1. IT-Security >
  2. Hacking >
  3. The May 2019 Security Update Review


ArabicEnglishFrenchGermanGreekItalianJapaneseKoreanPersianPolishPortugueseRussianSpanishTurkishVietnamese

The May 2019 Security Update Review

RSS Kategorie Pfeil Hacking vom | Quelle: thezdi.com Direktlink öffnen

May is here and so are the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.  

Adobe Patches for May 2019

This month, Adobe released updates for Acrobat Reader, Flash Player, and Media Encoder. The update for Acrobat Reader is by far the largest of these, with a total of 84 CVEs being fixed by this patch alone. Overall, 37 of these bug reports came through the ZDI program. The patch fixes a mix of vulnerabilities, including use-after-frees, out-of-bounds reads/writes, heap overflows, type confusions, and more. The worst of these vulnerabilities could allow an attacker to completely take control of an affected system. The update for Flash Player includes one Critical rated bug, which was also reported through the ZDI program. This use-after-free vulnerability could potentially allow an attacker to take control of the affected system.

The final Adobe patch for May covers two CVEs in the Media Encoder. This update addresses a Critical-rated use-after-free code execution bug and an Important-rated out-of-bounds read info disclosure – both of which were reported by ZDI Vulnerability Researcher Mat Powell. None of the bugs patched by Adobe today are listed as being publicly known or under active attack at the time the patches were released.

Microsoft Patches for May 2019

Microsoft released security patches for 79 CVEs along with two advisories. The updates cover Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and ASP.NET, Skype for Android, Azure DevOps Server, and the NuGet Package Manager. Of these 79 CVEs, 22 are rated Critical and 57 are rated Important in severity. A total of 15 of these CVEs came through the ZDI program. Two of these bugs are listed as publicly known and one is listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bug currently being exploited:

CVE-2019-0863 – Windows Error Reporting Elevation of Privilege Vulnerability
This patch corrects a vulnerability in the Windows Error Reporting (WER) component. If exploited, an attacker could use this to execute arbitrary code with administrator privileges. They would need to first gain access to run code on a target system, but malware often uses elevations like this one to go from user-to-admin code execution. While details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets.

CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability
If it weren’t for the active attack, this bug would be the most interesting patch by far. This update corrects a pre-authentication bug in the Remote Desktop Service – formerly known as Terminal Service – that could allow an attacker to execute their code on a target system. An attacker would just need to send a specially crafted request via RDP. This occurs prior to authentication and there’s no user interaction involved, which makes this a wormable bug. While this is not listed as being under active attack now, don’t wait to test and deploy this patch. Microsoft gives this its highest Exploit Index (XI) rating, so I would not be surprised to see this included in future exploit kits. Microsoft considers this so severe, they are even making patches available for out-of-support OSes like Windows XP and Windows Server 2003. That’s no excuse to not upgrade to a supported OS, but regardless, go install that patch.

CVE-2019-0725 – Windows DHCP Server Remote Code Execution Vulnerability
This patch fixes a vulnerability in the DHCP Server Service that could allow an attacker to run arbitrary code on affected systems. This bug can be reached by remote, unauthenticated attackers who send specially crafted network packets to a target server. That makes this also wormable, albeit only between DHCP servers. If you’re using Windows as your DHCP server, definitely don’t let a lower XI rating delay the testing and installation of this patch.

ADV190013 – Microsoft Guidance to Mitigate Microarchitectural Data Sampling Vulnerabilities
This advisory covers four CVEs disclosed by Intel today and cover a new subclass of speculative execution side channel vulnerabilities they term “Microarchitectural Data Sampling,” but they are also being referred to as - and I sincerely wish I were joking here - “ZombieLoad.” These new CVEs join the more well-known side-channel vulnerabilities known as Meltdown, Spectre, and Foreshadow. As with previous side-channel attacks, these impact far more platforms than just Windows. The NSA keeps an updated GitHub repo with the latest information and guidance for all of these types of bugs. Hopefully, this gets updated soon with the full list of patches, firmware, and guidance needed to mitigate the most recent versions of these bugs. Intel’s guidance on these bugs can be found here.

