Be Aware of Skype for Android Vulnerability and Windows Error Reporting Elevation of Privilege Vulnerability
by Chris Goettl, Director of Product Management, Security, Ivanti
Looks like a busy, but pretty typical lineup this month. Microsoft has released a total of 16 updates resolving 79 unique vulnerabilities for May. There is one zero-day vulnerability that has also been disclosed publicly, which affects all versions of Windows. There is also a public disclosure for Skype for Android. Adobe has released updates for Acrobat, Acrobat Reader and Flash Player resolving a total of 85 unique vulnerabilities. Both Adobe updates are rated as Critical.
The Microsoft updates this month affect the following products:
- Windows
- Office and O365
- Sharepoint
- .Net Framework
- SQL Server
The biggest concern this month is the update for Windows. The zero-day vulnerability (CVE-2019-0863) has been detected in exploits in the wild and has been publicly disclosed, meaning more threat actors could get their hands on it and develop similar attacks. The elevation-of-privilege vulnerability exists in the way Windows Error Reporting handles files. The attack would allow a threat actor to gain kernel mode access to the system. The attacker would need to gain unprivileged execution on the victim’s system first, but that would not be a significant barrier.
There is a publicly disclosed vulnerability (CVE-2019-0932) in Skype for Android that could allow for information disclosure. An attacker could use the exploit to listen to a conversation of a Skype for Android user without their knowledge.
Another vulnerability in windows that is worth noting is CVE-2019-0708. The vulnerability exists in Remote Desktop Services (Terminal Services) when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests that could remotely execute code. This would have the potential of a global WannaCry level event. What’s more, Microsoft has released updates for Windows XP and Server 2003 (which you wouldn’t have found unless you were looking at the Windows Update Catalog). So this affects Windows 7, Server 2008 R2, XP and Server 2003. Here is a good article on this by Brian Krebs.
Adobe has two updates this month resolving 85 unique CVEs. Both updates resolve critical CVEs and should be a priority this month.
Ivanti priorities this month:
- Patch the Windows OS and browsers (Including XP and 2003!)
- Patch Adobe Reader, Acrobat, AIR and Flash
About the Author
Chris Goettl, is director of product management, security, Ivanti. Chris is a strong industry voice with more than 10 years of experience in supporting, implementing, and training IT Admins on how to implement strong patching processes. He hosts a monthly Patch Tuesday webinar, blogs on vulnerability and related software security topics, and his commentary is often quoted as a security expert in the media.
Chris can be reached online at Twitter @ChrisGoettl and at Ivanti’s website: www.ivanti.com.