• May 2019 Patch Tuesday arrives

    The Update Catalog has 237 new entries. Jeeeez.

    The Security Update Guide lists 2,195 new individual patches today.

    Martin Brinkmann has posted his summary:

    • Microsoft released security updates for all supported versions of Windows.
    • All versions of Windows are affected by CVE-2019-0903, a critical GDI+ Remote Code Execution Vulnerability.
    • Windows 7 is the only client system affected by another critical vulnerability, CVE-2019-0708, Remote Desktop Services Remote Code Execution Vulnerability.
    • Microsoft released a security update for Windows XP (KB4500331).

    Dustin Childs has his report posted for ZDI:

    security patches for 79 CVEs (separately identified security holes) along with two advisories… (Windows Error Reporting bug CVE-2019-0863 being exploited actively)… details about the use of the exploit are not available, it is likely being used in limited attacks against specific targets.

    Big news is the “wormable” security hole in RDP, CVE-2019-0708. From Simon Pope on the MSRC TechNet blog:

    Any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017. While we have observed no exploitation of this vulnerability, it is highly likely that malicious actors will write an exploit for this vulnerability and incorporate it into their malware.

    Vulnerable in-support systems include Windows 7, Windows Server 2008 R2, and Windows Server 2008. Downloads for in-support versions of Windows can be found in the Microsoft Security Update Guide. Customers who use an in-support version of Windows and have automatic updates enabled are automatically protected.

    Out-of-support systems include Windows 2003 and Windows XP. If you are on an out-of-support version, the best way to address this vulnerability is to upgrade to the latest version of Windows. Even so, we are making fixes available for these out-of-support versions of Windows in KB4500705.

    Yes, you read that correctly. There’s a downloadable fix for Win 2003 (not to be confused with Win10 “version 2003,” which is currently in the Insider Fast Ring) and WinXP.

    But wait. That’s not all. There’s also a big hole in .NET versions 2.1 and 2.2, CVE-2019-0982. It’s a Denial of Service vulnerability.

    UPDATE: Poster Old School on Krebs on Security reports:

    KB 4494441 [that’s the Win10 1809 patch] had to be installed twice so be sure to run Windows Update twice. I was not amused.