May  2019 – Microsoft Patch Tuesday

April showers bring May flowers, and April security vulnerabilities bring May patches. This month’s updates from Microsoft are, as usual, detailed in the Security Update Guide, which lists over 2000 line items for the May 14 releases – although, of course, many of these are repetitions of the same advisories or CVEs, applied to each of the different operating systems.

As usual, security fixes were issued for all the currently supported versions of Windows client and server operating systems. Microsoft even released an update for Windows XP, which is no longer supported.

 

Be sure to check out the rather long list of known issues before installing these updates. You’ll find the list in the Release Notes on the MSRC web site.

As always, the Malicious Software Removal Tool (MSRT) is updated to include the latest malware definitions.

 

Now let’s take a closer look at this month’s patches.

Security Advisories

The following security advisories were released on Patch Tuesday this month:

ADV190012 | May 2019 Adobe Flash Security Update (Adobe Security Bulletin APSB19-26: CVE-2019-7837). address a critical use-after-free vulnerability in Adobe Flash Player. Successful exploitation could lead to arbitrary code execution in the context of the current user. 

ADV190013 | Microsoft Guidance to mitigate Microarchitectural Data Sampling vulnerabilities. On May 14, 2019, Intel published information about a new subclass of speculative execution side channel vulnerabilities. These vulnerabilities include: CVE-2018-12126 – Microarchitectural Store Buffer Data Sampling (MSBDS), CVE-2018-12130 – Microarchitectural Fill Buffer Data Sampling (MFBDS), CVE-2018-12127 – Microarchitectural Load Port Data Sampling (MLPDS), and CVE-2018-11091 – Microarchitectural Data Sampling Uncacheable Memory (MDSUM). An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another.

Operating system, OS components, and web browser updates

 

Windows client operating systems

Windows 10 gets fixes for twenty-nine vulnerabilities this month, but the good news is that only one of these is critical. Both Windows 7 and Windows 8.1 received patches for twenty-three vulnerabilities; with only one critical in 8.1 and two that are critical in Win7. All the vulnerabilities not rated critical are classed as important.

The following KB articles that describe the client OS updates:

KB4499175 — Security-only update for Windows 7 Service Pack 1

KB4499164 — Monthly Rollup Windows 7 Service Pack 1Windows 8.1

KB4499165 — Security-only Update for Windows 8.1

KB4499151 — Monthly Rollup for Windows 8.1

KB4499181Update for Windows 10 version 1703

KB4499179 – Update for Windows 10 version 1709

KB4499167 – Update for Windows 10 version 1803

KB4494441 – Update for Windows 10 version 1809

Windows Server operating systems

Windows Server 2019 has a total of 30 vulnerabilities patched this time, with two of them rated critical. Server 2016 has twenty-eight, also with two critical. Server 2008 R2 and 2012 R2 both get updates for twenty-four vulnerabilities, with two of them rated critical in 2012 R2 and three that are critical in 2008 R2. All the vulnerabilities not rated critical are classed as important.

KB articles that describe update for Windows Server:

KB4474419 — SHA-2 code signing support update for Windows Server 2008 R2 and Windows Server 2008

KB4499149 — 2019-05 Security Monthly Quality Rollup for Windows Server 2008

KB4499158 — 2019-05 Security Only Quality Update for Windows Embedded 8 Standard and Windows Server 2012

KB4499171 — 2019-05 Security Monthly Quality Rollup for Windows Embedded 8 Standard and Windows Server 2012

KB4499180 — 2019-05 Security Only Quality Update for Windows Server 2008

Microsoft web browsers

As usual, a number of security issues were addressed in the two Microsoft web browsers. Internet Explorer 11 got fixes for eight vulnerabilities, five of which are considered critical. Edge received updates to fix fourteen vulnerabilities, and eleven of those are deemed critical. Nine of these are memory corruption issues with the Chakra Scripting Engine.

KB articles that describe the browser updates:

KB4498206 — Cumulative security update for Internet Explorer

Other software/services

In addition to the updates to the operating systems and web browsers, the following products received updates in this month’s Patch Tuesday release:

  •         Adobe Flash Player
  •         Microsoft Office and Microsoft Office Services and Web Apps
  •         Team Foundation Server
  •         Visual Studio
  •         Azure DevOps Server
  •         SQL Server
  •         .NET Framework
  •         .NET Core
  •         ASP.NET Core
  •         ChakraCore
  •         Online Services
  •         Azure
  •         NuGet
  •         Skype for Android

Critical vulnerabilities

The following are some of the critical vulnerabilities addressed by this month’s updates:

CVE-2019-0903  GDI+ Remote Code Execution Vulnerability. A remote code execution vulnerability exists in the way that the Windows Graphics Device Interface (GDI) handles objects in the memory. An attacker who successfully exploited this vulnerability could take control of the affected system.

CVE-2019-0708  Remote Desktop Services Remote Code Execution Vulnerability. A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.

CVE-2019-0725  Windows DHCP Server Remote Code Execution Vulnerability. A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.

CVE-2019-0884  Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user. An attacker who successfully exploited the vulnerability could gain the same user rights as the current user.

CVE-2019-0911  Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2019-0918 Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way the scripting engine handles objects in memory in Microsoft browsers. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2019-0929 Internet Explorer Memory Corruption Vulnerability. A remote code execution vulnerability exists when Internet Explorer improperly accesses objects in memory. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

CVE-2019-0940  Microsoft Browser Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that Microsoft browsers access objects in memory. The vulnerability could corrupt memory in a way that could allow an attacker to execute arbitrary code in the context of the current user.

CVE-2019-0915 Chakra Scripting Engine Memory Corruption Vulnerability. A remote code execution vulnerability exists in the way that the Chakra scripting engine handles objects in memory in Microsoft Edge. The vulnerability could corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

 

Today’s updates also address the following additional Chakra Scripting Engine memory corruption vulnerabilities: CVE-2019-0916, CVE-2019-0917, CVE-2019-0922, CVE-2019-0924, CVE-2019-0925, CVE-2019-0927, CVE-2019-0933, CVE-2019-0937.