Administrators have their work cut out for them this month with a zero-day exploit, a flaw with the potential to be the next WannaCry, and more Intel CPU bugs.
Microsoft resolved 79 unique vulnerabilities for May Patch Tuesday, 23 of them rated critical, including one zero-day vulnerability (CVE-2019-0863), rated important, that affects most supported Windows desktop and server operating systems. The zero-day is a privilege-escalation vulnerability in the Windows Error Reporting component that has been exploited in the wild.
"If they exploit this, they get kernel mode access to the system. They can pretty much do anything at that point," said Chris Goettl, director of product management at Ivanti, a security and IT management vendor based in South Jordan, Utah. "In this case, they will have to exploit something else to get onto the system, but once they do, they can use this to elevate their privilege."
The May Patch Tuesday updates also fixed numerous critical bugs for Internet Explorer 11 and Microsoft Edge browsers in supported Windows systems.
These browser patches address typical exploits such as remote code execution in which the attacker corrupts memory to execute arbitrary code in the context of the user, Goettl said.
"If a company runs least privilege, these vulnerabilities would allow the attacker to gain local execution rights as a reduced user, but then they could use that zero-day as the next step to elevate their privilege level," he said.
Microsoft also released updates for SQL Server, SharePoint and Microsoft Office, and fixed several denial-of-service vulnerabilities in the .NET Framework development platform.
A new twist on a familiar Intel CPU vulnerability
Also in the May Patch Tuesday security updates, Microsoft delivered fixes for client and server operating systems related to several new Intel CPU vulnerabilities similar to the Meltdown and Spectre bugs. Microsoft also included instructions in security advisory ADV190013 for IT pros to protect their older Intel-based systems.
The advisory describes "microarchitectural data sampling" (MDS) as a new subclass of the speculative-execution side-channel vulnerabilities that have plagued data centers since the beginning of 2018. An attacker who exploits any of the four CVEs -- CVE-2018-12126 (nicknamed Fallout), CVE-2018-12127 (called RIDL), CVE-2018-12130 (dubbed ZombieLoad) and CVE-2019-11091 (also named RIDL) -- can read privileged information, such as passwords, from data in flight inside the processor. Because there are several distinct vulnerabilities, there is no single umbrella name for them beyond Intel's microarchitectural data sampling nomenclature.
Intel issued its own advisory that details affected products and the status of microcode updates to address the vulnerability.
Microsoft's advisory said microcode updates did not exist for the following operating systems: Windows Server, version 1803 (Server Core); Windows 10, version 1809 for x64-based systems; and Windows Server 2019 (full and Server Core deployments). Customers can protect themselves by disabling hyper-threading until both the firmware (microcode) and operating system updates are available, according to the company.
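The practical question on every affected host is whether Hyper-Threading is still on and whether Windows has the MDS mitigation in place. The script below is an added example, not code from the article or from Microsoft's advisory. It assumes an elevated PowerShell session and Microsoft's SpeculationControl module from the PowerShell Gallery; the MDS-prefixed property names are those the module added in version 1.0.8, and the FeatureSettingsOverride values (72 with Hyper-Threading left on, 8264 to also stop scheduling on sibling threads, mask 3) are the ones I recall from Microsoft's KB4072698 server guidance. Confirm both against the current advisory before touching a production system.

```powershell
# Added example, not from the original article or from Microsoft's advisory.
# Assumes: elevated session; SpeculationControl module (Microsoft, PowerShell Gallery).
# MDS* property names assumed from SpeculationControl 1.0.8+; registry values assumed
# from KB4072698 guidance. Verify both before applying to production hosts.
param(
    [switch]$ApplyMdsOverride,
    [switch]$DisableHyperThreading
)

# 1. Is SMT/Hyper-Threading active? More logical processors than cores means yes.
$cpu     = Get-CimInstance -ClassName Win32_Processor
$cores   = ($cpu | Measure-Object -Property NumberOfCores -Sum).Sum
$logical = ($cpu | Measure-Object -Property NumberOfLogicalProcessors -Sum).Sum
$htActive = $logical -gt $cores
"Cores: $cores  Logical processors: $logical  Hyper-Threading active: $htActive"

# 2. Ask Windows whether it has, and is actually using, the MDS mitigation.
if (-not (Get-Module -ListAvailable -Name SpeculationControl)) {
    Install-Module -Name SpeculationControl -Scope CurrentUser -Force
}
Import-Module SpeculationControl
$sc = Get-SpeculationControlSettings -Quiet   # -Quiet suppresses the human-readable report

$state = [pscustomobject]@{
    MdsHardwareVulnerable = $sc.MDSHardwareVulnerable        # CPU needs the fix at all
    MdsOsSupportPresent   = $sc.MDSWindowsSupportPresent     # OS update installed
    MdsMitigationEnabled  = $sc.MDSWindowsSupportEnabled     # microcode + OS both in place
    HyperThreadingActive  = $htActive
}
$state

if ($state.MdsHardwareVulnerable -and -not $state.MdsMitigationEnabled -and $htActive) {
    Write-Warning "MDS-vulnerable CPU, no active mitigation, Hyper-Threading on: a sibling thread can sample this host's buffers."
}

# 3. Optional: set the kernel override Microsoft documents for MDS. A reboot is required.
if ($ApplyMdsOverride) {
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $value = if ($DisableHyperThreading) { 8264 } else { 72 }   # assumed values, see header
    New-ItemProperty -Path $key -Name FeatureSettingsOverride     -PropertyType DWord -Value $value -Force | Out-Null
    New-ItemProperty -Path $key -Name FeatureSettingsOverrideMask -PropertyType DWord -Value 3      -Force | Out-Null
    "Set FeatureSettingsOverride=$value, FeatureSettingsOverrideMask=3; reboot to apply."
}
```

Run it without switches first to see the three MDS flags side by side with the Hyper-Threading state; `MdsOsSupportPresent` true with `MdsMitigationEnabled` false is the signature of the situation the advisory describes, where the OS patch is in but the microcode is not. Disabling Hyper-Threading in firmware is the more complete option; the registry override only stops the Windows scheduler from placing work on sibling threads, and it does nothing for a hypervisor underneath the guest.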
Microsoft patches exploit in move reminiscent of WannaCry outbreak
May Patch Tuesday's security updates also closed a critical remote code execution flaw (CVE-2019-0708) in Windows 7 and Windows Server 2008/2008 R2 systems, caused by a bug in the Remote Desktop Services (RDS) feature, formerly called Terminal Services. The vulnerability lets an attacker run arbitrary code on an unpatched system, giving them a range of abilities, from installing programs to creating accounts with full user rights.
"This vulnerability is pre-authentication and requires no user interaction. In other words, the vulnerability is 'wormable,' meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017," wrote Simon Pope, Microsoft Security Response Center director of incident response, in a blog.
Administrators of affected systems under support can find the security updates in the usual locations or have them installed through automatic updates. For the out-of-support Windows XP and Windows Server 2003 systems, Microsoft published patches via knowledge base article KB4500705.
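Before the patch lands everywhere, administrators need to know which legacy hosts still accept RDP without Network Level Authentication, since an unauthenticated attacker reaches the vulnerable code only when NLA is off. The inventory script below is an added example, not code from the article or from Microsoft. It assumes an admin workstation that can reach the hosts over WMI/DCOM (Get-WmiObject rather than CIM, because WinRM is rarely enabled on Windows 7 and 2008), and the host names are constructed. The two KB numbers are the May 2019 Windows 7 / Server 2008 R2 monthly rollup and security-only update as I recall them from the advisory; confirm them against the Security Update Guide and add the 2008 SP2, XP and 2003 package numbers before relying on the `Patched` column.

```powershell
# Added example, not from the original article or from Microsoft.
# Assumes: WMI/DCOM access to the target hosts; $Computers is a constructed list;
# $PatchKBs are assumed May 2019 Win7/2008 R2 update IDs, to be confirmed and extended.
param(
    [string[]]$Computers = @('rds-legacy-01', 'file-srv-2008'),   # constructed names
    [string[]]$PatchKBs  = @('KB4499164', 'KB4499175')            # assumed, verify
)

foreach ($c in $Computers) {
    try {
        $os = Get-WmiObject -ComputerName $c -Class Win32_OperatingSystem -ErrorAction Stop
        # In scope: NT 6.0 (Vista / Server 2008) and NT 6.1 (Windows 7 / Server 2008 R2).
        $legacy = ($os.Version -like '6.0.*') -or ($os.Version -like '6.1.*')

        # AllowTSConnections = 1 means RDP accepts connections.
        $ts  = Get-WmiObject -ComputerName $c -Namespace 'root\cimv2\TerminalServices' `
                 -Class Win32_TerminalServiceSetting -ErrorAction Stop
        # UserAuthenticationRequired = 1 means NLA is on: the client must authenticate
        # before the RDS code path CVE-2019-0708 lives in is reached.
        $tsg = Get-WmiObject -ComputerName $c -Namespace 'root\cimv2\TerminalServices' `
                 -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-tcp'" -ErrorAction Stop

        $installed = Get-HotFix -ComputerName $c -ErrorAction Stop |
                     Select-Object -ExpandProperty HotFixID
        $patched   = @($PatchKBs | Where-Object { $installed -contains $_ }).Count -gt 0

        $rdpOn = ($ts.AllowTSConnections -eq 1)
        $nlaOn = ($tsg.UserAuthenticationRequired -eq 1)

        [pscustomobject]@{
            Computer       = $c
            OS             = $os.Caption
            LegacyScope    = $legacy
            RdpEnabled     = $rdpOn
            NlaRequired    = $nlaOn
            Patched        = $patched
            # Reachable by an unauthenticated worm: legacy OS, RDP on, no patch, no NLA.
            ExposedUnauth  = ($legacy -and $rdpOn -and -not $patched -and -not $nlaOn)
        }
    } catch {
        Write-Warning "$c`: $($_.Exception.Message)"
    }
}
```

Treat `ExposedUnauth` as the emergency list and `NlaRequired` as a stopgap only: NLA forces the attacker to hold valid credentials first, it does not remove the bug, so a host with NLA on and `Patched` false still needs the update, and blocking TCP 3389 at the perimeter is the other compensating control worth confirming in the same pass.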
Another day, another exploit comes to light
In other Microsoft security news, researchers from IT security company ESET on May 7 said they uncovered LightNeuron, a sophisticated backdoor and spying malware tailored for Exchange Server systems.
LightNeuron has two key components: a transport agent that hooks into Exchange mail handling and a dynamic link library (DLL) that holds the bulk of the malicious code. For any of this to work, the attacker first needs administrative access to the Exchange server.
Once the attacker registers and deploys LightNeuron's components, the malware sits in the mail flow and can block, read and modify email messages. ESET said the malware is commanded over email, using steganography to hide its instructions inside JPG images and PDF documents sent as attachments. ESET researchers believe LightNeuron's targets and characteristics indicate it is the handiwork of the notorious Turla hacking group.
Due to its advanced camouflage techniques, ESET researchers said it's possible LightNeuron has been in use since 2014. Moreover, removing the malware carelessly can itself cause an outage.
"Simply removing the two malicious files will break Microsoft Exchange, preventing everybody in the organization from sending and receiving emails," according to an ESET whitepaper.
As of this article's publication, Microsoft had no mitigation or patch. In a short advisory, Microsoft Security Intelligence claims Windows Defender Antivirus can find and remove the threat, but it is not clear whether Defender catches LightNeuron before installation or can remove it cleanly afterward.
News of LightNeuron caught the attention of many administrators. Tony Redmond, a prominent Exchange expert and Microsoft MVP, sent out a tweet to calm some of the hand-wringing over the malware, noting that IT pros who put in the effort to lock down their systems have less to worry about.
"Lots of [fear, uncertainty and doubt] floating around about from recent reports of the 'LightNeuron' attack on Exchange. If attackers get inside your network and secure the admin [privileges] necessary to install transport agents, you've got bigger problems to worry about," Redmond wrote.
LightNeuron's exposure reinforces the message that once attackers get into a Windows system, they can burrow in, remain undetected for a long time and do significant damage.
IT pros must throw up as many obstacles as they can to prevent intrusions, such as two-factor authentication on dedicated Exchange administration accounts and tighter controls over PowerShell on the server, ESET said. Administrators should also regularly inspect Exchange Server, especially its registered transport agents, to verify that every component carries the expected signature.
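Auditing the transport agents is the one check that catches this class of implant, because a malicious agent has to be registered with Exchange to see mail at all. The script below is an added example, not code from the article, ESET or Microsoft. It assumes the Exchange Management Shell on an Exchange 2013, 2016 or 2019 server (Get-TransportAgent is the Exchange cmdlet; everything else is standard PowerShell), and the baseline list of expected agent names is constructed for illustration; take yours from a known-good server of the same version.

```powershell
# Added example, not from the original article or from ESET/Microsoft.
# Assumes: Exchange Management Shell on the server being audited.
# $expectedAgents is a constructed baseline; build your own from a known-good host.
$expectedAgents = @(
    'Transport Rule Agent', 'Malware Agent',
    'Text Messaging Routing Agent', 'Text Messaging Delivery Agent'
)

$report = foreach ($agent in Get-TransportAgent) {
    $path   = $agent.AssemblyPath
    $sig    = if ($path -and (Test-Path $path)) { Get-AuthenticodeSignature -FilePath $path } else { $null }
    $signer = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    $known  = $expectedAgents -contains $agent.Identity

    [pscustomobject]@{
        Identity        = $agent.Identity
        Enabled         = $agent.Enabled
        Priority        = $agent.Priority
        AssemblyPath    = $path
        SignatureStatus = if ($sig) { $sig.Status } else { 'FileMissing' }
        Signer          = $signer
        InBaseline      = $known
        # Flag anything not in the baseline, unsigned, badly signed, or signed by someone
        # other than Microsoft. A custom in-house agent will trip this too; that is the point.
        Suspicious      = (-not $known) -or (-not $sig) -or ($sig.Status -ne 'Valid') -or
                          ($signer -notmatch 'O=Microsoft Corporation')
    }
}

$report | Format-Table Identity, Enabled, Priority, SignatureStatus, Suspicious -AutoSize
$report | Where-Object Suspicious | Format-List Identity, AssemblyPath, SignatureStatus, Signer

# Hash every agent DLL so the next run can be diffed against this snapshot.
$report | Where-Object { $_.AssemblyPath -and (Test-Path $_.AssemblyPath) } |
    ForEach-Object { Get-FileHash -Algorithm SHA256 -Path $_.AssemblyPath } |
    Export-Csv -Path "$env:TEMP\transport-agent-hashes.csv" -NoTypeInformation
```

Schedule it and diff the hash CSV between runs; an agent whose DLL changes outside a cumulative update deserves a look even if the signature check passes. If an agent does turn out to be malicious, unregister it in the right order, `Disable-TransportAgent` and then `Uninstall-TransportAgent`, before deleting any file: the ESET warning above is that deleting the two files while the agent is still registered breaks mail flow for the whole organization.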
"It's probably a blind spot for most companies. They don't have the ability or don't take the time and effort to scan components within platforms like Exchange or SharePoint," Goettl said.