Microsoft’s Patch Tuesday for May includes software updates that address 79 CVE-listed vulnerabilities in its Windows operating systems and other products, including a critical wormable flaw that can propagate malware from computer to computer without any user interaction.
Of the 79 vulnerabilities, 18 are rated Critical and the remainder are rated Important. Two of the vulnerabilities are listed as publicly known, of which one is under active attack at the time of release.
The May 2019 security updates address flaws in Windows OS, Internet Explorer, Edge, Microsoft Office, Microsoft Office Services and Web Apps, ChakraCore, .NET Framework, ASP.NET, Skype for Android, Azure DevOps Server, and the NuGet Package Manager.
Critical Wormable RDP Vulnerability
The wormable vulnerability (CVE-2019-0708) is in Remote Desktop Services, formerly known as Terminal Services. It could be exploited remotely by sending specially crafted requests over RDP to a targeted system.
The vulnerability could be exploited to spread self-propagating malware in much the same way the WannaCry malware spread in 2017.
According to the company’s advisory, the vulnerability is pre-authentication and requires no user interaction. Successful exploitation allows an attacker to execute arbitrary code on the target system.
Microsoft has released patches for Windows 7, Windows Server 2008 R2, and Windows Server 2008. The company has also separately released patches for out-of-support versions of Windows, including Windows 2003 and Windows XP, to address this critical issue.
Microsoft has advised Windows Server users to block TCP port 3389 and enable Network Level Authentication to prevent unauthenticated users from exploiting this wormable flaw.
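The following script is an added example, not taken from Microsoft's advisory, that audits a host for the two mitigations just described and applies them on request. The function name Get-RdpExposure, the -Remediate switch and the firewall rule name are assumptions made for this illustration; the registry values and the netsh command are standard Windows ones.

```powershell
# Added example: audit (and optionally apply) the RDP mitigations described above.
# Run from an elevated prompt. Written for PowerShell 2.0 so it also runs on
# Windows 7 / Server 2008 R2, which lack the newer NetSecurity cmdlets.
param([switch]$Remediate)   # hypothetical switch belonging to this script only

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

function Get-RdpExposure {
    $ts  = Get-ItemProperty -Path $tsKey
    $rdp = Get-ItemProperty -Path $rdpKey
    New-Object PSObject -Property @{
        RdpEnabled  = ($ts.fDenyTSConnections -eq 0)   # 0 = RDP connections allowed
        NlaRequired = ($rdp.UserAuthentication -eq 1)  # 1 = NLA required before a session
        Port        = $rdp.PortNumber                  # 3389 unless reconfigured
    }
}

$state = Get-RdpExposure
$state | Format-List RdpEnabled, NlaRequired, Port

if ($state.RdpEnabled -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled without Network Level Authentication.'
    if ($Remediate) {
        # A Group Policy setting, if present, overrides this local value.
        Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1
        Write-Output 'NLA is now required for RDP connections.'
    }
}

if ($Remediate -and $state.RdpEnabled) {
    # Blocks ALL inbound RDP to this host, administrators included. Use only
    # where RDP is not needed; otherwise filter the port at the network edge.
    netsh advfirewall firewall add rule name=Block-Inbound-RDP dir=in `
        action=block protocol=TCP localport=$($state.Port)
}
```

NLA forces authentication before the vulnerable code path is reachable, so it stops unauthenticated exploitation but not an attacker who holds valid credentials; installing the patch remains the fix.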
Another severe flaw is an Important-rated elevation of privilege vulnerability (CVE-2019-0863) in the way Windows Error Reporting (WER) handles files. The flaw is listed as publicly known and is already being actively exploited in limited attacks against specific targets.
By exploiting this flaw, a remote attacker can run arbitrary code in kernel mode with administrator privileges, allowing them to install programs; view, change, or delete data; or create new accounts with administrator privileges.
Another vulnerability (CVE-2019-0932) affects the Skype for Android app. This flaw lets an attacker listen to the conversations of Skype users without their knowledge.
To exploit this vulnerability, the attacker only has to call an Android phone that has Skype for Android installed and is paired with a Bluetooth device.
All of the critical vulnerabilities affect various versions of the Windows 10 operating system and Server editions. Most reside in the Chakra Scripting Engine, with some also residing in Windows Graphics Device Interface (GDI), Internet Explorer, Edge, Word, Remote Desktop Services, and Windows DHCP Server.
Many of the Important-rated vulnerabilities lead to remote code execution, and some allow elevation of privilege, information disclosure, security bypass, spoofing, tampering, and denial of service attacks.
All users and system administrators are advised to apply the latest security patches as soon as possible.
To install the latest security updates, go to Settings → Update & Security → Windows Update → Check for updates on your computer, or install the updates manually.