 Here’s the full list of CVEs released by Microsoft for May 2019:

CVE Title Severity Public Exploited XI - Latest XI - Older Type
CVE-2019-0863 Windows Error Reporting Elevation of Privilege Vulnerability Important Yes Yes 0 0 EoP
CVE-2019-0932 Skype for Android Information Disclosure Vulnerability Important Yes No 2 2 Info
CVE-2019-0912 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0913 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0914 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0915 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0916 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0917 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0922 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0924 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0925 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0927 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0933 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0937 Chakra Scripting Engine Memory Corruption Vulnerability Critical No No 2 N/A RCE
CVE-2019-0903 GDI+ Remote Code Execution Vulnerability Critical No No 1 1 RCE
CVE-2019-0929 Internet Explorer Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0940 Microsoft Browser Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2019-0926 Microsoft Edge Memory Corruption Vulnerability Critical No No 1 N/A RCE
CVE-2019-0953 Microsoft Word Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0708 Remote Desktop Services Remote Code Execution Vulnerability Critical No No N/A 1 RCE
CVE-2019-0884 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2019-0911 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2019-0918 Scripting Engine Memory Corruption Vulnerability Critical No No 1 1 RCE
CVE-2019-0725 Windows DHCP Server Remote Code Execution Vulnerability Critical No No 2 2 RCE
CVE-2019-0980 .NET Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0982 .NET Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0820 .NET Framework and .NET Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0981 .Net Framework and .Net Core Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-0864 .NET Framework Denial of Service Vulnerability Important No No 2 2 DoS
CVE-2019-1000 Azure AD Connect Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0727 Diagnostic Hub Standard Collector,Visual Studio Standard Collector Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0938 Microsoft Edge Elevation of Privilege Vulnerability Important No No 1 N/A EoP
CVE-2019-0957 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0958 Microsoft SharePoint Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0942 Unified Write Filter Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0892 Win32k Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0734 Windows Elevation of Privilege Vulnerability Important No No 2 2 EoP
CVE-2019-0936 Windows Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0881 Windows Kernel Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0707 Windows NDIS Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0931 Windows Storage Service Elevation of Privilege Vulnerability Important No No 1 1 EoP
CVE-2019-0971 Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0930 Internet Explorer Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2019-0956 Microsoft SharePoint Server Information Disclosure Vulnerability Important No No N/A 2 Info
CVE-2019-0819 Microsoft SQL Server Analysis Services Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0758 Windows GDI Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2019-0882 Windows GDI Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2019-0961 Windows GDI Information Disclosure Vulnerability Important No No 1 1 Info
CVE-2019-0886 Windows Hyper-V Information Disclosure Vulnerability Important No No 2 2 Info
CVE-2019-0923 Chakra Scripting Engine Memory Corruption Vulnerability Important No No 2 N/A RCE
CVE-2019-0889 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0890 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0891 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0893 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0894 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0895 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0896 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0897 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0898 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0899 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0900 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0901 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0902 Jet Database Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0945 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0946 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No 2 2 RCE
CVE-2019-0947 Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability Important No No N/A 2 RCE
CVE-2019-0952 Microsoft SharePoint Server Remote Code Execution Vulnerability Important No No N/A 2 RCE
CVE-2019-0885 Windows OLE Remote Code Execution Vulnerability Important No No 1 1 RCE
CVE-2019-0995 Internet Explorer Security Feature Bypass Vulnerability Important No No 2 N/A SFB
CVE-2019-1008 Microsoft Dynamics On-Premise Security Feature Bypass Important No No 2 2 SFB
CVE-2019-0733 Windows Defender Application Control Security Feature Bypass Vulnerability Important No No 2 2 SFB
CVE-2019-0921 Internet Explorer Spoofing Vulnerability Important No No 2 2 Spoof
CVE-2019-0949 Microsoft SharePoint Spoofing Vulnerability Important No No N/A 2 Spoof
CVE-2019-0950 Microsoft SharePoint Spoofing Vulnerability Important No No N/A 2 Spoof
CVE-2019-0951 Microsoft SharePoint Spoofing Vulnerability Important No No N/A 2 Spoof
CVE-2019-0976 NuGet Package Manager Tampering Vulnerability Important No No 2 2 Tampering
CVE-2019-0872 Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability Important No No 2 2 XSS
CVE-2019-0979 Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability Important No No N/A 2 XSS
CVE-2019-0963 Microsoft Office SharePoint XSS Vulnerability Important No No N/A 2 XSS

The one other publicly known bug for this month is a vulnerability in Skype for Android that could allow attackers to eavesdrop on a call. This is not to be confused with a different Skype for Android flaw disclosed earlier this year. This current problem seems much less severe.

Of the Critical-rated bugs not previously discussed, the Word and GDI+ patches stand out. While Remote Code Execution (RCE) bugs in Office apps are typically rated Important, this vulnerability can be reached through the Preview Pane, which greatly increases the risk. The GDI+ issue could allow an attacker to execute their code if they can get a target user to view an image. The rest of the Critical-rated updates are related to browsers and can allow code execution by convincing a user to browse to a specially crafted website.

Nearly half of the release – 41 patches – address some form of Remote Code Execution (RCE). While most of these are related to a web browser, there are a baker’s dozen of patches for the Jet Database Engine. We disclosed a bug in this component last September, and since then, we’ve seen a host of further research into this technology. The remaining RCE bugs mostly occur within the Office suite of applications. For these bugs, an attacker would need to convince a user to open a crafted file, so there’s a social engineering factor involved.

