May’s Patch Tuesday Includes Fixes for ‘Wormable’ Flaw in Windows XP, Zero-Day Vulnerability


Microsoft’s May security release includes updates for 80 vulnerabilities across a number of Microsoft products, including a security update for unsupported operating systems such as Windows XP and Server 2003 that was not included in the mainstream customer support notification. Of the security vulnerabilities fixed in this release, six are rated Critical, 73 are rated Important or Low, and one was posted separately as a mitigating update addressing an imminent “wormable” threat. The release also includes updates for Internet Explorer, Edge, Office, Office Services and Web Apps, Azure DevOps Server, SQL Server, ChakraCore, NuGet, .NET Framework, .NET Core, Team Foundation Server, Visual Studio, Online Services, and Skype for Android. Adobe also released security updates alongside this month’s Patch Tuesday.

Microsoft released a security guidance notification addressing CVE-2019-0708 for users of outdated Windows operating systems, considering that a number of enterprises continue to use legacy systems for daily operations. While Microsoft noted that the vulnerability has not been seen exploited in the wild, it can be used for remote code execution (RCE) attacks via the Remote Desktop Services component of Windows 7, Windows 2003, Windows Server 2008 R2, Windows Server 2008, and Windows XP. An attacker may send customized requests to a targeted system, and the exploit requires no pre-authentication and no user interaction. A successful attacker can acquire full user rights, create new accounts, and install, change, and delete data. Microsoft notes that this is a mitigating move, as future and existing malware can use this flaw to propagate from one system to another, much like the 2017 WannaCry outbreak.

Source: Trend Micro