Lucene search

K
talosblog[email protected] (Jonathan Munshaw)TALOSBLOG:71D138211697B43CB345A133B54BC824
HistoryMay 21, 2019 - 6:00 a.m.

Microsoft Patch Tuesday — May 2019: Vulnerability disclosures and Snort coverage

2019-05-2106:00:43
[email protected] (Jonathan Munshaw)
feedproxy.google.com
259

0.975 High

EPSS

Percentile

100.0%

Microsoft released its monthly security update today, disclosing a variety of vulnerabilities in several of its products. The latest Patch Tuesday covers 79 vulnerabilities, 22 of which are rated “critical," 55 that are considered “important” and one “moderate.” This release also includes two critical advisories: one covering Microsoft Live accounts and another addressing updates to Adobe Flash Player.

This month’s security update covers security issues in a variety of Microsoft’s products, including the Scripting Engine, the Microsoft Edge web browser and GDI+. For more on our coverage of these bugs, check out the Snort blog post here, covering all of the new rules we have for this release.

Critical vulnerabilities

Microsoft disclosed 22 critical vulnerabilities this month, seven of which we will highlight below.

CVE-2019-0884, CVE-2019-0911 and CVE-2019-0918 are memory corruption vulnerabilities that exist in the scripting engine when it handles objects in memory in Microsoft browsers. These bugs could corrupt memory in a way that an attacker could gain the ability to remotely execute code in the context of the current user. An attacker could exploit these vulnerabilities by either tricking the user into opening a specially crafted web page while using a Microsoft web browser, or by embedding an ActiveX control marked “safe for initialization” in a specific application or Microsoft Office document that utilizes the browser rendering engine.

CVE-2019-0903 is a remote code execution vulnerability in the GDI+ API. An attacker could use the vulnerability to take complete control of the system and execute, install and delete programs in the context of the current user. An attacker could exploit this bug by tricking a user into visiting a specially crafted, malicious web page or by convincing them to open a malicious email attachment.

CVE-2019-0926 is a memory corruption vulnerability in Microsoft Edge that exists when the web browser improperly accesses objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted web page in Edge. This would eventually allow the attacker to corrupt memory in a way that they could then remotely execute code in the context of the current user.

CVE-2019-0929 is a memory corruption vulnerability in Microsoft Internet Explorer that exists in the way the web browser handles objects in memory. An attacker could exploit this vulnerability by tricking the user into opening a specially crafted web page in Internet Explorer. This would eventually allow the attacker to corrupt memory in a way that they could then remotely execute code in the context of the current user.

CVE-2019-0708 is a remote code execution vulnerability in Remote Desktop Services – formerly known as Terminal Services. The vulnerability requires no user interaction and is pre-authentication. Microsoft specifically warned against this bug because it makes the vulnerability “wormable,” meaning future malware that exploits this vulnerability could spread from system to system. An attacker could exploit this vulnerability by sending a specially crafted request to the target system’s Remote Desktop Service via RDP. Snort rule 50137 coverages indicators associated with this vulnerability.

The other critical vulnerabilities are:

Important vulnerabilities

This release also contains 55 important vulnerabilities, one of which we will highlight below.

CVE-2019-0885 is a remote code execution vulnerability in Windows OLE that exists when OLE fails to properly validate user input. An attacker could exploit this bug in a way that would allow them to execute malicious code on the system. This bug can be exploited when a user opens a specially crafted file or program, leading Windows to execute the desired code.

The other important vulnerabilities are:

Moderate vulnerability

There is one moderate vulnerability, CVE-2019-0971, an information disclosure vulnerability in Azure DevOps.

Coverage

In response to these vulnerability disclosures, Talos is releasing the following SNORTⓇ rules that detect attempts to exploit them. Please note that additional rules may be released at a future date and current rules are subject to change pending additional information. Firepower customers should use the latest update to their ruleset by updating their SRU. Open Source Snort Subscriber Rule Set customers can stay up-to-date by downloading the latest rule pack available for purchase on Snort.org.

Snort rules: 50068 - 50091, 50115 - 50119, 50120 - 50122, 50137

0.975 High

EPSS

Percentile

100.0%