posts

Links to CVEs are broken

Jens

6 Posts

The Microsoft GDI+ patches are separate from the Nvidia GTX and RTX graphics Windows driver patches. Quadro and Tesla GPUs are also affected. If the drivers are OEM they may not update automatically.

Best info I have on this is from: https://www.tomshardware.com/news/nvidia-driver-update-severe-security-vulnerability,39323.html

R

41 Posts

I find it rather fascinating that kb4494441 installed itself, successfully, twice so far on my system.
{o.o}

JD

13 Posts