Patch Impact Assessment May 2019

Vulnerability Assessment

1

PUBLICLY DISCLOSED

1

EXPLOITED

1

ZERO-DAY

With 79 reported CVE vulnerability entries and two advisories from Microsoft, this is a big update for Windows this month. With this May Patch Tuesday update cycle, we are seeing reported issues in Remote Desktop Services (RDS), DHCP and the core graphics GDI component. The RDS vulnerability (CVE-2019-0863) should be a considered a zero-day security issue as it has been publicly disclosed and reported as exploited in the wild.

 

Windows

Microsoft has reported three critical vulnerabilities for this May Patch Tuesday. The real concern here the publicly reported and exploited (ironically named) Windows Error Reporting (WER) vulnerability (CVE-2019-0863) rated as important by Microsoft.

VULNERABILITIES

0
LOW

0
MODERATE

29
IMPORTANT

3
CRITICAL

PATCH NOW!

Browsers

Though not completely unexpected, this month brings a large number of memory corruption related vulnerabilities for both Microsoft browsers. There have been 23 reported vulnerabilities with 18 rated as critical, the remaining five rated as important

VULNERABILITIES

0
LOW

0
MODERATE

5
IMPORTANT

18
CRITICAL

PATCH NOW!

Office

A single remote code execution vulnerability rated as critical by Microsoft in their Word software has been reported for the May patch cycle. An attacker who successfully exploited this vulnerability could use a specially crafted file to perform actions in the security context of the current user.

VULNERABILITIES

0
LOW

0
MODERATE

12
IMPORTANT

1
CRITICAL

SCHEDULE

Dev Tools

There are four main updates to the Microsoft development platform all rated as important by Microsoft for this month’s May update cycle. All four updates apply to all currently supported versions of Microsoft .NET (including 4.8) and apply to all currently supported desktop and server platforms. 

VULNERABILITIES

0
LOW

0
MODERATE

4
IMPORTANT

0
CRITICAL

SCHEDULE

Adobe Flash Player

Though not actively reported as exploited this month’s critical-rated vulnerability from Adobe (APSB19-26) is a common “use after free” memory corruption error that could lead to arbitrary code execution on the target machine, using the user’s logged in credentials. 

VULNERABILITIES

0
LOW

0
MODERATE

0
IMPORTANT

1
CRITICAL

PATCH NOW!

Related Posts

Patch Tuesday

A Challenging Patch Tuesday for Legacy Windows Platforms

This is a big Patch Tuesday for some Windows users. Older systems such as Windows 7 and Server 2008 need both urgent and important updates to resolve publicly disclosed and exploited vulnerabilities. If you are running later versions of Windows 10, the situation is much improved, with recommendations for scheduled updates and comprehensive testing before deployment.

Read More
Patch Impact Assessment Summary

Patch Impact Assessment July 2019

This is a big Patch Tuesday for some Windows users. Older systems such as Windows 7 and Server 2008 need both urgent and important updates to resolve publicly disclosed and exploited vulnerabilities.

Read More
Patch Tuesday

Big, complex Patch Tuesday for Windows, critical updates for Adobe and Edge

This month, Microsoft delivers a big, complex series of updates to Windows, Azure and Edge. With 88 vulnerabilities addressed and four made public, we see “Patch Now” recommendations for both browsers, Windows and Adobe.

Read More