The May 2019 Security Update Review

May 14, 2019 | Dustin Childs

May is here and so are the scheduled security patches from Microsoft and Adobe. Take a break from your regularly scheduled activities and join us as we review the details for security patches for this month.  

Adobe Patches for May 2019

This month, Adobe released updates for Acrobat Reader, Flash Player, and Media Encoder. The update for Acrobat Reader is by far the largest of these, with a total of 84 CVEs being fixed by this patch alone. Overall, 37 of these bug reports came through the ZDI program. The patch fixes a mix of vulnerabilities, including use-after-frees, out-of-bounds reads/writes, heap overflows, type confusions, and more. The worst of these vulnerabilities could allow an attacker to completely take control of an affected system. The update for Flash Player includes one Critical rated bug, which was also reported through the ZDI program. This use-after-free vulnerability could potentially allow an attacker to take control of the affected system.

The final Adobe patch for May covers two CVEs in the Media Encoder. This update addresses a Critical-rated use-after-free code execution bug and an Important-rated out-of-bounds read info disclosure – both of which were reported by ZDI Vulnerability Researcher Mat Powell. None of the bugs patched by Adobe today are listed as being publicly known or under active attack at the time the patches were released.

Microsoft Patches for May 2019

Microsoft released security patches for 79 CVEs along with two advisories. The updates cover Internet Explorer, Edge, Windows, ChakraCore, Microsoft Office and Microsoft Office Services and Web Apps, .NET Framework and ASP.NET, Skype for Android, Azure DevOps Server, and the NuGet Package Manager. Of these 79 CVEs, 22 are rated Critical and 57 are rated Important in severity. A total of 15 of these CVEs came through the ZDI program. Two of these bugs are listed as publicly known and one is listed as under active attack at the time of release.

Let’s take a closer look at some of the more interesting patches for this month, starting with the bug currently being exploited:

CVE-2019-0863 – Windows Error Reporting Elevation of Privilege Vulnerability
This patch corrects a vulnerability in the Windows Error Reporting (WER) component. If exploited, an attacker could use this to execute arbitrary code with administrator privileges. They would need to first gain access to run code on a target system, but malware often uses elevations like this one to go from user-to-admin code execution. While details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets.

CVE-2019-0708 – Remote Desktop Services Remote Code Execution Vulnerability
If it weren’t for the active attack, this bug would be the most interesting patch by far. This update corrects a pre-authentication bug in the Remote Desktop Service – formerly known as Terminal Service – that could allow an attacker to execute their code on a target system. An attacker would just need to send a specially crafted request via RDP. This occurs prior to authentication and there’s no user interaction involved, which makes this a wormable bug. While this is not listed as being under active attack now, don’t wait to test and deploy this patch. Microsoft gives this its highest Exploit Index (XI) rating, so I would not be surprised to see this included in future exploit kits. Microsoft considers this so severe, they are even making patches available for out-of-support OSes like Windows XP and Windows Server 2003. That’s no excuse to not upgrade to a supported OS, but regardless, go install that patch.

CVE-2019-0725 – Windows DHCP Server Remote Code Execution Vulnerability
This patch fixes a vulnerability in the DHCP Server Service that could allow an attacker to run arbitrary code on affected systems. This bug can be reached by remote, unauthenticated attackers who send specially crafted network packets to a target server. That makes this also wormable, albeit only between DHCP servers. If you’re using Windows as your DHCP server, definitely don’t let a lower XI rating delay the testing and installation of this patch.

ADV190013 – Microsoft Guidance to Mitigate Microarchitectural Data Sampling Vulnerabilities
This advisory covers four CVEs disclosed by Intel today that describe a new subclass of speculative execution side-channel vulnerabilities, which Intel terms “Microarchitectural Data Sampling,” but which are also being referred to as - and I sincerely wish I were joking here - “ZombieLoad.” These new CVEs join the more well-known side-channel vulnerabilities known as Meltdown, Spectre, and Foreshadow. As with previous side-channel attacks, these impact far more platforms than just Windows. The NSA keeps an updated GitHub repo with the latest information and guidance for all of these types of bugs. Hopefully, this gets updated soon with the full list of patches, firmware, and guidance needed to mitigate the most recent versions of these bugs. Intel’s guidance on these bugs can be found here.

Here’s the full list of CVEs released by Microsoft for May 2019:

| CVE | Title | Severity | Public | Exploited | XI - Latest | XI - Older | Type |
|---|---|---|---|---|---|---|---|
| CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | Yes | Yes | 0 | 0 | EoP |
| CVE-2019-0932 | Skype for Android Information Disclosure Vulnerability | Important | Yes | No | 2 | 2 | Info |
| CVE-2019-0912 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0913 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0914 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0915 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0916 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0917 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0922 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0924 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0925 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0927 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0933 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0937 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE |
| CVE-2019-0903 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0929 | Internet Explorer Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0940 | Microsoft Browser Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0926 | Microsoft Edge Memory Corruption Vulnerability | Critical | No | No | 1 | N/A | RCE |
| CVE-2019-0953 | Microsoft Word Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE |
| CVE-2019-0884 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0911 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0918 | Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 1 | 1 | RCE |
| CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE |
| CVE-2019-0980 | .NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0982 | .NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0820 | .NET Framework and .NET Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0981 | .Net Framework and .Net Core Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-0864 | .NET Framework Denial of Service Vulnerability | Important | No | No | 2 | 2 | DoS |
| CVE-2019-1000 | Azure AD Connect Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0727 | Diagnostic Hub Standard Collector, Visual Studio Standard Collector Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0938 | Microsoft Edge Elevation of Privilege Vulnerability | Important | No | No | 1 | N/A | EoP |
| CVE-2019-0957 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0958 | Microsoft SharePoint Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0942 | Unified Write Filter Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0892 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0734 | Windows Elevation of Privilege Vulnerability | Important | No | No | 2 | 2 | EoP |
| CVE-2019-0936 | Windows Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0881 | Windows Kernel Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0707 | Windows NDIS Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0931 | Windows Storage Service Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP |
| CVE-2019-0971 | Azure DevOps Server and Team Foundation Server Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0930 | Internet Explorer Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0956 | Microsoft SharePoint Server Information Disclosure Vulnerability | Important | No | No | N/A | 2 | Info |
| CVE-2019-0819 | Microsoft SQL Server Analysis Services Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0758 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0882 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0961 | Windows GDI Information Disclosure Vulnerability | Important | No | No | 1 | 1 | Info |
| CVE-2019-0886 | Windows Hyper-V Information Disclosure Vulnerability | Important | No | No | 2 | 2 | Info |
| CVE-2019-0923 | Chakra Scripting Engine Memory Corruption Vulnerability | Important | No | No | 2 | N/A | RCE |
| CVE-2019-0889 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0890 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0891 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0893 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0894 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0895 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0896 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0897 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0898 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0899 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0900 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0901 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0902 | Jet Database Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0945 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0946 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | 2 | 2 | RCE |
| CVE-2019-0947 | Microsoft Office Access Connectivity Engine Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
| CVE-2019-0952 | Microsoft SharePoint Server Remote Code Execution Vulnerability | Important | No | No | N/A | 2 | RCE |
| CVE-2019-0885 | Windows OLE Remote Code Execution Vulnerability | Important | No | No | 1 | 1 | RCE |
| CVE-2019-0995 | Internet Explorer Security Feature Bypass Vulnerability | Important | No | No | 2 | N/A | SFB |
| CVE-2019-1008 | Microsoft Dynamics On-Premise Security Feature Bypass | Important | No | No | 2 | 2 | SFB |
| CVE-2019-0733 | Windows Defender Application Control Security Feature Bypass Vulnerability | Important | No | No | 2 | 2 | SFB |
| CVE-2019-0921 | Internet Explorer Spoofing Vulnerability | Important | No | No | 2 | 2 | Spoof |
| CVE-2019-0949 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
| CVE-2019-0950 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
| CVE-2019-0951 | Microsoft SharePoint Spoofing Vulnerability | Important | No | No | N/A | 2 | Spoof |
| CVE-2019-0976 | NuGet Package Manager Tampering Vulnerability | Important | No | No | 2 | 2 | Tampering |
| CVE-2019-0872 | Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | 2 | 2 | XSS |
| CVE-2019-0979 | Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability | Important | No | No | N/A | 2 | XSS |
| CVE-2019-0963 | Microsoft Office SharePoint XSS Vulnerability | Important | No | No | N/A | 2 | XSS |
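As an added example (not ZDI's or Microsoft's code), here is a small triage helper that parses rows written in the pipe-separated column order of the table above and orders them the way this post prioritises them: bugs under active attack first, then publicly known ones, then Critical bugs with a low Exploitability Index (XI). The XI labels are Microsoft's published scale; the sample rows are copied from this month's table and the pipe-separated layout is an assumption of the example.

```python
import re
from dataclasses import dataclass

# Microsoft Exploitability Index values as they appear in the table.
XI_LABELS = {"0": "Exploitation Detected", "1": "Exploitation More Likely",
             "2": "Exploitation Less Likely", "3": "Exploitation Unlikely",
             "N/A": "Not Applicable"}

@dataclass(frozen=True)
class Entry:
    cve: str
    title: str
    severity: str
    public: bool
    exploited: bool
    xi_latest: str
    xi_older: str
    kind: str

def parse_row(line: str) -> Entry:
    """Parse 'CVE | Title | Severity | Public | Exploited | XI-Latest | XI-Older | Type'."""
    fields = [f.strip() for f in line.strip().strip("|").split("|")]
    if len(fields) != 8:
        raise ValueError(f"expected 8 fields, got {len(fields)}: {line!r}")
    cve, title, sev, pub, expl, xi_l, xi_o, kind = fields
    if (not re.fullmatch(r"CVE-\d{4}-\d{4,}", cve)
            or xi_l not in XI_LABELS or xi_o not in XI_LABELS):
        raise ValueError(f"malformed row: {line!r}")
    return Entry(cve, title, sev, pub == "Yes", expl == "Yes", xi_l, xi_o, kind)

def best_xi(e: Entry) -> str:
    """Most urgent XI across latest and older platforms ('3' when both are N/A)."""
    rated = [x for x in (e.xi_latest, e.xi_older) if x != "N/A"]
    return min(rated) if rated else "3"

def priority(e: Entry) -> int:
    """Lower is more urgent: exploited > public > Critical+XI 0/1 > Critical > XI 0/1 > rest."""
    if e.exploited:
        return 0
    if e.public:
        return 1
    likely = best_xi(e) in ("0", "1")
    if e.severity == "Critical":
        return 2 if likely else 3
    return 4 if likely else 5

def triage(rows):
    """Return parsed entries ordered from most to least urgent, ties broken by CVE id."""
    return sorted((parse_row(r) for r in rows), key=lambda e: (priority(e), e.cve))

# Constructed sample: rows copied from the May 2019 table above, in shuffled order.
SAMPLE_ROWS = [
    "CVE-2019-0912 | Chakra Scripting Engine Memory Corruption Vulnerability | Critical | No | No | 2 | N/A | RCE",
    "CVE-2019-0708 | Remote Desktop Services Remote Code Execution Vulnerability | Critical | No | No | N/A | 1 | RCE",
    "CVE-2019-0932 | Skype for Android Information Disclosure Vulnerability | Important | Yes | No | 2 | 2 | Info",
    "CVE-2019-0892 | Win32k Elevation of Privilege Vulnerability | Important | No | No | 1 | 1 | EoP",
    "CVE-2019-0863 | Windows Error Reporting Elevation of Privilege Vulnerability | Important | Yes | Yes | 0 | 0 | EoP",
    "CVE-2019-0903 | GDI+ Remote Code Execution Vulnerability | Critical | No | No | 1 | 1 | RCE",
    "CVE-2019-0725 | Windows DHCP Server Remote Code Execution Vulnerability | Critical | No | No | 2 | 2 | RCE",
]
```

Note that the table's own ordering (by severity, then type) hides the fact that CVE-2019-0708 is rated XI 1 only on older platforms, which is exactly the case the `best_xi` helper is there to catch.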

The one other publicly known bug for this month is a vulnerability in Skype for Android that could allow attackers to eavesdrop on a call. This is not to be confused with a different Skype for Android flaw disclosed earlier this year. This current problem seems much less severe.

Of the Critical-rated bugs not previously discussed, the Word and GDI+ patches stand out. While Remote Code Execution (RCE) bugs in Office apps are typically rated Important, the Word vulnerability can be reached through the Preview Pane, which greatly increases the risk. The GDI+ issue could allow an attacker to execute their code if they can get a target user to view an image. The rest of the Critical-rated updates are related to browsers and can allow code execution by convincing a user to browse to a specially crafted website.

Nearly half of the release – 41 patches – address some form of Remote Code Execution (RCE). While most of these are related to a web browser, there are a baker’s dozen of patches for the Jet Database Engine. We disclosed a bug in this component last September, and since then, we’ve seen a host of further research into this technology. The remaining RCE bugs mostly occur within the Office suite of applications. For these bugs, an attacker would need to convince a user to open a crafted file, so there’s a social engineering factor involved.

Next up are a variety of Elevation of Privilege (EoP) bugs in various components – most notably the Windows Kernel and the Unified Write Filter (UWF). If you’re not familiar with it, UWF is an optional component on Windows 10 that aims to protect drives by intercepting and redirecting any writes to the drive to a virtual overlay. It’s primarily targeted toward thin clients and kiosks, so pay special attention to this one if that describes your enterprise. Another EoP of note involves the Kerberos authentication protocol. This vulnerability allows an attacker to successfully decode and replace an authentication request using Kerberos if they can intercept the request on the network. Should they accomplish this man-in-the-middle exploit, they would then be authenticated as an administrator with complete control of the target system. Again, the attacker would already need to be on a target network, but this would certainly be a novel method for escalating permissions.

All of the .NET Core and .NET Framework updates for May involve some form of a Denial-of-Service attack. There are a few patches for info disclosure vulnerabilities as well. Of these, the patch for Hyper-V definitely stands out. While some info disclosure bugs reveal only uninitialized memory, CVE-2019-0886 could allow someone on a guest OS to access information on the underlying host OS.

There are a few patches for Azure AD Connect and the Azure DevOps Server for May. The bug corrected in Azure AD Connect is listed as an EoP due to two PowerShell cmdlets, but these cmdlets could be reached remotely if remote access is enabled on the Azure AD Connect server. If that describes your configuration, treat this as Critical and disable those cmdlets. The Azure DevOps Server has two cross-site scripting (XSS) bugs to go along with an info disclosure bug that could divulge device information like resource IDs, SAS tokens, and other user properties.

Three security feature bypasses (SFB) are fixed by this release as well. The first occurs in IE where certain Mark of the Web warnings can be bypassed. The second SFB occurs in the Windows Defender Application Control (WDAC). This bug could allow an attacker to bypass the Windows PowerShell Constrained Language Mode, but several steps need to take place for this to happen. The final bypass fixed this month exists in Dynamics On-Premise and could allow attackers to send attachment types normally blocked by the system. Exploitation of this would also not be straightforward, as an attacker would need to intercept and edit a POST request to include a special character.

The release is rounded out by a handful of patches for SharePoint correcting some XSS bugs, a few spoofing vulnerabilities, and an RCE bug. For the RCE, an attacker would need to convince an authenticated user to invoke a specially crafted page on an affected version of SharePoint. The NuGet Package Manager gets updated to version 5.0.2 to correct a tampering bug that could allow an attacker to make modifications to the intermediate build folder and potentially impact future builds of a project. Previous updates for NuGet included updates for the .NET Core SDK, but this release only includes a new version of the package manager.

Finally, the remaining advisory for May is Microsoft’s version of the aforementioned patch for Flash in Internet Explorer.

Looking Ahead

The next patch Tuesday falls on June 11, and we’ll return with details and patch analysis then. Until then, happy patching and may all your reboots be smooth and clean!