Next up are a variety of Elevation of Privilege (EoP) bugs in various components – most notably the Windows Kernel and the Unified Write Filter (UWF). If you’re not familiar with it, UWF is an optional component on Windows 10 that aims to protect drives by intercepting and redirecting any writes to the drive to a virtual overlay. It’s primarily targeted toward thin clients and kiosks, so pay special attention to this one if that describes your enterprise. Another EoP of note involves the Kerberos authentication protocol. This vulnerability allows an attacker to successfully decode and replace an authentication request using Kerberos if they can intercept the request on the network. Should they accomplish this man-in-the-middle exploit, they would then be authenticated as an administrator with complete control of the target system. Again, the attacker would already need to be on a target network, but this would certainly be a novel method for escalating permissions.

All of the .NET Core and .NET Framework updates for May involve some form of a Denial-of-Service attack. There are a few patches for info disclosure vulnerabilities as well. Of these, the patch for Hyper-V definitely stands out. While some info disclosure bugs reveal only uninitialized memory, CVE-2019-0886 could allow someone on a guest OS to access information on the underlying host OS.

There are a few patches for Azure AD Connect and the Azure DevOps Server for May. The bug corrected in Azure AD Connect is listed as an EoP due to two PowerShell cmdlets, but these cmdlets could be reached remotely if remote access is enabled on the Azure AD Connect server. If that describes your configuration, treat this as Critical and disable those cmdlets. The Azure DevOps Server has two cross-site scripting (XSS) bugs to go along with an info disclosure bug that could divulge device information like resource IDs, SAS tokens, and other user properties.

Three security feature bypasses (SFB) are fixed by this release as well. The first occurs in IE where certain Mark of the Web warnings can be bypassed. The second SFB occurs in the Windows Defender Application Control (WDAC). This bug could allow an attacker to bypass the Windows PowerShell Constrained Language Mode, but several steps need to take place for this to happen. The final bypass fixed this month exists in Dynamics On-Premise and could allow attackers to send attachment types normally blocked by the system. Exploitation of this would also not be straightforward, as an attacker would need to intercept and edit a POST request to include a special character.

The release is rounded out by a handful of patches for SharePoint correcting some XSS bugs, a few spoofing vulnerabilities, and an RCE bug. For the RCE, an attacker would need to convince an authenticated user to invoke a specially crafted page on an affected version of SharePoint. The NuGet Package Manager gets updated to version 5.0.2 to correct a tampering bug that could allow an attacker to make modifications to the intermediate build folder and potentially impact future builds of a project. Previous updates for NuGet included updates for the .NET Core SDK, but this release only includes a new version of the package manager.

Finally, the remaining advisory for May is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on June 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!

...

Webseite öffnen Komplette Webseite öffnen

Newsbewertung

Kommentiere zu The May 2019 Security Update Review






Ähnliche Beiträge

  • 1. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 427.03 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 2. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 427.03 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 3. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 427.03 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 4. CentOS Blog: CentOS Pulse Newsletter, March 2019 (#1903) vom 427.03 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter CentOS is 15! As you may have seen either at recent events, or on social media, we're getti
  • 5. The August 2019 Security Update Review vom 398.51 Punkte ic_school_black_18dp
    August is here and it brings with it the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.   Adobe Patches for August 2019 Adobe releas
  • 6. CentOS Blog: CentOS Community Newsletter, August 2019 (#1908) vom 382.31 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, It's been another busy month, but better a few days late than never! If you'd like to help out with the process of putting together the newsletter, please see the Contributing section at the end. We're always looking for help! Re
  • 7. The June 2019 Security Update Review vom 367.88 Punkte ic_school_black_18dp
    June has arrived and so have the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for June 2019 This month, Ad
  • 8. The May 2019 Security Update Review vom 343.54 Punkte ic_school_black_18dp
    May is here and so are the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.   Adobe Patches for May 2019 This month, Ado
  • 9. The February 2019 Security Update Review vom 338.15 Punkte ic_school_black_18dp
    February is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2019
  • 10. The February 2019 Security Update Review vom 338.15 Punkte ic_school_black_18dp
    February is here and with it comes the latest in security offerings from Adobe and Microsoft. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for February 2019
  • 11. The July 2019 Security Update Review vom 337.28 Punkte ic_school_black_18dp
    July has arrived and so have the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month. Adobe Patches for July 2019 Adobe released
  • 12. CentOS Blog: CentOS Pulse Newsletter, May 2019 (#1905) vom 307.27 Punkte ic_school_black_18dp
    Dear CentOS enthusiast, Another month into 2019, and we have a lot to tell you about. Releases and updates SIG updates Events Contributing to the newsletter #CentOS15 Yes, we've mentioned this before, but we're still pretty stoked about it. On the 15