Tim Lovegrove
Security Analyst
Welcome to the May 2019 Patch Roundup, where we look at the latest updates from the main vendors released on Patch Tuesday and dissect a few of the key releases. This month is a doozy and carries the warning from manufacturers that many of this month’s vulnerabilities are highly likely to be actively targeted in the coming weeks or months. Let’s get cracking.
Adobe
Starting with Adobe, big patches have been dropped for Reader and Acrobat, covering a total of 86 vulnerabilities. These include 42 Critical-rated vulnerabilities, all of which permit arbitrary code execution resulting in machine take-over. Needless to say, these should be addressed as a high priority, particularly for end-user devices. Unusually, Flash gets an update for just one vulnerability, with Microsoft handling the same vulnerability for Edge and IE in their Patch Tuesday update.
We’d be remiss if we didn’t mention the WhatsApp vulnerability announced this week. While the risk is relatively low – victims have been limited to a small number of political activists, lawyers and journalists, most likely being targeted by a disgruntled nation state – the widespread advice has been to update the app immediately. This is easily (and often automatically) done on most modern phones, but if your staff are heavy users of WhatsApp then it’s worth sending a gentle reminder to update.
Cisco
Similarly, Cisco have been hitting headlines over the last few weeks for a number of critical updates, some of which are apparently near-impossible to fix.
On the 1st May a large batch of updates affecting Nexus switches, ASA/Firepower and Prime landed, swiftly followed this week by another batch including a Secure Boot Hardware tampering vulnerability and an authentication bypass for the REST API in the Elastic Services Controller.
The former (CVE-2019-1649) is gaining the headlines due to how widespread Cisco’s Secure Boot hardware is, and that there is currently no patch or workaround. When paired with a separate bug in the Web UI for IOS XE software, the attacker can gain elevated privileges and access to the underlying Cisco OS as root in order to successfully exploit the flaw. Once there, the flaw allows the installation of malicious, persistent code on the Trust Anchor chip of compromised devices, meaning the device will boot with whatever tampered-with code is present in the chip. The good news is, all of this requires a high level of access to begin with, suggesting either an insider threat or an already-compromised system are the most likely attack vectors.
Conversely, the REST API issue (CVE-2019-1867) is much more readily exploitable, and could allow an attacker to run administrator-level actions using the API as a conduit. A patch has been released for this bug.
Microsoft
Finally, Microsoft’s regular Patch Tuesday drop included a similarly wide range of bugs – 79 in total with 18 rated Critical. One of these – CVE-2019-0708 – is a sufficiently bad Remote Desktop Services flaw that Microsoft have ported it back to Windows XP/Server 2003 and made it generally available, rather than restricting the update to customers paying for extended support.
We also expect to see the Windows 10 “19H1” update drop imminently. This latest iteration of the 6-monthly not-quite-a-service-pack major upgrade brings changes to the User Interface, search and Cortana, and a number of under-the-hood tweaks to improve general usability. Also notable is the imminent arrival of “Edge Chrome” – a new iteration of the Edge browser built on Google’s Chrome platform. This is still in development and may not be bundled with 19H1 but should be available soon.
Get in touch
If you'd like any advice on the patches mentioned above, or any we haven't mentioned here, please get in touch with your Softcat Account Manager, or using the button below.