
SANS ISC: Microsoft May 2019 Patch Tuesday

Microsoft May 2019 Patch Tuesday

This month we got patches for 79 vulnerabilities from Microsoft and 1 from Adobe. Of those, 23 are rated critical and 2 were previously known, including one that has been exploited in the wild.

The exploited vulnerability (CVE-2019-0863) affects the way Windows Error Reporting (WER) handles files. It may allow a local attacker to elevate privileges and run arbitrary code in kernel mode. The CVSS v3 score for this vulnerability is 7.8.

The other previously known vulnerability (CVE-2019-0932) is an information disclosure issue affecting Skype for Android. By exploiting it, an attacker could listen to a Skype for Android user's conversation without the user's knowledge.

Among the critical vulnerabilities, it is worth mentioning a remote code execution vulnerability in Windows Remote Desktop Services (CVE-2019-0708). An unauthenticated attacker may exploit it by sending specially crafted packets to the vulnerable service and then execute arbitrary code on the target system. It affects Windows 7 and Windows Server 2008. The CVSS v3 score for this vulnerability is 9.8.

Last but not least, there is a new critical remote code execution vulnerability affecting GDI+ (Windows Graphics Device Interface), listed as CVE-2019-0903 in the table below. An attacker could exploit it by convincing the user to open a specially crafted attachment received by e-mail or instant messenger, for example. The CVSS v3 score for this vulnerability is 8.8.

UPDATE: Today's Patch Tuesday also addresses the new CPU side-channel attack published today, known as ZombieLoad [1] (ADV190013). Like Meltdown, Spectre, and Foreshadow, the new flaw may allow an attacker to steal sensitive data and keys while they are being processed by the CPU. To fix the issue you must apply both the OS updates Microsoft released today (not yet available for all versions) and the firmware microcode updates from your device OEM. The details for this advisory are available at https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190013.

See Renato's dashboard for a more detailed breakout: https://patchtuesdaydashboard.com

| Description | CVE | Disclosed | Exploited | Exploitability (old versions) | Exploitability (current version) | Severity | CVSS Base (AVG) | CVSS Temporal (AVG) |
|---|---|---|---|---|---|---|---|---|
| .NET Framework Denial of Service Vulnerability | CVE-2019-0864 | No | No | Less Likely | Less Likely | Important | | |
| .NET Framework and .NET Core Denial of Service Vulnerability | CVE-2019-0820 | No | No | Less Likely | Less Likely | Important | | |
| .Net Framework and .Net Core Denial of Service Vulnerability | CVE-2019-0980 | No | No | Less Likely | Less Likely | Important | | |
| .Net Framework and .Net Core Denial of Service Vulnerability | CVE-2019-0981 | No | No | Less Likely | Less Likely | Important | | |
| ASP.NET Core Denial of Service Vulnerability | CVE-2019-0982 | No | No | Less Likely | Less Likely | Important | | |
| Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0872 | No | No | Less Likely | Less Likely | Important | | |
| Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | CVE-2019-0979 | No | No | - | - | Important | | |
| Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability | CVE-2019-0971 | No | No | Less Likely | Less Likely | Important | | |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0912 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0913 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0914 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0915 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0916 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0917 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0922 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0923 | No | No | - | - | Important | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0924 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0925 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0927 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0933 | No | No | - | - | Critical | 4.2 | 3.8 |
| Chakra Scripting Engine Memory Corruption Vulnerability | CVE-2019-0937 | No | No | - | - | Critical | 4.2 | 3.8 |
| Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability | CVE-2019-0727 | No | No | Less Likely | Less Likely | Important | 6.7 | 6.0 |
| GDI+ Remote Code Execution Vulnerability | CVE-2019-0903 | No | No | More Likely | More Likely | Critical | 8.8 | 7.9 |
| Internet Explorer Information Disclosure Vulnerability | CVE-2019-0930 | No | No | More Likely | More Likely | Important | 2.4 | 2.2 |
| Internet Explorer Memory Corruption Vulnerability | CVE-2019-0929 | No | No | - | - | Critical | 7.5 | 6.7 |
| Internet Explorer Security Feature Bypass Vulnerability | CVE-2019-0995 | No | No | - | - | Important | 7.3 | 6.6 |
| Internet Explorer Spoofing Vulnerability | CVE-2019-0921 | No | No | Less Likely | Less Likely | Important | 2.4 | 2.2 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0893 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0894 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0895 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0896 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0897 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0898 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0899 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0900 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0901 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0902 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0889 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0890 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Jet Database Engine Remote Code Execution Vulnerability | CVE-2019-0891 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Latest Servicing Stack Updates | ADV990001 | No | No | - | - | Critical | | |
| May 2019 Adobe Flash Security Update | ADV190012 | No | No | - | - | Critical | | |
| Microsoft Azure AD Connect Elevation of Privilege Vulnerability | CVE-2019-1000 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Browser Memory Corruption Vulnerability | CVE-2019-0940 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Microsoft Dynamics On-Premise Security Feature Bypass | CVE-2019-1008 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Edge Elevation of Privilege Vulnerability | CVE-2019-0938 | No | No | - | - | Important | 4.2 | 3.8 |
| Microsoft Edge Memory Corruption Vulnerability | CVE-2019-0926 | No | No | - | - | Critical | 4.2 | 3.8 |
| Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities | ADV190013 | No | No | More Likely | More Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0945 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0946 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | CVE-2019-0947 | No | No | - | - | Important | | |
| Microsoft Office SharePoint XSS Vulnerability | CVE-2019-0963 | No | No | - | - | Important | | |
| Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | CVE-2019-0819 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0957 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Elevation of Privilege Vulnerability | CVE-2019-0958 | No | No | Less Likely | Less Likely | Important | | |
| Microsoft SharePoint Server Information Disclosure Vulnerability | CVE-2019-0956 | No | No | - | - | Important | | |
| Microsoft SharePoint Server Remote Code Execution Vulnerability | CVE-2019-0952 | No | No | - | - | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0949 | No | No | - | - | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0950 | No | No | - | - | Important | | |
| Microsoft SharePoint Spoofing Vulnerability | CVE-2019-0951 | No | No | - | - | Important | | |
| Microsoft Word Remote Code Execution Vulnerability | CVE-2019-0953 | No | No | Less Likely | Less Likely | Critical | | |
| NuGet Package Manager Tampering Vulnerability | CVE-2019-0976 | No | No | Less Likely | Less Likely | Important | | |
| Remote Desktop Services Remote Code Execution Vulnerability | CVE-2019-0708 | No | No | - | - | Critical | 9.8 | 8.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0884 | No | No | More Likely | More Likely | Critical | 6.4 | 5.8 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0911 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Scripting Engine Memory Corruption Vulnerability | CVE-2019-0918 | No | No | More Likely | More Likely | Critical | 7.5 | 6.7 |
| Skype for Android Information Disclosure Vulnerability | CVE-2019-0932 | Yes | No | Less Likely | Less Likely | Important | | |
| Unified Write Filter Elevation of Privilege Vulnerability | CVE-2019-0942 | No | No | Less Likely | Less Likely | Important | 4.4 | 4.0 |
| Win32k Elevation of Privilege Vulnerability | CVE-2019-0892 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows DHCP Server Remote Code Execution Vulnerability | CVE-2019-0725 | No | No | Less Likely | Less Likely | Critical | 8.1 | 7.3 |
| Windows Defender Application Control Security Feature Bypass Vulnerability | CVE-2019-0733 | No | No | Less Likely | Less Likely | Important | 5.3 | 4.8 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0734 | No | No | Less Likely | Less Likely | Important | 7.8 | 7.0 |
| Windows Elevation of Privilege Vulnerability | CVE-2019-0936 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Error Reporting Elevation of Privilege Vulnerability | CVE-2019-0863 | Yes | Yes | Detected | Detected | Important | 7.8 | 7.0 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0882 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0961 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows GDI Information Disclosure Vulnerability | CVE-2019-0758 | No | No | More Likely | More Likely | Important | 4.7 | 4.2 |
| Windows Hyper-V Information Disclosure Vulnerability | CVE-2019-0886 | No | No | Less Likely | Less Likely | Important | 5.5 | 5.0 |
| Windows Kernel Elevation of Privilege Vulnerability | CVE-2019-0881 | No | No | More Likely | More Likely | Important | 8.8 | 7.9 |
| Windows NDIS Elevation of Privilege Vulnerability | CVE-2019-0707 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
| Windows OLE Remote Code Execution Vulnerability | CVE-2019-0885 | No | No | More Likely | More Likely | Important | 7.8 | 7.0 |
| Windows Storage Service Elevation of Privilege Vulnerability | CVE-2019-0931 | No | No | More Likely | More Likely | Important | 7.0 | 6.3 |
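As an added example (not ISC's, Microsoft's or the dashboard's own tooling), the following Python turns rows in the layout of the table above into records and orders them for scheduling the way this diary's narrative does: exploited in the wild first, then Critical, then entries that are publicly disclosed or rated "More Likely"/"Detected", with the CVSS base score as the tiebreaker. The sample lines embed five entries from the table; the ranking rule is this example's assumption.

```python
import re
from collections import namedtuple

# Constructed sample: five entries taken from the table above, written as a
# description line followed by its CVE/ADV lines (whitespace separated).
SAMPLE = """\
GDI+ Remote Code Execution Vulnerability
CVE-2019-0903 No No More Likely More Likely Critical 8.8 7.9
Remote Desktop Services Remote Code Execution Vulnerability
CVE-2019-0708 No No - - Critical 9.8 8.8
Skype for Android Information Disclosure Vulnerability
CVE-2019-0932 Yes No Less Likely Less Likely Important
Windows Error Reporting Elevation of Privilege Vulnerability
CVE-2019-0863 Yes Yes Detected Detected Important 7.8 7.0
Latest Servicing Stack Updates
ADV990001 No No - - Critical
"""
# Columns: id, disclosed, exploited, exploitability (old / current versions),
# severity, then the optional CVSS base and temporal scores.
LIKELY = r"More Likely|Less Likely|Detected|-"
ROW = re.compile(
    rf"^(?P<id>CVE-\d{{4}}-\d{{4,}}|ADV\d+)\s+(?P<disc>Yes|No)\s+(?P<expl>Yes|No)\s+"
    rf"(?:{LIKELY})\s+(?P<cur>{LIKELY})\s+(?P<sev>Critical|Important|Moderate|Low)"
    r"(?:\s+(?P<base>\d+\.\d)\s+\d+\.\d)?$")
# cvss_base is None when the table leaves the score cells empty.
Entry = namedtuple("Entry", "description id disclosed exploited exploitability severity cvss_base")

def parse_table(text):
    entries, description = [], ""
    for line in (l.strip() for l in text.splitlines()):
        m = ROW.match(line)
        if not m:                       # any non-row line names the entries that follow
            description = line or description
            continue
        entries.append(Entry(description, m["id"], m["disc"] == "Yes", m["expl"] == "Yes",
                             m["cur"], m["sev"], float(m["base"]) if m["base"] else None))
    return entries

def triage(text):
    """Ids in scheduling order: exploited in the wild first, then Critical, then
    publicly disclosed or rated 'More Likely'/'Detected', CVSS base as tiebreaker."""
    def key(e):
        flagged = e.disclosed or e.exploitability in ("Detected", "More Likely")
        return (e.exploited, e.severity == "Critical", flagged, e.cvss_base or 0.0)
    return [e.id for e in sorted(parse_table(text), key=key, reverse=True)]

def summarize(text):
    # Counts to reconcile against the headline numbers in a Patch Tuesday write-up.
    es = parse_table(text)
    return {"total": len(es), "critical": sum(e.severity == "Critical" for e in es),
            "disclosed": sum(e.disclosed for e in es), "exploited": sum(e.exploited for e in es)}
```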

 

References

[1] https://zombieloadattack.com/

--
Renato Marinho
Morphus Labs | LinkedIn | Twitter

Renato

45 Posts
ISC Handler
Faaaaaark. :-(
DomMcIntyreDeVitto

41 Posts
Links to CVEs are broken
Jens

5 Posts
The Microsoft GDI+ patches are separate from the Nvidia GTX and RTX graphics Windows driver patches. Quadro and Tesla GPUs are also affected. If the drivers are OEM they may not update automatically.

Best info I have on this is from: https://www.tomshardware.com/news/nvidia-driver-update-severe-security-vulnerability,39323.html
R

36 Posts
I find it rather fascinating that kb4494441 installed itself, successfully, twice so far on my system.
{o.o}
JD

11 Posts
