Microsoft's May Patches Arrive Along with Intel Fixes for New Processor Flaws
Microsoft released its May security updates on "update Tuesday," but a patching vortex also opened up as Intel disclosed new processor vulnerabilities.
If that weren't enough, Microsoft also warned against a vulnerability in Remote Desktop Services that's present in older Windows systems. The vulnerability is sufficiently bad that Microsoft released patches even for its unsupported operating systems.
'Wormable' RDS Flaw
Microsoft put a lot of emphasis this month on patching a "Critical"-rated remote code execution vulnerability (CVE-2019-0708) in Remote Desktop Services (formerly called "Terminal Services"). The vulnerability is present in Windows 7, Windows Server 2008 and Windows Server 2008 R2, but not in newer systems. However, Microsoft took a rare action by also issuing patches this month for unsupported Windows systems, namely Windows XP and Windows 2003.
Microsoft suggested patching CVE-2019-0708 right away. Here's the context offered in an announcement by Simon Pope, director of incident response for the Microsoft Security Response Center:
This vulnerability [CVE-2019-0708] is pre-authentication and requires no user interaction. In other words, the vulnerability is "wormable," meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.
The patch will arrive through the Windows Update service for supported OSes. For unsupported Windows XP and Windows 2003 systems, Microsoft has links to download the patches for CVE-2019-0708 in support article KB4500705.
Other May Patch Highlights
Of the Microsoft May patches, there were 16 updates released addressing "79 unique vulnerabilities this month," according to Chris Goettl, director of product management for security at Ivanti, a maker of IT security and endpoint management software. Of that bunch, there are 22 updates that are rated "Critical" and 55 updates that are deemed "Important," while one is rated "Moderate," according to Cisco's Talos security blog.
The main Microsoft products affected this month include Windows, Office, SharePoint, SQL Server and .NET Framework, according to Goettl. Microsoft has a comprehensive list at this page.
Dustin Childs of Trend Micro's Zero Day Initiative offered a comprehensive view of Microsoft's patches in this blog post. He highlighted CVE-2019-0863 of the bunch this month, as it's already been exploited. It's a Windows Error Reporting vulnerability, rated Important, that could enable elevation of privilege on a network by an attacker.
If exploited, an attacker could use this to execute arbitrary code with administrator privileges. They would need to first gain access to run code on a target system, but malware often uses elevations like this one to go from user-to-admin code execution. While details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets.
The other update highlighted by Childs was the Remote Desktop Services vulnerability (CVE-2019-0708) that Microsoft also had noted. "Microsoft gives this its highest Exploit Index (XI) rating, so I would not be surprised to see this included in future exploit kits," Childs noted.
Microsoft also released two Critical advisories, one for Adobe Flash Player (ADV190012) and one that describes Microsoft guidance to address Intel-disclosed microarchitectural data sampling (MDS) vulnerabilities (ADV190013).
Intel and MDS Flaws
IT pros confused with having to patch the many past Meltdown and Spectre variants announced since January 2018 can brace themselves for some more. The newly described MDS vulnerabilities, announced on Tuesday by Intel, are a subgroup of those past-described speculative execution side-channel attack methods that can potentially affect Intel processors for purposes of information disclosure.
MDS attack methods can be used to gain access to confidential data, according to a write-up by researchers at Vrije Universiteit Amsterdam, who described "Rogue In-Flight Data Load" (RIDL) and "Fallout" methods. The write-up also includes access to a downloadable tool for Windows and Linux that can detect susceptibility to MDS exploits on systems. Additionally, there are "ZombieLoad" and "Store-to-Leak Forwarding" attack methods, per researchers at the Graz University of Technology.
Currently, MDS attack methods are understood by the researchers. They haven't been detected in active use.
"MDS vulnerabilities have been classified as low to medium severity per the industry standard CVSS, and it's important to note that there are no reports of any real world exploits of these vulnerabilities," Intel noted in its announcement.
Fixes are arriving in the form of firmware ("microcode") and operating system updates. Intel also claims to have fixed MDS flaws in its newer products:
MDS is addressed in hardware starting with select 8th and 9th Generation Intel® Core™ processors, as well as the 2nd Generation Intel® Xeon® Scalable processor family. More details can be found here. We expect all future Intel® processors include hardware mitigations addressing these vulnerabilities.
Microsoft published this support article, which offers guidance for organizations to address MDS and L1Terminal Fault vulnerabilities in processors. It's available in addition to the ADV190013 advisory article, which lists the OS security updates per Windows version in table form.
Microsoft is warning of "potential performance impacts" from the updates. "Some customers may have to disable Hyper-Threading (SMT) to fully address the risk from MDS vulnerabilities," Microsoft also warned. Intel appeared to take a somewhat lighter view of performance hits from the patching, but admitted that there will be "performance impacts for PC clients with Intel Hyper-Threading disabled," as well as when Hyper-Threading is disabled in datacenters.
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.