Patch Tuesday – May 2019
This month’s quality update for Windows 10 is so good that it installs itself twice, Microsoft releases patches for Intel Microarchitectural Data Sampling (MDS) attacks, and there’s a fix for a zero-day flaw in Windows Error Reporting.
Windows and Windows Server
This month Microsoft patched one critical remote code execution (RCE) vulnerability (CVE-2019-0903) in the way the Windows Graphics Device Interface (GDI) handles objects in memory. If exploited, an attacker could install programs; view, change, or delete data; or create new accounts with full user rights. Microsoft says that users with standard user rights would be less impacted than those with administrator privileges.
Zero-Day in Windows Error Reporting
There’s an elevation of privilege (EOP) zero-day in the Windows Error Reporting service (CVE-2019-0863) that could allow an attacker to run arbitrary code in kernel mode. Discovered by researchers from PolarBear and Palo Alto Networks, CVE-2019-0863 is already being exploited and can allow an attacker to elevate from standard user rights to administrator privileges. The fix is available for all supported versions of Windows.
Zombieload Side-Channel Attacks
You may have heard in the news last week that Intel CPUs are affected by new Zombieload side-channel attacks. Or Microarchitectural Data Sampling (MDS) attacks as they are officially known. As part of this month’s quality update for Windows 10, Microsoft is including changes to the OS to protect against this kind of attack. But you will also need to apply microcode (firmware) updates to devices to get full protection.
The quality update includes microcode updates for some versions of Windows. Microsoft has promised all supported versions of Windows will receive microcode updates as they are provided by Intel. Now, Microsoft isn’t providing microcode updates for the following versions of Windows. Microsoft recommends getting microcode updates from OEMs instead.
- Windows 10 Version 1803 for x64-based Systems
- Windows Server, version 1803 (Server Core Installation)
- Windows 10 Version 1809 for x64-based Systems
- Windows Server 2019
- Windows Server 2019 (Server Core installation)
Microsoft has also issued guidance to mitigate MDS attacks here. Customers are also advised that they may need to disable hyperthreading to be fully protected but Microsoft doesn’t detail under what circumstances. Regardless, these updates can impact performance. There aren’t any known MDS attacks in the wild yet but working proof-of-concept code has been demonstrated in a lab, so it’s only a matter of time. Additionally, if you have enabled Spectre Variant 2 protections enabled, Retpoline optimizations are turned on by default on supported systems with this month’s update.
Windows XP and Windows Server 2003
Yes, you read that right. This month Microsoft issued a fix for Windows XP and Windows Server 2003, which are no longer supported; Windows 7, Windows Server 2008, and Windows Server 2008 R2 that addresses an issue with Remote Desktop Services that could be exploited by a worm to spread through vulnerable devices.
Windows 10 Quality Update is so Good that it Installs Itself Twice
Don’t be alarmed if this month’s quality update for Windows 10 (KB4494441) installs itself twice. This happened on one of my systems where Windows Update reported that the update was available again the day after it was first installed. I humored it, rebooted, and haven’t been bothered by it since. Microsoft is aware of this issue.
Windows 10 System Restore Fails Restart
I don’t think this problem is necessarily connected to this month’s patches, but Microsoft has updated a support document detailing an issue system restore. The document states that performing a system restore from Windows can cause a Stop error on restart. To avoid this, Microsoft recommends rebooting into the Windows Recovery Environment (WinRE) and starting the restore process from there.
Office, SQL, and SharePoint
There are three security updates for Office this month. One is an RCE rated critical and could allow an attacker to perform actions in the context of the currently logged in user. There are two other RCEs rated important and both could allow an attacker to run arbitrary code on a user’s system but are more difficult to exploit.
SQL Server Analysis Services gets a fix for an information disclosure vulnerability that could let an attacker query tables or columns for which they don’t have access rights. Microsoft SharePoint Foundation 2013 Service Pack 1 and Microsoft SharePoint Enterprise Server 2016 both get an RCE fix (CVE-2019-0952) rated important that could allow an authenticated attacker to use a specially crafted page to perform actions in the security context of the SharePoint application pool process. SharePoint Server 2016, 2019, and Foundation 2013 Service Pack 1 are affected by an EOP issue that could let an attacker perform cross-site scripting attacks in the security context of the current user, read content, and take actions on the SharePoint site on behalf of the user.
Adobe released patches this month for Flash Player, Acrobat and Reader, and many other products. You can get the full details here.