It’s Patch Tuesday—the day when Microsoft releases monthly security updates for its software.
Microsoft has software updates to address a total of 79 CVE-listed vulnerabilities in its Windows operating systems and other products, including a critical wormable flaw that can propagate malware from computer to computer without requiring users’ interaction.
Out of 79 vulnerabilities, 18 issues have been rated as critical and rest Important in severity. Two of the vulnerabilities addressed this month by the tech giant are listed as publicly known, of which one is listed as under active attack at the time of release.
May 2019 security updates address flaws in Windows OS, Internet Explorer, Edge, Microsoft Office, and Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, and ASP.NET, Skype for Android, Azure DevOps Server, and the NuGet Package Manager.
Critical Wormable RDP Vulnerability
The wormable vulnerability (CVE-2019-0708) resides in Remote Desktop Services – formerly known as Terminal Services – that could be exploited remotely by sending specially crafted requests over RDP protocol to a targeted system.
The vulnerability could be exploited to spread wormable malware in a similar way as the WannaCry malware spread across the globe in 2017.
“This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system,” Microsoft said in an advisory detailing the Wormable vulnerability.
“While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.”
Surprisingly, besides releasing patches for supported systems, including Windows 7, Windows Server 2008 R2, and Windows Server 2008, Microsoft has also separately released fixes for out-of-support versions of Windows including Windows 2003 and Windows XP to address this critical issue.
As a workaround, Microsoft has advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent any unauthenticated attacker from exploiting this Wormable flaw.
Other Critical and Important Vulnerabilities
Another severe flaw is an important Elevation of Privilege vulnerability (CVE-2019-0863) in Windows that exists in the way Windows Error Reporting (WER) handles files. The flaw is listed as publicly known and is already being actively exploited in limited attacks against specific targets.
Successful exploitation of the flaw could allow a low-privileged remote attacker to run arbitrary code in kernel mode with administrator privileges, eventually letting them install programs, view, change, or delete data, or create new accounts with administrator privileges.
Another publicly disclosed vulnerability affects Skype for Android app. The vulnerability (CVE-2019-0932) could allow an attacker to listen to the conversation of Skype users without their knowledge.
To successfully exploit this vulnerability, all an attacker needs is to call an Android phone with Skype for Android installed that’s also paired with a Bluetooth device.
All critical vulnerabilities listed this month primarily impact various versions of Windows 10 operating system and Server editions and mostly reside in Chakra Scripting Engine, with some also reside in Windows Graphics Device Interface (GDI), Internet Explorer, Edge, Word, Remote Desktop Services, and Windows DHCP Server.
Many important-rated vulnerabilities also lead to remote code execution attacks, while others allow elevation of privilege, information disclosure, security bypass, spoofing tampering, and denial of service attacks.
Users and system administrators are highly recommended to apply the latest security patches as soon as possible to keep cybercriminals and hackers away from taking control of their computers.
For installing the latest security updates, you can head on to Settings → Update & Security → Windows Update → Check for updates on your computer, or you can install the updates manually.
Adobe also rolled out security updates today to fix 87 security vulnerabilities in several of its products. Users of the affected Adobe software for Windows, macOS, Linux, and Chrome OS are advised to update their software packages to the latest versions.