I don’t understand the reasoning behind Microsoft’s rating of important for the RDS vulnerability. This vulnerability (CVE-2019-0863) should be considered a zero-day security issue as it has been publicly disclosed and reported as exploited in the wild.
Even worse, the RDS security issue is a pre-authentication vulnerability, meaning a user does not have to be logged in to be vulnerable. Although creating a “wormable” attack is complex and requires significant skills, there are millions of RDP end-points published on the internet – expect a serious attack in the next few days.
Known Issues
Each month, we provide some detail on the currently known (and generally unmitigated) issues with the latest Windows 10 (1803 and 1809) and server release:
- After installing the Windows 10 May 2019 update, there may be issues using the Preboot Execution Environment (PXE) to start a device from a Windows Deployment Services (WDS) server configured to use Variable Window Extension.
- Certain operations, such as rename, that you perform on files or folders that are on a Cluster Shared Volume (CSV) may fail with the error, “STATUS_BAD_IMPERSONATION_LEVEL (0xC00000A5)”.
- When attempting to print from Microsoft Edge or other Universal Windows Platform (UWP) applications, you may receive the error, “Your printer has experienced an unexpected configuration problem. 0x80070007e.”
- After installing KB4493509, devices with some Asian language packs installed may receive the error, “0x800f0982 – PSFX_E_MATCHING_COMPONENT_NOT_FOUND.”
For more information on these issues, you can find the Microsoft KB article here.
Major Revisions
For each update cycle, we track the major revisions (excluding documentation only updates) to patches released in the previous Patch Tuesday update cycle. This month we had CVE-2019-0604 (a Microsoft SharePoint RCE issue) updated mid-month, requiring a full update to your servers, if previously patched.
We also break down the update cycle into product families (as defined by Microsoft) with the following basic groupings.
- Browsers (Microsoft IE and Edge)
- Microsoft Windows (both desktop and server)
- Microsoft Office (Including Web Apps and Exchange)
- Microsoft NET Core, .NET Core and Chakra Core
- Adobe Flash Player
Browsers
Though not completely unexpected, this month brings a large number of memory corruption related vulnerabilities for both Microsoft browsers. There have been 23 reported vulnerabilities, with 18 rated as critical and the remaining five rated as important by Microsoft, relating to:
- Edge and Internet Explorer (IE)
- Chakra and IE scripting engine
- IE Browser memory handling
In addition, browser-based spoofing and elevation of privilege vulnerabilities have been reported. The vast majority of these reported vulnerabilities could lead to potential Remote Code Execution (RCE) scenarios with little or no user interaction. We recommend that you make these browser updates a “Patch Now” priority for your release cycle.
Windows
Microsoft has reported three critical vulnerabilities for this May Patch Tuesday including:
- CVE-2019-0708: a remote execution vulnerability in Remote Desktop Services
- CVE-2019-0725: a memory corruption vulnerability in the Windows Server DHCP
- CVE-2019-0903: a remote code execution vulnerability in the way that the Windows Graphics Device Interface (GDI) handles objects in memory
However, the real concern here is the publicly reported and exploited (ironically named) Windows Error Reporting (WER) vulnerability (CVE-2019-0863) rated as important by Microsoft. And, what’s up with all of the JET database errors? Almost half of the reported vulnerabilities in Windows this month relate to this small database (MSJET) component. Given the zero-day RDS vulnerability, add these Windows updates to your “Patch Now” release schedule.
Microsoft Office
A single remote code execution vulnerability rated as critical by Microsoft in their Word software has been reported for the May patch cycle. An attacker who successfully exploited this vulnerability could use a specially crafted file to perform actions in the security context of the current user. Apparently, this memory corruption only exists on Word (both PC and Mac) and relies on a series of complex steps before the target system is compromised. Add these updates to your standard release cycle.
Development Tools (.NET and Chakra Core)
There are four main updates to the Microsoft development platform, all rated as important by Microsoft for this month’s May update cycle:
- CVE-2019-0820: .NET Framework and .NET Core improperly process RegEx strings
- CVE-2019-0864: .NET Framework improperly handles objects in heap memory.
- CVE-2019-0980, CVE-2019-0981: .NET Framework or .NET Core improperly handle web requests.
All four updates apply to all currently supported versions of Microsoft .NET (including 4.8) and apply to all currently supported desktop and server platforms. Interestingly, there are several development updates that do not directly map to a desktop or server platform. For example, the following updates apply only to Azure:
- CVE-2019-0872, CVE-2019-0979: Azure DevOps Server and Team Foundation Server Cross-site Scripting Vulnerability
- CVE-2019-1000: Microsoft Azure AD Connect Elevation of Privilege Vulnerability
Given that the underlying platform has changed, how do we test? What is the impact of these changes? I think that some more time and energy will be required to understand the future platform for Microsoft Azure, and how we manage changes and patches to our cloud operating system. Noting that .NET 4.8 has just been released, add these patches to your testing and then the standard development release schedule.
Adobe
Though not actively reported as exploited, this month’s critical-rated vulnerability from Adobe (APSB19-26) is a common “use after free” memory corruption error that could lead to arbitrary code execution on the target machine, using the user’s logged in credentials.
Our advice is to prevent Adobe Flash Player from running. You can disable attempts to instantiate Adobe Flash Player in Internet Explorer and other applications that honor the kill bit feature, such as Office 2007 and Office 2010, by setting the kill bit for the control in the registry.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags"=dword:00000400
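The same kill bit can be audited, and optionally set, from PowerShell on both the native and Wow6432Node keys. This is an added example, not part of the original article or of Microsoft's guidance; the `-Enforce` switch and the `Get-KillBitState` function are hypothetical names, and the script assumes an elevated session. Unlike importing the registry values above, it ORs the 0x400 bit into any flags already present rather than overwriting them.

```powershell
# Added example: report (and with -Enforce, set) the ActiveX kill bit for the
# Flash Player control named in the article. Run from an elevated prompt.
param([switch]$Enforce)   # hypothetical switch: without it the script only reports

$Clsid   = '{D27CDB6E-AE6D-11CF-96B8-444553540000}'   # CLSID from the article
$KillBit = 0x400                                       # flag value from the article
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$KeyPath)
    # A missing key or value means no compatibility flags are set.
    $item  = Get-ItemProperty -LiteralPath $KeyPath -Name 'Compatibility Flags' -ErrorAction SilentlyContinue
    $flags = if ($item) { [int]$item.'Compatibility Flags' } else { 0 }
    [pscustomobject]@{
        Key    = $KeyPath
        Flags  = '0x{0:X8}' -f $flags
        Killed = ($flags -band $KillBit) -eq $KillBit
        Raw    = $flags
    }
}

foreach ($root in $Roots) {
    # The Wow6432Node branch does not exist on 32-bit Windows; skip it there.
    if (-not (Test-Path -LiteralPath $root)) { continue }

    $key   = Join-Path $root $Clsid
    $state = Get-KillBitState -KeyPath $key

    if ($Enforce -and -not $state.Killed) {
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key -Force | Out-Null }
        # OR the bit in so that any flags already present are preserved.
        $new = $state.Raw -bor $KillBit
        Set-ItemProperty -LiteralPath $key -Name 'Compatibility Flags' -Value $new -Type DWord
        $state = Get-KillBitState -KeyPath $key   # re-read to confirm the write
    }

    $state | Select-Object Key, Flags, Killed
}
```

Run without `-Enforce` first to see which hosts still report `Killed` as `False`.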
Patch Adobe now. If you can’t, kill Adobe Flash now. Please.
Given the issues in the October release (now really the November release) and the (DNS) problems in January, Microsoft has released a dashboard for patching “Health” found here.