Microsoft’s May 2019 Patch Tuesday has already rolled out, containing fixes for 79 vulnerabilities in a number of products. The rollout also includes a security update for Windows XP and Server 2003, which were not included in the mainstream customer support notification.
Two items deserve particular attention: CVE-2019-0863, a zero-day vulnerability exploited in the wild, and ADV190013, a security advisory addressing a brand new set of Intel CPU flaws that were revealed just several hours ago. The new vulnerabilities in Intel processors can allow attackers to retrieve data being processed inside a CPU. The most dangerous of the flaws has been dubbed Zombieload, a side-channel attack very similar to the Meltdown, Spectre, and Foreshadow exploits.
More about CVE-2019-0863
According to the official description, this is an elevation of privilege vulnerability that exists in the way Windows Error Reporting (WER) handles files. If exploited successfully, it could allow the attacker to run arbitrary code in kernel mode. This could lead to a range of malicious activities such as installing programs, changing or deleting data, and creating new accounts with administrative rights.
CVE-2019-0863 has been exploited in the wild, as revealed by security researchers from PolarBear and Palo Alto Networks. The flaw has been exploited to elevate rights on vulnerable systems from regular accounts to admin access. Not much is known about the actual attacks, as details are still being kept secret to give users more time to patch their systems.
The bug has been fixed by “correcting the way WER handles files,” as explained by Microsoft. The patch is available for all Windows systems.
As for the rest of the vulnerabilities, 73 are rated important or low. One particular vulnerability has been posted separately, with an update that mitigates a wormable threat. Tracked as CVE-2019-0708, it is a ‘wormable’ flaw in Remote Desktop Services, which Microsoft has patched even in the no longer supported Windows XP and Server 2003 versions.
Products that have been patched in this month’s set of updates include Internet Explorer, Edge, Office, Office Services and Web Apps, Azure DevOps Server, SQL Server, ChakraCore, NuGet, .NET Framework, .NET Core, Team Foundation Server, Visual Studio, Online Services, and Skype for Android.