Microsoft issued the May 2019 Security Updates that include 79 unique vulnerability fixes, 22 rated critical. Additional guidance was also published to mitigate speculative execution side channel or “MDS” vulnerabilities.
The updates address multiple Microsoft products to include:
- .NET Core
- .NET Framework
- Adobe Flash Player
- ASP.NET Core
- Azure DevOps Server
- Internet Explorer
- Microsoft Edge
- Microsoft Office and Microsoft Office Services and Web Apps
- Microsoft Windows
- Online Services
- Skype for Android
- SQL Server
- Team Foundation Server
- Visual Studio.
One notable patch fixes a Windows Error Reporting Elevation of Privilege Vulnerability (CVE-2019-0863) that is known to be exploited in the wild.
“An elevation of privilege vulnerability exists in the way Windows Error Reporting (WER) handles files. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with administrator privileges,” Microsoft noted in the update.
One critical patch addresses a remote code execution vulnerability CVE-2019-0953 in Microsoft Word software as it fails to properly handle objects in memory.
As part of the monthly updates, Microsoft also issued security guidance (ADV190013) to mitigate Microarchitectural Data Sampling (MDS) vulnerabilities (CVE-2018-12126, CVE-2018-12130, CVE-2018-12127 and CVE-2018-11091).
“An attacker who successfully exploited these vulnerabilities may be able to read privileged data across trust boundaries. In shared resource environments (such as exists in some cloud services configurations), these vulnerabilities could allow one virtual machine to improperly access information from another. In non-browsing scenarios on standalone systems, an attacker would need prior access to the system or an ability to run a specially crafted application on the target system to leverage these vulnerabilities,” Microsoft stated in the advisory.
Microsoft also issued a security advisory for Adobe Flash, that was also made available by Adobe in APSB19-26 to fix a Critical vulnerability CVE-2019-7837 that could allow arbitrary code execution. Adobe also issued a security update for Adobe Acrobat and Reader for Windows and macOS (APSB19-18) that addresses 83 vulnerabilities.
The 22 critical Microsoft RCE vulnerabilities are listed below (each impacts Windows, Browser, Development Tools or Office product families):