Patch Impact Assessment May 2019

Vulnerability Assessment

PUBLICLY DISCLOSED: 1
EXPLOITED: 1
ZERO-DAY: 1

With 79 reported CVE vulnerability entries and two advisories from Microsoft, this is a big update for Windows this month. In this May Patch Tuesday update cycle, we are seeing reported issues in Remote Desktop Services (RDS), DHCP and the core graphics GDI component. The RDS vulnerability (CVE-2019-0863) should be considered a zero-day security issue, as it has been publicly disclosed and reported as exploited in the wild.

Windows

Microsoft has reported three critical vulnerabilities for this May Patch Tuesday. The real concern here is the publicly reported and exploited (ironically named) Windows Error Reporting (WER) vulnerability (CVE-2019-0863), rated as important by Microsoft.

VULNERABILITIES

LOW: 0
MODERATE: 0
IMPORTANT: 29
CRITICAL: 3

PATCH NOW!

Browsers

Though not completely unexpected, this month brings a large number of memory-corruption-related vulnerabilities for both Microsoft browsers. There have been 23 reported vulnerabilities, with 18 rated as critical and the remaining five rated as important.

VULNERABILITIES

LOW: 0
MODERATE: 0
IMPORTANT: 5
CRITICAL: 18

PATCH NOW!

Office

A single remote code execution vulnerability rated as critical by Microsoft in their Word software has been reported for the May patch cycle. An attacker who successfully exploited this vulnerability could use a specially crafted file to perform actions in the security context of the current user.

VULNERABILITIES

LOW: 0
MODERATE: 0
IMPORTANT: 12
CRITICAL: 1

SCHEDULE

Dev Tools

There are four main updates to the Microsoft development platform for this May update cycle, all rated as important by Microsoft. All four updates apply to all currently supported versions of Microsoft .NET (including 4.8) and to all currently supported desktop and server platforms.

VULNERABILITIES

LOW: 0
MODERATE: 0
IMPORTANT: 4
CRITICAL: 0

SCHEDULE

Adobe Flash Player

Though not actively reported as exploited, this month’s critical-rated vulnerability from Adobe (APSB19-26) is a common “use after free” memory corruption error that could lead to arbitrary code execution on the target machine, using the user’s logged-in credentials.

VULNERABILITIES

LOW: 0
MODERATE: 0
IMPORTANT: 0
CRITICAL: 1

PATCH NOW!


Understanding the Threatscape Report

The Readiness “Threatscape” report summarizes your risk of not applying this month’s patches, using all publicly-available vulnerability data.

It’s equally important to know the risk to your applications if you DO apply this month’s patches. This is, of course, dependent on:

  • The current state (version and build) of each platform (Windows, Office, Browser, etc.).
  • Which applications are part of your portfolio.

Luckily, determining the risk of applying patches is easy (and fast and dynamic), thanks to our Dynamic Platform Assessment tool.

To understand what will happen when you apply this month’s patches, contact us and assess your first 25 applications for free.

For each major platform, the pie chart shows the breakdown of vulnerabilities rated critical, important, moderate and low. These match the tables below the graph.

The size of the pie represents the total number of vulnerabilities. The larger the pie, the more vulnerabilities present.

The position of the pie on the vertical axis represents the relative risk to your application portfolio. The higher the position, the higher the exploitability.
